SSO for Tomcat user using SPNEGO fails

Time: 2015-05-14 01:13:53

Tags: java tomcat single-sign-on spnego

I have an application running on a Tomcat server. This application uses the SPNEGO module to authenticate against Active Directory.

The steps we took to make this setup work:

  1. The Tomcat app is added to AD.
  2. A REST API login call is made to the app. This REST API call performs authentication/authorization against AD using SPNEGO.
  3. As part of initializing a brand-new app, we start the app for the first time and add the app host to the AD domain. The API call that performs AD authorization then fails with the following error.

    type Exception report

    message GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
    
    description The server encountered an internal error that prevented it from fulfilling this request.
    
    exception
    
    javax.servlet.ServletException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
        net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:238)
    root cause
    
    GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
        sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
        sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
        sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
        sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
        sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
        sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
        sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
        net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:444)
        net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:283)
        net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:234)
    root cause
    
    KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
        sun.security.krb5.KrbApReq.authenticate(Unknown Source)
        sun.security.krb5.KrbApReq.<init>(Unknown Source)
        sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
        sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
        sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
        sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
        sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
        sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
        sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
        sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
        net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:444)
        net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:283)
        net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:234)
    note The full stack trace of the root cause is available in the Apache Tomcat/6.0.36 logs.
    

This indicates that SPNEGO cannot find the key to decrypt the communication with AD.

When I restart Tomcat, the problem goes away. After Tomcat is restarted, users can perform SSO-based authorization successfully.

I checked the keytab file and everything looks fine. We are using RC4-HMAC encryption. login.conf and krb5.conf are also configured correctly on the host (since everything works after the restart).

I ran strace on the Tomcat pid to see whether SPNEGO reads the keytab file. It seems Tomcat/SPNEGO calls stat on the file but never opens it. Tomcat/SPNEGO assumes that whatever it has cached is correct.

Here are the lines for that call:

    7832  1431560872.430550 stat("/var/pgsql/sync-dir/samba/tomcat-user.keytab",  <unfinished ...>
    7832  1431560872.443416 <... stat resumed> {st_mode=S_IFREG|0600, st_size=894, ...}) = 0
    

I never see it being read.

If anyone has seen an issue with SPNEGO caching information, please let me know; the problem goes away when we restart Tomcat.
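Added example, not code from the question or from the SPNEGO project: a parser for the 0x0502 keytab format that lists principal, kvno and enctype for every entry, which is what to compare against the AD account when JGSS reports "Cannot find key of appropriate type to decrypt AP REP" (a service principal with no key of the negotiated enctype, or only keys at a stale kvno, produces that error). The realm, principal and key bytes below are constructed sample values; the check reads the file on disk and cannot see the copy JGSS holds in memory, which is what the restart described above replaces.

```python
import struct

# RFC 3961 / RFC 4757 enctype numbers; 23 is the "RC4 with HMAC" named in the error
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def parse_keytab(data):
    """Parse a version 0x0502 keytab into one dict per key entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:            # negative size marks a deleted slot: step over it
            pos += -size or 4    # (a zero size is corrupt; never stall on it)
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        strs = []                # counted octet strings: realm, then name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, p); p += 2
            strs.append(data[p:p + n].decode()); p += n
        # name_type(4) timestamp(4) vno8(1) enctype(2) keylen(2), then the key bytes
        _name_type, _ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, p); p += 13
        key, p = data[p:p + klen], p + klen
        # a 32-bit kvno follows the key when four bytes of the entry remain
        kvno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else vno8
        entries.append({"principal": "/".join(strs[1:]) + "@" + strs[0], "kvno": kvno,
                        "enctype": ENCTYPES.get(etype, "etype-%d" % etype), "key": key})
        pos = end
    return entries

def matching_kvnos(entries, principal, enctype):
    """kvnos held for principal+enctype; [] is the 'no key of appropriate type' case."""
    return sorted(e["kvno"] for e in entries
                  if e["principal"] == principal and e["enctype"] == enctype)

def build_entry(principal, kvno, etype, key):
    """Construct a test entry in the layout parse_keytab reads (sample data only)."""
    name, realm = principal.split("@")
    body = struct.pack(">H", name.count("/") + 1)
    for s in [realm] + name.split("/"):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample (not the asker's file): the app's key at kvno 3 in RC4-HMAC and AES256
SAMPLE_PRINCIPAL = "HTTP/app.example.test@EXAMPLE.TEST"
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry(SAMPLE_PRINCIPAL, 3, 23, b"\x11" * 16)
                 + build_entry(SAMPLE_PRINCIPAL, 3, 18, b"\x22" * 32))
```

To check a real file, pass `open(path, "rb").read()` to `parse_keytab` and compare the kvno of the service principal's RC4-HMAC entry with the version AD currently holds for the account.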

0 answers:

No answers