WildFly 10 on Windows with Kerberos authentication

Time: 2016-03-29 15:41:45

Tags: kerberos spnego wildfly-10

I have to configure WildFly 10 to support SSO against Microsoft Active Directory. The server is running on Windows Server 2012 R2.

I have tried several configurations and recommendations found via Google.

Every time I

PBOX00206: Login failure: javax.security.auth.login.LoginException: Continuation Required.

This is not necessarily an error, because it only shows up when DEBUG is on.

The web browser gets 401 - Unauthorized

I am stuck on that.

Do you know what is wrong or what I can do now?

standalone.xml (partial only)

<system-properties>
  <property name="jboss.security.disable.secdomain.option" value="true" />
  <property name="sun.security.krb5.debug" value="true" />
  <property name="java.security.krb5.kdc" value="dns.xxx.cz" />
  <property name="java.security.krb5.realm" value="XXX.CZ" />
  <property name="java.security.krb5.conf" value="d:\\krb5.conf" />
</system-properties>

<security-domain name="host" cache-type="default">
  <authentication>
    <login-module code="Kerberos" flag="required">
      <module-option name="debug" value="true"/>
      <module-option name="storeKey" value="true"/>
      <module-option name="refreshKrb5Config" value="true"/>
      <module-option name="useKeyTab" value="true"/>
      <module-option name="doNotPrompt" value="true"/>
      <module-option name="keytab" value="d:\\web.keytab"/>
      <module-option name="principal" value="HTTP/server.xxx.cz@XXX.CZ"/>
    </login-module>
  </authentication>
</security-domain>

<security-domain name="SPNEGO" cache-type="default">
  <authentication>
    <login-module code="SPNEGOUsers" flag="required">
      <module-option name="password-stacking" value="useFirstPass"/>
      <module-option name="serverSecurityDomain" value="host"/>
    </login-module>
    <login-module code="AdvancedLdap" flag="requisite">
      <module-option name="jaasSecurityDomain" value="host"/>
      <module-option name="password-stacking" value="useFirstPass"/>
      <module-option name="java.naming.security.authentication" value="simple"/>
      <module-option name="java.naming.provider.url" value="ldap://192.168.1.1:3268"/>
      <module-option name="bindDN" value="CN=svc,DC=xxx,DC=cz"/>
      <module-option name="bindCredential" value="password"/>
      <module-option name="baseCtxDN" value="DC=xxx,DC=cz"/>
      <module-option name="baseFilter" value="(userPrincipalName={0})"/>
      <module-option name="rolesCtxDN" value="DC=xxx,DC=cz"/>
      <module-option name="roleAttributeIsDN" value="true"/>
      <module-option name="roleAttributeID" value="memberOf"/>
      <module-option name="roleNameAttributeID" value="cn"/>
      <module-option name="recurseRoles" value="true"/>
      <module-option name="allowEmptyPassword" value="false"/>
    </login-module>
  </authentication>
</security-domain>

WildFly output

 2016-03-29 13:51:26,011 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) removeRealmFromPrincipal=false
 2016-03-29 13:51:26,026 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) serverSecurityDomain=host
 2016-03-29 13:51:26,026 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) usernamePasswordDomain=null
 2016-03-29 13:51:26,026 INFO  [stdout] (default task-4) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is HTTP/server.xxx.cz@xxx.CZ tryFirstPass is false useFirstPass is false storePass is false clearPass is false
 2016-03-29 13:51:26,026 INFO  [stdout] (default task-4) Java config name: d:\\krb5.conf
 2016-03-29 13:51:26,026 INFO  [stdout] (default task-4) Loaded from Java config
 2016-03-29 13:51:26,026 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): xxx.CZ
 2016-03-29 13:51:26,026 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): HTTP
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): server.xxx.cz
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTab: load() entry length: 55; type: 1
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): xxx.CZ
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): HTTP
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): server.xxx.cz
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTab: load() entry length: 55; type: 3
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): xxx.CZ
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): HTTP
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): server.xxx.cz
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTab: load() entry length: 63; type: 23
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): xxx.CZ
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): HTTP
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): server.xxx.cz
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTab: load() entry length: 79; type: 18
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): xxx.CZ
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): HTTP
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): server.xxx.cz
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTab: load() entry length: 63; type: 17
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) Looking for keys for: HTTP/server.xxx.cz@xxx.CZ
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) Added key: 17version: 4
 2016-03-29 13:51:26,058 INFO  [stdout] (default task-4) Added key: 18version: 4
 2016-03-29 13:51:26,058 INFO  [stdout] (default task-4) Added key: 23version: 4
 2016-03-29 13:51:26,058 INFO  [stdout] (default task-4) Found unsupported keytype (3) for HTTP/server.xxx.cz@xxx.CZ
 2016-03-29 13:51:26,058 INFO  [stdout] (default task-4) Found unsupported keytype (1) for HTTP/server.xxx.cz@xxx.CZ
 2016-03-29 13:51:26,058 INFO  [stdout] (default task-4) >>> KdcAccessibility: reset
 2016-03-29 13:51:26,058 INFO  [stdout] (default task-4) Looking for keys for: HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,058 INFO  [stdout] (default task-4) Added key: 17version: 4
 2016-03-29 13:51:26,058 INFO  [stdout] (default task-4) Added key: 18version: 4
 2016-03-29 13:51:26,058 INFO  [stdout] (default task-4) Added key: 23version: 4
 2016-03-29 13:51:26,058 INFO  [stdout] (default task-4) Found unsupported keytype (3) for HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,058 INFO  [stdout] (default task-4) Found unsupported keytype (1) for HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,058 INFO  [stdout] (default task-4) default etypes for default_tkt_enctypes: 23 18 17 16.
 2016-03-29 13:51:26,058 INFO  [stdout] (default task-4) >>> KrbAsReq creating message
 2016-03-29 13:51:26,073 INFO  [stdout] (default task-4) >>> KrbKdcReq send: kdc=adsrv.xxx.cz UDP:88, timeout=30000, number of retries =3, #bytes=145
 2016-03-29 13:51:26,073 INFO  [stdout] (default task-4) >>> KDCCommunication: kdc=adsrv.xxx.cz UDP:88, timeout=30000,Attempt =1, #bytes=145
 2016-03-29 13:51:26,073 INFO  [stdout] (default task-4) >>> KrbKdcReq send: #bytes read=182
 2016-03-29 13:51:26,073 INFO  [stdout] (default task-4) >>>Pre-Authentication Data:
 2016-03-29 13:51:26,073 INFO  [stdout] (default task-4)     PA-DATA type = 19
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4)     PA-ETYPE-INFO2 etype = 18, salt = XXX.CZHTTPserver.xxx.cz, s2kparams = null
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4)     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4) 
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4) >>>Pre-Authentication Data:
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4)     PA-DATA type = 2
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4)     PA-ENC-TIMESTAMP
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4) >>>Pre-Authentication Data:
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4)     PA-DATA type = 16
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4) 
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4) >>>Pre-Authentication Data:
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4)     PA-DATA type = 15
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4) 
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4) >>> KdcAccessibility: remove adsrv.xxx.cz
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4) >>> KDCRep: init() encoding tag is 126 req type is 11
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4) >>>KRBError:
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4)     sTime is Tue Mar 29 13:51:26 CEST 2016 1459252286000
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4)     suSec is 834289
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4)     error code is 25
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4)     error Message is Additional pre-authentication required
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4)     sname is krbtgt/XXX.CZ@XXX.CZ
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4)     eData provided.
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4)     msgType is 30
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4) >>>Pre-Authentication Data:
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4)     PA-DATA type = 19
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4)     PA-ETYPE-INFO2 etype = 18, salt = XXX.CZHTTPserver.xxx.cz, s2kparams = null
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4)     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4) 
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4) >>>Pre-Authentication Data:
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4)     PA-DATA type = 2
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4)     PA-ENC-TIMESTAMP
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4) >>>Pre-Authentication Data:
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4)     PA-DATA type = 16
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4) 
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4) >>>Pre-Authentication Data:
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4)     PA-DATA type = 15
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4) 
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4) KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4) default etypes for default_tkt_enctypes: 23 18 17 16.
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4) Looking for keys for: HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4) Added key: 17version: 4
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4) Added key: 18version: 4
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4) Added key: 23version: 4
 2016-03-29 13:51:26,120 INFO  [stdout] (default task-4) Found unsupported keytype (3) for HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,120 INFO  [stdout] (default task-4) Found unsupported keytype (1) for HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,120 INFO  [stdout] (default task-4) Looking for keys for: HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,120 INFO  [stdout] (default task-4) Added key: 17version: 4
 2016-03-29 13:51:26,120 INFO  [stdout] (default task-4) Added key: 18version: 4
 2016-03-29 13:51:26,120 INFO  [stdout] (default task-4) Added key: 23version: 4
 2016-03-29 13:51:26,120 INFO  [stdout] (default task-4) Found unsupported keytype (3) for HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,120 INFO  [stdout] (default task-4) Found unsupported keytype (1) for HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,120 INFO  [stdout] (default task-4) default etypes for default_tkt_enctypes: 23 18 17 16.
 2016-03-29 13:51:26,120 INFO  [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
 2016-03-29 13:51:26,120 INFO  [stdout] (default task-4) >>> KrbAsReq creating message
 2016-03-29 13:51:26,120 INFO  [stdout] (default task-4) >>> KrbKdcReq send: kdc=adsrv.xxx.cz UDP:88, timeout=30000, number of retries =3, #bytes=232
 2016-03-29 13:51:26,120 INFO  [stdout] (default task-4) >>> KDCCommunication: kdc=adsrv.xxx.cz UDP:88, timeout=30000,Attempt =1, #bytes=232
 2016-03-29 13:51:26,136 INFO  [stdout] (default task-4) >>> KrbKdcReq send: #bytes read=84
 2016-03-29 13:51:26,136 INFO  [stdout] (default task-4) >>> KrbKdcReq send: kdc=adsrv.xxx.cz TCP:88, timeout=30000, number of retries =3, #bytes=232
 2016-03-29 13:51:26,136 INFO  [stdout] (default task-4) >>> KDCCommunication: kdc=adsrv.xxx.cz TCP:88, timeout=30000,Attempt =1, #bytes=232
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) >>>DEBUG: TCPClient reading 1478 bytes
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) >>> KrbKdcReq send: #bytes read=1478
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) >>> KdcAccessibility: remove adsrv.xxx.cz
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) Looking for keys for: HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) Added key: 17version: 4
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) Added key: 18version: 4
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) Added key: 23version: 4
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) Found unsupported keytype (3) for HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) Found unsupported keytype (1) for HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) >>> KrbAsRep cons in KrbAsReq.getReply HTTP/server.xxx.cz
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) principal is HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) Will use keytab
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) Commit Succeeded 
 2016-03-29 13:51:26,167 INFO  [stdout] (default task-4) 
 2016-03-29 13:51:26,167 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Subject = Subject:
    Principal: HTTP/server.xxx.cz@XXX.CZ
    Private Credential: Ticket (hex) = 
 0000: 61 82 04 50 30 82 04 4C   A0 03 02 01 05 A1 08 1B  a..P0..L........
 0010: 06 41 4E 53 2E 43 5A A2   1B 30 19 A0 03 02 01 02  .XXX.CZ..0......
 0020: A1 12 30 10 1B 06 6B 72   62 74 67 74 1B 06 41 4E  ..0...krbtgt..AN
 0030: 53 2E 43 5A A3 82 04 1C   30 82 04 18 A0 03 02 01  S.CZ....0.......
 0040: 12 A1 03 02 01 03 A2 82   04 0A 04 82 04 06 F6 70  ...............p
 0050: 6C 89 66 60 B0 8D 98 60   81 3A 13 49 C0 C8 92 96  l.f`...`.:.I....
 0060: BE 05 0D 59 F1 98 2C CA   AD 7D C2 0E 89 17 1F 36  ...Y..,........6
 0070: 55 0B D0 BE 74 E1 45 E9   78 E5 A0 EF A3 0B 7E AA  U...t.E.x.......
 0080: F7 8D 47 35 EA BE 1F 52   0D 05 77 05 CA 19 FE 4E  ..G5...R..w....N
 0090: D2 FE 46 DD 70 79 DC 40   D4 AE 70 25 BA BA 48 11  ..F.py.@..p%..H.
 00A0: EB 1E 5C 4E F0 73 33 D2   98 47 F8 17 F1 0E 9C D2  ..\N.s3..G......
 00B0: 23 BD B8 7B 69 C5 FF 43   1E 13 CB 8F 96 C7 3F D1  #...i..C......?.
 00C0: 24 4A 5E E0 69 70 2D E3   D0 45 3B 09 0C 4B CA FD  $J^.ip-..E;..K..
 00D0: 08 97 20 BC BB 71 58 B0   5A 00 D2 C4 7D 3A 0F 26  .. ..qX.Z....:.&
 00E0: 56 B3 6C D3 FF FC 6C 4E   51 1D B9 DF BE 02 D0 7B  V.l...lNQ.......
 00F0: E0 0C B0 21 AA 54 71 07   63 6A 6D 65 34 08 4F 9F  ...!.Tq.cjme4.O.
 0100: 22 7C 37 70 CF 40 C5 77   56 10 C8 C2 B4 5B 5D BB  ".7p.@.wV....[].
 0110: FA C0 51 05 E8 14 04 AE   52 8D 80 AA 31 66 6E 7F  ..Q.....R...1fn.
 0120: 28 3E 49 35 9E A4 5A ED   21 0A FE D9 B1 96 15 A6  (>I5..Z.!.......
 0130: 51 0A A6 AA BB 1D 22 B9   FC 2D 87 65 42 FB 5E 17  Q....."..-.eB.^.
 0140: 94 32 2F BA 94 06 7C 3A   9E 56 73 52 59 FE F1 3C  .2/....:.VsRY..<
 0150: D0 19 5F B3 B3 E3 0D F4   0C 51 1A E2 CF 19 50 61  .._......Q....Pa
 0160: BA 55 6A 57 F8 9F 8F F7   43 D7 2B B8 62 22 6E F4  .UjW....C.+.b"n.
 0170: B2 A8 CC 09 A9 3B A4 C2   5D D8 75 EA 99 7E 20 93  .....;..].u... .
 0180: 33 ED 8B BF 40 CC 82 49   69 F5 05 3D 30 1A 5D D4  3...@..Ii..=0.].
 0190: CD E2 A3 DE 36 77 94 63   D2 B4 DE 44 AA 35 BD C9  ....6w.c...D.5..
 01A0: 5D 57 4D 10 E6 51 A7 D9   A5 A6 EB 9A A1 2D 88 2C  ]WM..Q.......-.,
 01B0: 27 F1 C8 8E E9 1B 14 90   88 E7 4E 70 3C 53 EC E7  '.........Np<S..
 01C0: 29 84 DA 1C 7E 33 A2 99   9D C5 85 3B 63 67 CE 84  )....3.....;cg..
 01D0: 73 41 75 67 9D 6E BC E9   80 0B 1C B4 56 0C AB 92  sAug.n......V...
 01E0: 13 79 D2 4D D9 B8 15 91   51 48 ED 7D 30 8B 16 ED  .y.M....QH..0...
 01F0: C4 AB CE 0D D7 F6 0D 41   7F BA 99 E1 9E 51 8D 82  .......A.....Q..
 0200: 2D 2D B9 1B C8 92 71 22   28 43 B2 AD FC 67 A0 10  --....q"(C...g..
 0210: 3E 85 61 52 48 C1 2C A7   CC 49 70 7B 1E 32 27 22  >.aRH.,..Ip..2'"
 0220: 30 04 DD 4E 6E 45 F3 0B   0F E2 F6 EB 8E CF 0D B7  0..NnE..........
 0230: 32 F4 2D 47 E6 B3 13 97   E3 C2 D0 53 84 ED FC 7C  2.-G.......S....
 0240: 40 60 52 AC FC 0C C8 C9   D7 D3 C6 C6 F0 33 34 1B  @`R..........34.
 0250: 8E 6E 12 3B AB 30 34 0C   99 29 11 67 A2 01 75 BB  .n.;.04..).g..u.
 0260: 8F C2 8F A9 47 71 63 EF   58 17 95 46 57 69 8C 4F  ....Gqc.X..FWi.O
 0270: 2B 47 50 2E D9 C2 B6 3C   2A FF BD 0E DF FB 72 DF  +GP....<*.....r.
 0280: 76 58 9A DF 8A 94 DC 7C   ED 99 BB D5 DF 27 88 F8  vX...........'..
 0290: 65 A2 5F 16 C0 A2 43 FA   F3 E7 88 DF 88 62 20 F8  e._...C......b .
 02A0: 4A 6C C3 8D 36 3F 82 F4   0C 37 6B BB C1 89 20 12  Jl..6?...7k... .
 02B0: 36 9E E2 48 D0 BE 30 09   36 1B 7E 4C 8F 90 D8 C2  6..H..0.6..L....
 02C0: 6F 64 E8 DE D4 BE B9 B4   CD 53 F2 B1 29 AF 19 0B  od.......S..)...
 02D0: 09 93 20 6D CE 92 7D EE   DB 38 19 46 04 C1 E4 CE  .. m.....8.F....
 02E0: DC 05 60 DF 48 30 89 41   3D CA 2A 91 02 5E C5 FA  ..`.H0.A=.*..^..
 02F0: B0 07 25 E1 06 92 4F CD   61 B9 EB 79 2B E3 31 70  ..%...O.a..y+.1p
 0300: CF 9D 30 35 61 E0 ED 17   88 08 87 67 CB E8 B3 05  ..05a......g....
 0310: E6 80 2C 2E D7 B8 4B 31   06 64 E5 2D 29 98 64 84  ..,...K1.d.-).d.
 0320: B2 97 59 D5 7E B4 38 7D   C0 87 B6 79 3A 8E AD 28  ..Y...8....y:..(
 0330: E3 01 83 DE E6 9C E2 A6   A2 42 88 2F 13 E6 DF 4A  .........B./...J
 0340: D4 1A 2D 08 B8 87 7C B3   EF D6 CD 26 CF F3 E9 7C  ..-........&....
 0350: 97 39 43 6C 38 BC C4 02   53 27 D9 5A 8A BA 8A DF  .9Cl8...S'.Z....
 0360: 73 48 19 04 6E 7F B7 6D   5D B5 ED A3 0A 1A 2A B8  sH..n..m].....*.
 0370: F1 22 A8 AF 82 08 D1 5D   74 04 F8 87 81 55 39 8B  .".....]t....U9.
 0380: 40 BF C3 26 4F 5C 56 05   C8 9F 2A 3A F2 3D A7 2B  @..&O\V...*:.=.+
 0390: 48 F3 0A 60 AD 8B 53 A0   8A 86 6F 54 54 1D 84 67  H..`..S...oTT..g
 03A0: 23 B4 0F 59 A4 73 94 9F   FE 43 63 DF 68 7A F1 8D  #..Y.s...Cc.hz..
 03B0: B4 B2 C4 CC 42 F0 23 3E   50 5F 64 C1 AD 1C EC 2A  ....B.#>P_d....*
 03C0: 2D F2 1F 52 F1 81 33 D7   B1 85 D8 98 A7 38 22 7F  -..R..3......8".
 03D0: 42 00 7E 1F 8C 8D 32 00   B9 F9 61 F2 86 59 4C 69  B.....2...a..YLi
 03E0: E0 19 AC 5D 75 E1 98 A6   83 A2 5F 4E C2 6D D9 69  ...]u....._N.m.i
 03F0: EC 3B 5D E5 A3 10 F5 24   95 B0 EC E2 FF FC CF 54  .;]....$.......T
 0400: BC 2B 43 AD 4A D6 77 A2   1B 54 AE 52 AC 5A E2 75  .+C.J.w..T.R.Z.u
 0410: 59 38 C7 64 15 0C CE 18   50 1D 24 9C FE FB 3C 4A  Y8.d....P.$...<J
 0420: 33 31 4B C6 65 40 F7 8B   4A 35 75 67 1B DD 1F 60  31K.e@..J5ug...`
 0430: 10 CF C2 AB 05 8B AD 43   2A 95 FE AA 94 80 98 38  .......C*......8
 0440: D8 3C 6A 15 21 40 34 E8   0B 42 73 5A 9A B4 4F D4  .<j.!@4..BsZ..O.
 0450: 17 57 30 D1                                        .W0.

 Client Principal = HTTP/server.xxx.cz@XXX.CZ
 Server Principal = krbtgt/XXX.CZ@XXX.CZ
 Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
 0000: 10 A6 39 17 84 65 5E 8C   5B 39 22 E4 2A 9E 95 97  ..9..e^.[9".*...


 Forwardable Ticket false
 Forwarded Ticket false
 Proxiable Ticket false
 Proxy Ticket false
 Postdated Ticket false
 Renewable Ticket false
 Initial Ticket false
 Auth Time = Tue Mar 29 13:51:26 CEST 2016
 Start Time = Tue Mar 29 13:51:26 CEST 2016
 End Time = Tue Mar 29 23:51:26 CEST 2016
 Renew Till = null
 Client Addresses  Null 
    Private Credential: Default keytab for HTTP/server.xxx.cz@XXX.CZ

 2016-03-29 13:51:26,198 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Logged in 'host' LoginContext
 2016-03-29 13:51:26,198 INFO  [stdout] (default task-4)        [Krb5LoginModule]: Entering logout
 2016-03-29 13:51:26,198 INFO  [stdout] (default task-4)        [Krb5LoginModule]: logged out Subject
 2016-03-29 13:51:26,198 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) NegotiationContext.setContinuationRequired(true)
 2016-03-29 13:51:26,214 DEBUG [org.jboss.security] (default task-4) PBOX00206: Login failure: javax.security.auth.login.LoginException: Continuation Required.
    at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:192)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333)
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
    at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)
    at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:96)
    at org.jboss.security.negotiation.NegotiationMechanism.authenticate(NegotiationMechanism.java:99)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
    at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
    at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
    at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
    at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)

 2016-03-29 13:51:26,625 TRACE [org.jboss.security] (default task-3) PBOX00201: End isValid, result = false
 2016-03-29 13:51:26,625 TRACE [org.jboss.security.negotiation.common.NegotiationContext] (default task-3) clear 35ec8348
 2016-03-29 13:51:26,641 TRACE [org.jboss.security] (default task-3) PBOX00354: Setting security roles ThreadLocal: null
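The JDK debug output above tells you what the server found in `d:\web.keytab`: five keys for `HTTP/server.xxx.cz@XXX.CZ`, all kvno 4, of which the two DES keys (enctypes 1 and 3) are reported as "unsupported" because the JDK refuses DES unless `allow_weak_crypto = true` is set in krb5.conf, leaving RC4-HMAC (23), AES256 (18) and AES128 (17) in play. The script below is an added example, not part of the original post or of WildFly: it parses a keytab in the MIT/Heimdal `0x0502` format offline and reports the same facts (principal, kvno, enctype) plus the checks a practitioner wants before pointing WildFly at the file: the expected SPN is present, kvnos are consistent, no key is DES or RC4 only, and an AES key exists. The keytab bytes are constructed inline with dummy key material so the example runs without a KDC; the principal and enctype set mirror the log above, everything else is an assumption.

```python
"""Offline keytab check in the spirit of the sun.security.krb5.debug output.

Added example, not code from the original post or from WildFly.  The sample
keytab at the bottom is constructed here with dummy keys; only the principal
name and the enctype list mirror the log in the question.
"""
import struct

# RFC 3961 / RFC 3962 / RFC 4757 enctype numbers as they appear in the log
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# The JDK ignores DES keys unless krb5.conf sets allow_weak_crypto = true;
# that is the "Found unsupported keytype (1)/(3)" line in the log.
JDK_DISABLED_BY_DEFAULT = {1, 3}
WEAK = {1, 3, 23}


def _counted(buf, pos):
    """Read a counted_octet_string (uint16 length + bytes) at pos."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return bytes(buf[pos + 2:pos + 2 + n]), pos + 2 + n


def parse_keytab(data):
    """Return one dict per live entry of a version-0x0502 keytab, in file order."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-0x0502 keytab: %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)   # negative size = deleted slot
        pos += 4
        if size <= 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (etype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _counted(data, pos)
        kvno = vno8
        if end - pos >= 4:                 # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "etype": etype,
            "etype_name": ENCTYPE_NAMES.get(etype, "unknown(%d)" % etype),
            "key_len": len(key),
        })
    return entries


def check_keytab(data, expected_principal):
    """Return (findings, entries); findings is empty when the keytab looks sane."""
    entries = parse_keytab(data)
    findings = []
    mine = [e for e in entries if e["principal"] == expected_principal]
    if not mine:
        findings.append("no entry for %s" % expected_principal)
    kvnos = sorted({e["kvno"] for e in mine})
    if len(kvnos) > 1:
        findings.append("%s has mixed kvno %s (stale keys?)" % (expected_principal, kvnos))
    for e in mine:
        if e["etype"] in JDK_DISABLED_BY_DEFAULT:
            findings.append("%s kvno %d: %s is DES, ignored by the JDK unless allow_weak_crypto = true"
                            % (expected_principal, e["kvno"], e["etype_name"]))
        elif e["etype"] in WEAK:
            findings.append("%s kvno %d: %s is weak, prefer AES"
                            % (expected_principal, e["kvno"], e["etype_name"]))
    if not any(e["etype"] in (17, 18) for e in mine):
        findings.append("no AES key for %s" % expected_principal)
    return findings, entries


def build_keytab(realm, components, kvno, keys, timestamp=1459252286):
    """Construct a 0x0502 keytab; only here so the example is self-contained."""
    out = bytearray(b"\x05\x02")
    for etype, key in keys:
        body = bytearray(struct.pack(">H", len(components)))
        for s in [realm] + list(components):
            raw = s.encode()
            body += struct.pack(">H", len(raw)) + raw
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # KRB_NT_PRINCIPAL, time, vno8
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: same principal, kvno and enctype set as the log, dummy key bytes.
SAMPLE = build_keytab("XXX.CZ", ["HTTP", "server.xxx.cz"], 4, [
    (1, b"\x01" * 8), (3, b"\x02" * 8), (23, b"\x03" * 16),
    (18, b"\x04" * 32), (17, b"\x05" * 16),
])

if __name__ == "__main__":
    findings, entries = check_keytab(SAMPLE, "HTTP/server.xxx.cz@XXX.CZ")
    for e in entries:
        print("%-28s kvno %d  %-24s key %d bytes" % (e["principal"], e["kvno"], e["etype_name"], e["key_len"]))
    for f in findings:
        print("WARN:", f)
```

To run it against a real file, replace `SAMPLE` with `open(r"d:\web.keytab", "rb").read()` and pass the SPN from the `principal` module option. A keytab produced by `ktpass` with `-crypto All` will show exactly this DES/RC4/AES mix; regenerating with `-crypto AES256-SHA1` (and the matching `msDS-SupportedEncryptionTypes` on the service account) removes the weak keys, and the JDK then negotiates AES without needing `allow_weak_crypto`.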

2 Answers:

Answer 0 (score: 2)

You hit https://issues.jboss.org/browse/JBEAP-3709; it will be fixed in WildFly once https://github.com/wildfly/wildfly/pull/8816 is merged.

The solution is to upgrade org.jboss.security.negotiation to version 3.0.2.Final, which you can do either by rebuilding WildFly with the above pull request merged, or by changing the module in the directory modules/system/layers/base/org/jboss/security/negotiation/main.

Answer 1 (score: 0)

I can confirm that Kerberos authentication works with the latest jboss-negotiation module (version 3.0.3) and WildFly 10.0.0. The "Continuation Required" exception is still thrown, but it is masked in the log (unless the log category org.jboss.security is set to DEBUG). I did some tests with WildFly 10.1.0 and confirmed that Kerberos authentication works out of the box there (it ships with jboss-negotiation module 3.0.2), but it is better to patch in jboss-negotiation 3.0.3 there too if you are going to use LDAP for role mapping (because of an LDAP bug fix in that version).