IBM Websphere Application Server 8.5中的Spring安全性Kerberos身份验证失败

时间:2016-08-21 09:43:33

标签: spring-security websphere kerberos spring-security-kerberos

我正在尝试使用spring security实现单点登录。该应用程序托管在IBM Websphere Application Server 8.5(IBM JDK 7)中。

我已经通过了http://docs.spring.io/autorepo/docs/spring-security-kerberos/1.0.2.BUILD-SNAPSHOT/reference/htmlsingle/

我的安全配置文件如下所示:

<sec:http entry-point-ref="spnegoEntryPoint" use-expressions="true">
    <sec:intercept-url pattern="/contents/**" access="permitAll"/>
    <sec:intercept-url pattern="/favicon.ico" access="permitAll"/>
    <sec:intercept-url pattern="/WEB-INF/tags/**" access="permitAll"/>
    <sec:intercept-url pattern="/systemuser/login**" access="permitAll"/>
    <sec:intercept-url pattern="/systemuser/authentication/failure" access="permitAll"/>
    <sec:intercept-url pattern="/systemuser/logout**" access="permitAll"/>
    <sec:intercept-url pattern="/systemuser/405" access="permitAll"/>
    <sec:intercept-url pattern="/systemuser/noscript" access="permitAll"/>
    <sec:intercept-url pattern="/systemuser/**" access="isAuthenticated()"/>
    <sec:form-login login-page="/systemuser/login" authentication-failure-url="/systemuser/login?error=true"
                    authentication-success-handler-ref="systemUserAuthenticationSuccessHandler"/>
    <sec:logout logout-url="/systemuser/logout" success-handler-ref="systemUserLogoutSuccessHandler"/>
    <sec:access-denied-handler error-page="/403"/>
    <!-- enable csrf protection -->
    <sec:csrf/>
    <sec:headers/>
    <sec:custom-filter ref="spnegoAuthenticationProcessingFilter"
                       before="BASIC_AUTH_FILTER"/>
</sec:http>

<sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider ref="kerberosAuthenticationProvider"/>
    <sec:authentication-provider ref="kerberosServiceAuthenticationProvider"/>
</sec:authentication-manager>

<bean id="kerberosAuthenticationProvider"
      class="org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider">
    <property name="userDetailsService" ref="systemUserDetailsService"/>
    <property name="kerberosClient">
        <bean class="com.fdiapp.authentication.systemuser.service.IbmJaasKerberosClient">
            <property name="debug" value="true"/>
        </bean>
    </property>
</bean>

<bean id="spnegoEntryPoint"
      class="org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint">
    <constructor-arg value="/systemuser/login"/>
</bean>

<bean id="spnegoAuthenticationProcessingFilter"
      class="org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="successHandler" ref="systemUserAuthenticationSuccessHandler"/>
    <property name="failureHandler" ref="systemUserAuthenticationFailureHandler"/>
</bean>

<bean id="kerberosServiceAuthenticationProvider"
      class="org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider">
    <property name="ticketValidator">
        <bean
                class="com.fdiapp.authentication.systemuser.service.IbmJaasKerberosTicketValidator">
            <property name="servicePrincipal" value="HTTP/MYDOMAIN"/>
            <property name="keyTabLocation" value="/WEB-INF/keyfile/hbdap-hkkdd001.keytab"/>
            <property name="debug" value="true"/>
        </bean>
    </property>
    <property name="userDetailsService" ref="systemUserDetailsService"/>
</bean>

<bean id="systemUserDetailsService"
      class="com.fdiapp.authentication.systemuser.service.SystemUserDetailsService"/>
<bean id="systemUserAuthenticationSuccessHandler"
      class="com.fdiapp.authentication.handler.SystemUserAuthenticationSuccessHandler"/>

<bean id="systemUserLogoutSuccessHandler"
      class="com.fdiapp.authentication.handler.SystemUserLogoutSuccessHandler"/>
<bean id="systemUserAuthenticationFailureHandler"
      class="com.fdiapp.authentication.handler.SystemUserAuthenticationFailureHandler"/>

Kerberos客户端:

public class IbmJaasKerberosClient implements KerberosClient {
private boolean debug = true;
private static final Log LOG = LogFactory.getLog(IbmJaasKerberosClient.class);

@Override
public String login(String username, String password) {
    LOG.debug("Trying to authenticate " + username + " with Kerberos");
    String validatedUsername;

    try {
        LoginContext loginContext = new LoginContext("", null, new KerberosClientCallbackHandler(username, password),
                new LoginConfig(this.debug));
        loginContext.login();
        if (LOG.isDebugEnabled()) {
            LOG.debug("Kerberos authenticated user: "+loginContext.getSubject());
        }
        validatedUsername = loginContext.getSubject().getPrincipals().iterator().next().toString();
        loginContext.logout();
    } catch (LoginException e) {
        if(LOG.isDebugEnabled()){
            LOG.error(e.getMessage());
        }
        throw new BadCredentialsException("Kerberos authentication failed", e);
    }
    return validatedUsername;
}

public void setDebug(boolean debug) {
    this.debug = debug;
}

private static class LoginConfig extends Configuration {
    private boolean debug;

    public LoginConfig(boolean debug) {
        super();
        this.debug = debug;
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        HashMap<String, String> options = new HashMap<String, String>();
        options.put("credsType", "acceptor");
        if (debug) {
            options.put("debug", "true");
        }

        return new AppConfigurationEntry[] { new AppConfigurationEntry("com.ibm.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options), };
    }

}

private static class KerberosClientCallbackHandler implements CallbackHandler {
    private String username;
    private String password;

    public KerberosClientCallbackHandler(String username, String password) {
        this.username = username;
        this.password = password;
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (callback instanceof NameCallback) {
                NameCallback ncb = (NameCallback) callback;
                ncb.setName(username);
            } else if (callback instanceof PasswordCallback) {
                PasswordCallback pwcb = (PasswordCallback) callback;
                pwcb.setPassword(password.toCharArray());
            } else {
                throw new UnsupportedCallbackException(callback, "We got a " + callback.getClass().getCanonicalName()
                        + ", but only NameCallback and PasswordCallback is supported");
            }
        }

    }

}

}

Kereros Ticket Validator:

public class IbmJaasKerberosTicketValidator implements KerberosTicketValidator, InitializingBean {
private String servicePrincipal;
private Resource keyTabLocation;
private Subject serviceSubject;
private boolean holdOnToGSSContext;
private boolean debug = true;
private static final Log LOG = LogFactory.getLog(IbmJaasKerberosTicketValidator.class);

@Override
public KerberosTicketValidation validateTicket(byte[] token) {
    try {
        return Subject.doAs(this.serviceSubject, new KerberosValidateAction(token));
    }
    catch (PrivilegedActionException e) {
        throw new BadCredentialsException("Kerberos validation not successful", e);
    }
}

@Override
public void afterPropertiesSet() throws Exception {
    Assert.notNull(this.servicePrincipal, "servicePrincipal must be specified");
    Assert.notNull(this.keyTabLocation, "keyTab must be specified");
    if (keyTabLocation instanceof ClassPathResource) {
        LOG.warn("Your keytab is in the classpath. This file needs special protection and shouldn't be in the classpath. JAAS may also not be able to load this file from classpath.");
    }
    String keyTabLocationAsString = this.keyTabLocation.getURL().toExternalForm();
    // We need to remove the file prefix (if there is one), as it is not supported in Java 7 anymore.
    // As Java 6 accepts it with and without the prefix, we don't need to check for Java 7
    if (keyTabLocationAsString.startsWith("file:"))
    {
        keyTabLocationAsString = keyTabLocationAsString.substring(5);
    }
    LoginConfig loginConfig = new LoginConfig(keyTabLocationAsString, this.servicePrincipal,
            this.debug);
    Set<Principal> princ = new HashSet<Principal>(1);
    princ.add(new KerberosPrincipal(this.servicePrincipal));
    Subject sub = new Subject(false, princ, new HashSet<Object>(), new HashSet<Object>());
    LoginContext lc = new LoginContext("", sub, null, loginConfig);
    lc.login();
    this.serviceSubject = lc.getSubject();
}

/**
 * The service principal of the application.
 * For web apps this is <code>HTTP/full-qualified-domain-name@DOMAIN</code>.
 * The keytab must contain the key for this principal.
 *
 * @param servicePrincipal service principal to use
 * @see #setKeyTabLocation(Resource)
 */
public void setServicePrincipal(String servicePrincipal) {
    this.servicePrincipal = servicePrincipal;
}

/**
 * <p>The location of the keytab. You can use the normale Spring Resource
 * prefixes like <code>file:</code> or <code>classpath:</code>, but as the
 * file is later on read by JAAS, we cannot guarantee that <code>classpath</code>
 * works in every environment, esp. not in Java EE application servers. You
 * should use <code>file:</code> there.
 *
 * This file also needs special protection, which is another reason to
 * not include it in the classpath but rather use <code>file:/etc/http.keytab</code>
 * for example.
 *
 * @param keyTabLocation The location where the keytab resides
 */
public void setKeyTabLocation(Resource keyTabLocation) {
    this.keyTabLocation = keyTabLocation;
}

/**
 * Enables the debug mode of the JAAS Kerberos login module.
 *
 * @param debug default is false
 */
public void setDebug(boolean debug) {
    this.debug = debug;
}

/**
 * Determines whether to hold on to the {@link GSSContext GSS security context} or
 * otherwise {@link GSSContext#dispose() dispose} of it immediately (the default behaviour).
 * <p>Holding on to the GSS context allows decrypt and encrypt operations for subsequent
 * interactions with the principal.
 *
 * @param holdOnToGSSContext true if should hold on to context
 */
public void setHoldOnToGSSContext(boolean holdOnToGSSContext) {
    this.holdOnToGSSContext = holdOnToGSSContext;
}

/**
 * This class is needed, because the validation must run with previously generated JAAS subject
 * which belongs to the service principal and was loaded out of the keytab during startup.
 */
private class KerberosValidateAction implements PrivilegedExceptionAction<KerberosTicketValidation> {
    byte[] kerberosTicket;

    public KerberosValidateAction(byte[] kerberosTicket) {
        this.kerberosTicket = kerberosTicket;
    }

    @Override
    public KerberosTicketValidation run() throws Exception {
        byte[] responseToken = new byte[0];
        GSSName gssName = null;
        GSSContext context = GSSManager.getInstance().createContext((GSSCredential) null);
        boolean first = true;
        while (!context.isEstablished()) {
            if (first) {
                kerberosTicket = tweakJdkRegression(kerberosTicket);
            }
            responseToken = context.acceptSecContext(kerberosTicket, 0, kerberosTicket.length);
            gssName = context.getSrcName();
            if (gssName == null) {
                throw new BadCredentialsException("GSSContext name of the context initiator is null");
            }
            first = false;
        }
        if (!holdOnToGSSContext) {
            context.dispose();
        }
        return new KerberosTicketValidation(gssName.toString(), servicePrincipal, responseToken, context);
    }
}

/**
 * Normally you need a JAAS config file in order to use the JAAS Kerberos Login Module,
 * with this class it is not needed and you can have different configurations in one JVM.
 */
private static class LoginConfig extends Configuration {
    private String keyTabLocation;
    private String servicePrincipalName;
    private boolean debug;

    public LoginConfig(String keyTabLocation, String servicePrincipalName, boolean debug) {
        this.keyTabLocation = keyTabLocation;
        this.servicePrincipalName = servicePrincipalName;
        this.debug = debug;
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        HashMap<String, String> options = new HashMap<String, String>();
        options.put("useKeytab", this.keyTabLocation);
        options.put("principal", this.servicePrincipalName);
        options.put("credsType", "acceptor");
        if (this.debug) {
            options.put("debug", "true");
        }  

        return new AppConfigurationEntry[] { new AppConfigurationEntry("com.ibm.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options), };
    }

}

private static byte[] tweakJdkRegression(byte[] token) throws GSSException {

    if (token == null || token.length < 48) {
        return token;
    }

    int[] toCheck = new int[] { 0x06, 0x09, 0x2A, 0x86, 0x48, 0x82, 0xF7, 0x12, 0x01, 0x02, 0x02, 0x06, 0x09, 0x2A,
            0x86, 0x48, 0x86, 0xF7, 0x12, 0x01, 0x02, 0x02 };

    for (int i = 0; i < 22; i++) {
        if ((byte) toCheck[i] != token[i + 24]) {
            return token;
        }
    }

    byte[] nt = new byte[token.length];
    System.arraycopy(token, 0, nt, 0, 24);
    System.arraycopy(token, 35, nt, 24, 11);
    System.arraycopy(token, 24, nt, 35, 11);
    System.arraycopy(token, 46, nt, 46, token.length - 24 - 11 - 11);
    return nt;
}

}

我收到以下错误消息:

[8/11/16 11:33:59:201 HKT] 000000c4 SpnegoAuthent W org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter doFilter Negotiate Header was invalid: Negotiate YIIH7gYGKwYBBQUCoIIH4jCCB96gMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCB6gEggekYIIHoAYJKoZIhvcSAQICAQBuggePMIIHi6ADAgEFoQMCAQ6iBwMFACAAAACjggYjYYIGHzCCBhugAwIBBaESGxBIQkFQLkFEUk9PVC5IU0JDoiMwIaADAgECoRowGBsESFRUUBsQYmRmZGl3ZWIuaGsuaHNiY6OCBdkwggXVoAMCARehAwIBBqKCBccEggXDQGLqPfkN7NB70wA794JtYhl1p8tBNq2T9bF0T0crDWlj8n0H4IEUrncX6cn55JOjSyrmdLKMJxJaBnXiZoWzTUWMZG+iGu1EFw1JAZjpsAN1ahNCffWs9BqS8Gtmf2Ti03HTZhE756NKjtgPD4ZbDxFoNiLmtAZcunoefULV7XksZpBYHD7ZnSemybiMClJrVkXvX/cTD6V0ufNsvqC2GpYgTbhScIzNpY4M2ErZztdoIm7Vl8u9TQ+sb7WfDFaTrt6/+Vhm6CDublHskif7NEUojmtvIAG8A/7wHi65CZAy/6O8X7UkU0elG4geS6IGdR0BpeDz+m3vaI5neiAifFunEJPKtSbBzCl45AVGVtJU+I8Mq0WPUof7QbDBFeIO79f3UPVME6AwAfItT5bA3e1xJIh0GdiRI7wDvt5vILlASEpVh5YAc/YOjNMaxMvnqRphBJydlCxSZ5c77JQPl7liAaWQGijWuCpO6a0OTFzEUTDqKNwQuu2MPOljr4Bknq5AyZ+N4kMzET9dxktpZT8iqQD4DCApiJhMmCrXe+dByhoOs5rHLwLzBFE+dlob6wlSZcweRx/fSJeF8QilAy5/fbm8oX7habqMq13YHh8ipxBmJlDvJZrYbYaK+L6m5EMB/cMZgLNZCYzNdd+zFkR7QcTlpACECO0vn2QPrnV5kibMrU4L3Onp78vHKy+1hJn/7wbaygeTt7zBbxqFV/t3pCluvhZeSW5ziGUkN8r/8fWmPtn9Z9wD43IzQpFKf0hbSIVbSXfsu6DIT9ydjhKX/7UL6En9BNDn9Tbqz2KU5CxH4byAx48FksCZowsSXqjoyEnmdtImE86fEMTqgJSBnJqRsyn5J0IWy2ALxwRpA9IXsDo778ctV9E4lkEAkwxLj6nwtXkUi8VFI5XeLllIX7Bu2kLfYds2K1h3mOxLcv8OEoj/skEmxO6p5Lv2vcKl+gH2tbspxpwD7i7v1cLqlXVGf4aYKPs6j4E6YW5baZ+nNbUxzSOCc6+H7QI7I4xwyNDCEEG0xGiAqrvc3CS7QLfgoSzREayMz+0QAl2FlyT57C5Kh2I41XWpFohGlHmxpSfToiGbhaF37qLbEzBEqv77t1IIHw63nMJZEdTktqdwUN4qgRMMkHinjvhjWTJF6mNDgbHbxNLynX2YG/ebSxlPUEEgf1an0mBKTS8qJc6F+usPajeGYM+pJO4eWQqKmPGHjkDL3+hoDOJ1MP1t+rtWxmbvIBpdOJ5pzXzgV4KvSTFc4SrYBSOWYQl9VddCGKzr0uzGO2RMEnm6lNooRHXdch2zKrr6zED34Wjp1penLw4+n+H3T74Nan4lFz2Ppmq3EXc39dBGhSB0Y45pcLYPXP/ip9npw+MK1bofH0bqCSRq6bzC72Pm1pD5v1LL2rtrhbo58c+w95m12KQ4etPwlhD2Znss+dpcuFCZfnCSG5fT1kVaGBVrjWiFAy93omjld1G2LO7zGmA6CWaVYEmaC3BOHqmHRLr6300z4HT71n7i6DRg4jvwF5InbQq5O2PEuoYIl+uDa8pfErUPjh53KvoEOzVdaW8moLC8PalPt3N7R8oiNXvOW2fc7dGnbFaT5KavkUFcz1zYEXYL+WQB8MsMGJH0iwAk7MLO8e7GA4RCktSnIrA6n67dA0J/vlkcCM8WF/xrYeJgf5CZJMfRdlPVI+7nhdKWJtIPoy5IFjO3mW27PftXAJLIt8JyqCIJZbvvGP8fMgIpPslTFoav+MQ5SLFCwLra5ulEMKu3Lk3w9NETFaBQtmQHwgrc33+Ci9RPKDxvItxq7qx4UxCW287+3O/+ihozwrGBfepncH4m5NTdC9dgd+nvADplXFFoAasL7ffqO+0gABBWR+SSfj7rw2GW8JiDxc8TpeZriVoqzuoelsVxLkfIziIlBPsD89uv/dPmD75RPlDfABRPg2VCV1hV/8TrZzAbV4OkggFNMIIBSaADAgEXooIBQASCATy0A+HrORiz1Q9qaXPtQEQfD9fXQlLQWWFVVIBMHGu0f+goJYpJoLFDkfqTf0+wgyTuspdXaRWeUb3qlnEd3Vf6CCsrUzcuD5DyfFOpmSSGa9nOehaBAIUPcM+U8xWODQ5VZBUbLmUA1LzgwTW8Y/Sd95Tvo8ToGzBESzLquXj5CTgiXGqhlQPgAohuiAULg2C9mPaL+1tvVVlckjwHHxA14esHrfHvG254EmP7GPpmhAqo431oTF2lG5vXszIH6bFNcvw+HQAj9UtIVX59ZRqtIuJiAtjLrCXwHYmo8nZKtd0HWlvIHaviOaDts9DcxLzpekt7JFdt3lFUW0zePRQ3H4Byuvtd0Mpk8z1uwhnyj19xc7vgBaUBSu0M+k6FuMRur2ZKK2wZTjZDLOhlLgStVA+lwWFaVqdCgzTb
                             org.springframework.security.authentication.BadCredentialsException: Kerberos validation not successful
at com.fdiapp.authentication.systemuser.service.IbmJaasKerberosTicketValidator.validateTicket(IbmJaasKerberosTicketValidator.java:50)
at org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:64)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
at org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:145)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:85)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:57)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:195)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:91)
at org.springframework.web.multipart.support.MultipartFilter.doFilterInternal(MultipartFilter.java:118)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:195)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:91)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:967)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1107)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:87)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:940)
at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1817)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:200)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:463)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:530)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:316)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:287)
at com.ibm.io.async.AsyncChannelFuture$1.run(AsyncChannelFuture.java:205)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1881)

引起:java.security.PrivilegedActionException:org.ietf.jgss.GSSException,主要代码:13,次要代码:0     主要字符串:凭据无效     minor string:无法获取机制1.3.6.1.5.5.2的机制凭证     在java.security.AccessController.doPrivileged(AccessController.java:458)     在javax.security.auth.Subject.doAs(Subject.java:572)     atcom.fdiapp.authentication.systemuser.service.IbmJaasKerberosTicketValidator.validateTicket(IbmJaasKerberosTicketValidator.java:47)

有人可以建议我如何使上述配置可行?

或者 如何使用spn和ketab文件从协商头中检索用户,以便我可以进行身份​​验证。

1 个答案:

答案 0 :(得分:0)

也许这可能会有所帮助:

 Oid krb5MechOid    = new Oid("1.2.840.113554.1.2.2");
 Oid spnegoMechOid  = new Oid("1.3.6.1.5.5.2"); 

   System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");
   GSSManager manager = GSSManager.getInstance();
   GSSName gssUserName = manager.createName(userName, GSSName.NT_USER_NAME, krb5MechOid);
   clientGssCreds = manager.createCredential(gssUserName.canonicalize(krb5MechOid), 
                                             GSSCredential.INDEFINITE_LIFETIME, 
                                             krb5MechOid, 
                                             GSSCredential.INITIATE_ONLY);
   clientGssCreds.add (gssUserName,
                       GSSCredential.INDEFINITE_LIFETIME, 
                       GSSCredential.INDEFINITE_LIFETIME, 
                       spnegoMechOid, 
                       GSSCredential.INITIATE_ONLY);

http://www.ibm.com/support/knowledgecenter/en/SS7K4U_8.5.5/com.ibm.websphere.zseries.doc/ae/tsec_SPNEGO_token.html