我遇到SPNEGO TOMCAT 7配置问题:我按照本指南进行设置:
这是我的krb5.conf
[libdefaults]
default_realm=lctr.corp
default_keytab_name="C:/tomcat/conf/tomcat.keytab"
default_tkt_enctypes=aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tgs_enctypes=aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
forwardable=true
[realms]
LCTR.CORP={
kdc=AQPINF02.lctr.corp:88
}
[domain_realm]
lctr.corp=LCTR.CORP
.lctr.corp=LCTR.CORP
我的jaas.conf
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule
required
doNotPrompt=true
principal="HTTP/TTS04.lctr.corp@LCTR.CORP"
keyTab="C:/tomcat/conf/tomcat.keytab"
storeKey=true
useKeyTab=true
useTicketCache=true
isInitiator=true
refreshKrb5Config=true
moduleBanner=true
storePass=true
debug=true
moduleBanner=true;
};
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule
required
doNotPrompt=true
principal="HTTP/TTS04.lctr.corp@LCTR.CORP"
keyTab="C:/tomcat/conf/tomcat.keytab"
storeKey=true
useKeyTab=true
useTicketCache=true
isInitiator=true
refreshKrb5Config=true
moduleBanner=true
storePass=true
debug=true
debug=true
moduleBanner=true;
};
现在在Tomcat:
的web.xml
<login-config>
<auth-method>SPNEGO</auth-method>
</login-config>
<security-role>
<description>Users</description>
<role-name>Users</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>User Area</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Users</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
server.xml中
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://AQPINF02.lctr.corp:3268"
userSubtree="true"
userBase="DC=lctr,DC=corp"
userSearch="(sAMAccountName={0})"
userRoleName="memberOf"
roleBase="DC=lctr,DC=corp"
roleName="cn"
roleSearch="(member={0})"
roleSubtree="true"
roleNested="true"/>
<Host name="localhost" appBase="webapps">
<Context docBase="ROOT.war" path="">
<Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"
storeDelegatedCredential="true" />
</Context>
</Host>
</Engine>
我在AD服务器中设置SPN,首先我的用户是“devl-ast”,配置后变为“HTTP / TTS04.lctr.corp”(我启动tomcat 7时使用此用户名登录)
当我启动tomcat并尝试访问“tts04.lctr.corp:8095”时出现登录窗口(我按照我说的HTTP / TTS04.lctr.corp和密码),但这里出现异常是日志< / p>
SEVERE: Exception performing authentication
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090748, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580 ]; remaining name 'DC=lctr,DC=corp'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
at javax.naming.directory.InitialDirContext.search(Unknown Source)
at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1709)
at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1545)
at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1473)
at org.apache.catalina.realm.JNDIRealm.getPrincipal(JNDIRealm.java:2379)
at org.apache.catalina.realm.JNDIRealm.getPrincipal(JNDIRealm.java:2295)
at org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:581)
at org.apache.catalina.authenticator.SpnegoAuthenticator$AuthenticateAction.run(SpnegoAuthenticator.java:352)
at org.apache.catalina.authenticator.SpnegoAuthenticator$AuthenticateAction.run(SpnegoAuthenticator.java:337)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:251)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:577)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:452)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Unknown Source)
ene 20, 2017 10:02:45 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Failed authenticate() test
我的配置错误,请帮助我。