我正在尝试实施基于SPNEGO Kerberose的SSO,遵循http://spnego.sourceforge.net/pre_flight.html的说明。在tomcat中部署示例应用程序时,我收到以下错误。
javax.servlet.ServletException: javax.security.auth.login.LoginException: Cannot locate default realm
at net.sourceforge.spnego.SpnegoHttpFilter.init(SpnegoHttpFilter.java:198)
at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:273)
at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:254)
at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:372)
at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:98)
at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4542)
at org.apache.catalina.core.StandardContext$2.call(StandardContext.java:5220)
at org.apache.catalina.core.StandardContext$2.call(StandardContext.java:5215)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.security.auth.login.LoginException: Cannot locate default realm
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at net.sourceforge.spnego.SpnegoAuthenticator.<init>(SpnegoAuthenticator.java:161)
at net.sourceforge.spnego.SpnegoHttpFilter.init(SpnegoHttpFilter.java:196)
... 11 more
Caused by: KrbException: Cannot locate default realm
at sun.security.krb5.PrincipalName.<init>(Unknown Source)
... 26 more
Caused by: KrbException: Cannot locate default realm
at sun.security.krb5.Config.getDefaultRealm(Unknown Source)
... 27 more
Caused by: KrbException: Generic error (description in e-text) (60) - Unable to locate Kerberos realm
at sun.security.krb5.Config.getRealmFromDNS(Unknown Source)
以下是我的krb5.conf文件的内容
[libdefaults]
default_realm = VSSO.LOCAL
default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
allowed_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
[领域]
VSSO.LOCAL = {
kdc = adsrv.vsso.local
default_domain = VSSO.LOCAL
}
以下是login.conf文件
spnego-client {
com.sun.security.auth.module.Krb5LoginModule required;
};
spnego-server {
需要com.sun.security.auth.module.Krb5LoginModule
storeKey =真
isInitiator = FALSE;
};
[domain_realm]
.VSSO.LOCAL = VSSO.LOCAL
关于这个问题的任何想法?
答案 0 :(得分:0)
问题是由于自定义的'SunJaasKerberosTicketValidator'类,我已删除此自定义类,此问题现已解决。
但我现在面临另一个问题。
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:444)
net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:283)
net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:229)
root cause
KrbException: Checksum failed
sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown Source)
sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown Source)
sun.security.krb5.EncryptedData.decrypt(Unknown Source)
sun.security.krb5.KrbApReq.authenticate(Unknown Source)
sun.security.krb5.KrbApReq.<init>(Unknown Source)
sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:444)
net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:283)
net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:229)
root cause
java.security.GeneralSecurityException: Checksum failed
sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(Unknown Source)
sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(Unknown Source)
sun.security.krb5.internal.crypto.Aes256.decrypt(Unknown Source)
sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown Source)
sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown Source)
sun.security.krb5.EncryptedData.decrypt(Unknown Source)
sun.security.krb5.KrbApReq.authenticate(Unknown Source)
sun.security.krb5.KrbApReq.<init>(Unknown Source)
sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:444)
net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:283)
net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:229)
EType:sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
我已经将jdk1.7的无限安全策略文件复制到我的jre / lib / security文件夹中。 我正在使用OS Windows 2008 R2
关于这个问题的任何想法?
我仍然遇到以下解码问题
GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES128 CTS mode with HMAC SHA1-96)
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:444)
net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:283)
net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:229)