Question

我正在尝试在Linux上的Tomcat中运行的Java Web应用程序中设置kerberos身份验证。我正在使用spring security kerberos扩展。我正在使用：

jdk 1.7u75
spring-security-kerberos 1.0.0.RELEASE
MS Active Directory

在我的本地开发机器（Windows）上，一切运行正常。但在将应用程序部署到Linux机器后，身份验证不再有效。我强烈怀疑我的Kerberos配置出了问题：

[libdefaults]
  default_realm = INT.MYCOMPANY.DE
  ccache_type=4
  kdc_tymesync=1
  forwardable=true
  proxiable=true

[realms]
  INT.MYCOMPANY.DE = {
   admin_server = xyz.mycompany.de
   kdc = xyz.mycompany.de
   }

[domain_realm]
.INT.MYCOMPANY.DE = INT.MYCOMPANY.DE
int.mycompany.de = INT.MYCOMPANY.DE
.int.mycompany.de = INT.MYCOMPANY.DE
.mycompany.de = INT.MYCOMPANY.DE
mycompany.de = INT.MYCOMPANY.DE

[logging]
#kdc = console

（服务器和领域名称已更改）

Spring安全配置：

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security.xsd
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

    <context:property-placeholder location="file:${externalPropertiesPath}/edlgui.properties" />

    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="kerberosAuthenticationProvider" />
    </authentication-manager>

    <http use-expressions="true">
        <intercept-url pattern="/login.jsp" access="permitAll" />
        <intercept-url pattern="/admin/**" access="hasRole('${edl.gui.authorization.requiredrole}')" />
        <form-login login-page="/login.jsp" username-parameter="username" password-parameter="password" default-target-url="/admin"/>
        <logout logout-url="/logout" logout-success-url="/login.jsp" />
        <http-basic />
        <access-denied-handler ref="edlGuiAccessDeniedHandler"/>
    </http>

    <beans:bean id="edlGuiAccessDeniedHandler" class="edl.security.EdlGuiAccessDeniedHandler">
        <beans:constructor-arg value="/login.jsp"/>
    </beans:bean>

    <beans:bean id="kerberosAuthenticationProvider" class="org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider">
        <beans:property name="kerberosClient">
            <beans:bean class="org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient">
                <beans:property name="debug" value="false" />
            </beans:bean>
        </beans:property>
        <!-- TODO replace dummy user service -->
        <beans:property name="userDetailsService" ref="ldapUserDetailsService" />
    </beans:bean>

    <beans:bean class="org.springframework.security.kerberos.authentication.sun.GlobalSunJaasKerberosConfig">
        <beans:property name="debug" value="false" />
        <!-- externalPropertiesPath path = /opt/pksvc/tomcat/current/conf -->
        <beans:property name="krbConfLocation" value="file:${externalPropertiesPath}/krb5.conf"/>
    </beans:bean>

    <!-- Get User Details via LDAP -->
    <!-- It would be nice to do this via Kerberos, however that requires a keytab -->
    <ldap-user-service id="ldapUserDetailsService"
        server-ref="activeDirectoryLdap"
        user-search-base="${edl.gui.ldap.usersearchbase}"
        user-search-filter="${edl.gui.ldap.usersearchfilter}"
        group-search-base="${edl.gui.ldap.groupsearchbase}"
        group-role-attribute="${edl.gui.ldap.grouproleattribute}"
        group-search-filter="${edl.gui.ldap.groupsearchfilter}"
        user-details-class="person"/>
    <ldap-server id="activeDirectoryLdap"
        url="${edl.gui.ldap.url}"
        manager-dn="${edl.gui.ldap.managerdn}"
        manager-password="${edl.gui.ldap.managerpw}"
        root="${edl.gui.ldap.root}"/>

</beans:beans>

当我尝试登录时，我从kerberos调试输出中看到的唯一内容是：

Java config name: file:/opt/pksvc/tomcat/current/conf/krb5.conf
getRealmFromDNS: trying mycompany.de

（我希望看到'KrbAsReq创建消息'和'KrbKdcReq发送'条目）

从春天开始：

2015-08-04 10:07:42.986 DEBUG o.s.security.web.FilterChainProxy - /j_spring_security_check at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2015-08-04 10:07:42.986 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
2015-08-04 10:07:42.986 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@64656737. A new one will be created.
2015-08-04 10:07:42.986 DEBUG o.s.security.web.FilterChainProxy - /j_spring_security_check at position 2 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2015-08-04 10:07:42.986 DEBUG o.s.security.web.FilterChainProxy - /j_spring_security_check at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2015-08-04 10:07:42.987 DEBUG o.s.security.web.FilterChainProxy - /j_spring_security_check at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2015-08-04 10:07:42.987 DEBUG o.s.s.w.a.UsernamePasswordAuthenticationFilter - Request is to process authentication
2015-08-04 10:07:42.987 DEBUG o.s.s.authentication.ProviderManager - Authentication attempt using org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider
2015-08-04 10:07:42.987 DEBUG o.s.s.k.a.sun.SunJaasKerberosClient - Trying to authenticate KieselGun with Kerberos
2015-08-04 10:07:42.993 DEBUG o.s.s.w.a.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Kerberos authentication failed
2015-08-04 10:07:42.993 DEBUG o.s.s.w.a.UsernamePasswordAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
2015-08-04 10:07:42.993 DEBUG o.s.s.w.a.UsernamePasswordAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@72f106b0
2015-08-04 10:07:42.993 DEBUG o.s.s.w.a.SimpleUrlAuthenticationFailureHandler - Redirecting to /login.jsp
2015-08-04 10:07:42.993 DEBUG o.s.s.web.DefaultRedirectStrategy - Redirecting to '/edl-gui/login.jsp'
2015-08-04 10:07:42.993 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2015-08-04 10:07:42.994 DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
2015-08-04 10:07:43.042 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2015-08-04 10:07:43.043 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
2015-08-04 10:07:43.043 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@64656737. A new one will be created.
2015-08-04 10:07:43.043 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 2 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2015-08-04 10:07:43.043 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2015-08-04 10:07:43.043 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2015-08-04 10:07:43.043 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2015-08-04 10:07:43.043 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2015-08-04 10:07:43.044 DEBUG o.s.s.w.s.DefaultSavedRequest - pathInfo: both null (property equals)
2015-08-04 10:07:43.044 DEBUG o.s.s.w.s.DefaultSavedRequest - queryString: both null (property equals)
2015-08-04 10:07:43.044 DEBUG o.s.s.w.s.DefaultSavedRequest - requestURI: arg1=/edl-gui/admin; arg2=/edl-gui/login.jsp (property not equals)
2015-08-04 10:07:43.044 DEBUG o.s.s.w.s.HttpSessionRequestCache - saved request doesn't match
2015-08-04 10:07:43.044 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2015-08-04 10:07:43.044 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2015-08-04 10:07:43.044 DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faa3d44: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 172.20.65.226; SessionId: F2C563CA5780A3024AE7D89390CE0AB1; Granted Authorities: ROLE_ANONYMOUS'
2015-08-04 10:07:43.044 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2015-08-04 10:07:43.044 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2015-08-04 10:07:43.045 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2015-08-04 10:07:43.045 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/login.jsp'; against '/login.jsp'
2015-08-04 10:07:43.045 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /login.jsp; Attributes: [permitAll]
2015-08-04 10:07:43.045 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6faa3d44: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 172.20.65.226; SessionId: F2C563CA5780A3024AE7D89390CE0AB1; Granted Authorities: ROLE_ANONYMOUS
2015-08-04 10:07:43.045 DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@265c45f7, returned: 1
2015-08-04 10:07:43.045 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Authorization successful
2015-08-04 10:07:43.045 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - RunAsManager did not change Authentication object
2015-08-04 10:07:43.045 DEBUG o.s.security.web.FilterChainProxy - /login.jsp reached end of additional filter chain; proceeding with original chain
2015-08-04 10:07:43.046 DEBUG o.s.s.w.a.ExceptionTranslationFilter - Chain processed normally
2015-08-04 10:07:43.046 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2015-08-04 10:07:43.046 DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

因此，似乎用户以匿名身份进行身份验证，之后我回到登录页面，因为匿名用户无法访问。

有谁能告诉我配置有什么问题？或者我如何进一步分析这个？

Answer 1

我不确定jdk的krb实现如何在linux和win之间有所不同。显然存在一些差异，因为在linux中jdk将尝试查找默认/etc/krb5.conf并且还有一个我现在不记得的默认位置。我认为在胜利中类似的调整适用于jdk。您可以事件暂时重命名默认krb5.conf文件以确保它未被使用（并且配置错误）。

我在这里黑暗中拍摄，但让我们随意猜测。当我制作所有样品但最终完成所有工作时，我遇到了各种各样的麻烦。在某些时候（在linux中）当我完全迷失了，如果失败是由我们的spring-security-kerberos libs引起的，或者与kerberos设置等有关，我发现在jdk之外测试kerberos设置非常有价值。请参阅http://docs.spring.io/spring-security-kerberos/docs/1.0.1.RELEASE/reference/htmlsingle/#troubleshooting，特别是尝试将ldapsearch从linux连接到AD。您不需要使用keytabs，因为如果设置正确，kinit应该允许您从AD获取票证。

我有一件事：

[realms]
EXAMPLE.ORG = {
  kdc = WIN-EKBO0EQ7TS7.example.org:88
}

我认为我有这个端口88是有原因的，如果没有定义，可能会有一些不同的默认值linux / win jdk。

如果enctypes使用不同的那些以及linux jdk支持的内容，则支持AD。这是您应该从jdk内部krb调试日志中看到的内容。此外，如果您能够从kinit反对AD，那么klist将显示关键的enctype。

Answer 2

我发现在Windows的本地环境和linux环境中，未使用GlobalSunJaasKerberosConfig krbConfLocation（见下文）中指定的krb5.conf。虽然调试输出显示此文件，但所做的更改没有任何效果。在我的Windows环境中，我有一个正确设置的kerberos配置（我仍然不知道它在哪里，我在任何地方都没有krb5.ini ......）在linux环境中我没有。结果，kerberos在linux环境中失败了。

我设法通过设置环境变量java.security.krb5.realm和java.security.krb5.kdc（参见https://blogs.oracle.com/wangwj/entry/kerberos_programming_on_windows）来解决此问题。通过这些设置kerberos认证工作。

未使用此bean的krbConfLocation：

<beans:bean class="org.springframework.security.kerberos.authentication.sun.GlobalSunJaasKerberosConfig">
        <beans:property name="debug" value="false" />
        <beans:property name="krbConfLocation" value="file:${externalPropertiesPath}/krb5.conf"/>
    </beans:bean>

如何在Tomcat / linux服务器上配置kerberos？

2 个答案: