Spnego Kerberos Spring SSO

时间:2016-02-04 14:27:46

标签: spring single-sign-on kerberos spnego

我正在尝试实施基于SPNEGO Kerberose的SSO,遵循http://spnego.sourceforge.net/pre_flight.html的说明。在tomcat中部署示例应用程序时,我收到以下错误。

javax.servlet.ServletException: javax.security.auth.login.LoginException: Cannot locate default realm
    at net.sourceforge.spnego.SpnegoHttpFilter.init(SpnegoHttpFilter.java:198)
    at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:273)
    at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:254)
    at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:372)
    at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:98)
    at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4542)
    at org.apache.catalina.core.StandardContext$2.call(StandardContext.java:5220)
    at org.apache.catalina.core.StandardContext$2.call(StandardContext.java:5215)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.security.auth.login.LoginException: Cannot locate default realm
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
    at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.access$000(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
    at javax.security.auth.login.LoginContext.login(Unknown Source)
    at net.sourceforge.spnego.SpnegoAuthenticator.<init>(SpnegoAuthenticator.java:161)
    at net.sourceforge.spnego.SpnegoHttpFilter.init(SpnegoHttpFilter.java:196)
    ... 11 more
Caused by: KrbException: Cannot locate default realm
    at sun.security.krb5.PrincipalName.<init>(Unknown Source)
    ... 26 more
Caused by: KrbException: Cannot locate default realm
    at sun.security.krb5.Config.getDefaultRealm(Unknown Source)
    ... 27 more
Caused by: KrbException: Generic error (description in e-text) (60) - Unable to locate Kerberos realm
    at sun.security.krb5.Config.getRealmFromDNS(Unknown Source)

以下是我的krb5.conf文件的内容

[libdefaults]
default_realm = VSSO.LOCAL
default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
allowed_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
[领域]
    VSSO.LOCAL = {
        kdc = adsrv.vsso.local
        default_domain = VSSO.LOCAL
}

以下是login.conf文件

spnego-client {
    com.sun.security.auth.module.Krb5LoginModule required;
};

spnego-server {
    需要com.sun.security.auth.module.Krb5LoginModule
    storeKey =真
    isInitiator = FALSE;
};
[domain_realm]
    .VSSO.LOCAL = VSSO.LOCAL

关于这个问题的任何想法?

1 个答案:

答案 0 :(得分:0)

问题是由于自定义的'SunJaasKerberosTicketValidator'类,我已删除此自定义类,此问题现已解决。

但我现在面临另一个问题。

GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
    sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
    sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:444)
    net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:283)
    net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:229)


root cause 

KrbException: Checksum failed
    sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown Source)
    sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown Source)
    sun.security.krb5.EncryptedData.decrypt(Unknown Source)
    sun.security.krb5.KrbApReq.authenticate(Unknown Source)
    sun.security.krb5.KrbApReq.<init>(Unknown Source)
    sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
    sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
    sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:444)
    net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:283)
    net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:229)


root cause 

java.security.GeneralSecurityException: Checksum failed
    sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(Unknown Source)
    sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(Unknown Source)
    sun.security.krb5.internal.crypto.Aes256.decrypt(Unknown Source)
    sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown Source)
    sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown Source)
    sun.security.krb5.EncryptedData.decrypt(Unknown Source)
    sun.security.krb5.KrbApReq.authenticate(Unknown Source)
    sun.security.krb5.KrbApReq.<init>(Unknown Source)
    sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
    sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
    sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:444)
    net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:283)
    net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:229)

EType:sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType

我已经将jdk1.7的无限安全策略文件复制到我的jre / lib / security文件夹中。 我正在使用OS Windows 2008 R2

关于这个问题的任何想法?

修改

我仍然遇到以下解码问题

GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES128 CTS mode with HMAC SHA1-96)
    sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
    sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:444)
    net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:283)
    net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:229)