JDBC Kerberos Oracle authentication

Time: 2017-02-23 12:49:30

Tags: java oracle kerberos

Using this example, I almost got my connection working:

http://blogs.nologin.es/rickyepoderi/index.php?/archives/105-Oracle-Driver-and-Kerberos.html

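But after enabling the Kerberos cache and debugging, my principal name is obtained correctly and the credentials succeed, and then an error related to the ticket appears.

The ticket was generated with okinit (Oracle's kinit, from Oracle 12).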

Exception in thread "main" java.sql.SQLRecoverableException: Error de E/S: The service in process is not supported. Failure unspecified at GSS-API level (Mechanism level: Generic error (description in e-text) (60) - ASN.1 unexpected field number)
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:743)
    at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:666)
    at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:32)
    at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:566)
    at java.sql.DriverManager.getConnection(DriverManager.java:571)
    at java.sql.DriverManager.getConnection(DriverManager.java:187)
    at JdbcThin.main(JdbcThin.java:39)
Caused by: oracle.net.ns.NetException: The service in process is not supported. Failure unspecified at GSS-API level (Mechanism level: Generic error (description in e-text) (60) - ASN.1 unexpected field number)
    at oracle.net.ano.AuthenticationService.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:415)
    at oracle.net.ano.AuthenticationService.e(Unknown Source)
    at oracle.net.ano.Ano.negotiation(Unknown Source)
    at oracle.net.ns.NSProtocol.connect(NSProtocol.java:293)
    at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1452)
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:496)
    ... 6 more
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Generic error (description in e-text) (60) - ASN.1 unexpected field number)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:710)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
    ... 14 more
Caused by: KrbException: Generic error (description in e-text) (60) - ASN.1 unexpected field number
    at sun.security.krb5.KrbApRep.<init>(KrbApRep.java:126)
    at sun.security.krb5.KrbApRep.<init>(KrbApRep.java:102)
    at sun.security.krb5.KrbApRep.<init>(KrbApRep.java:75)
    at sun.security.jgss.krb5.AcceptSecContextToken.<init>(AcceptSecContextToken.java:89)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:696)
    ... 16 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.APRep.init(APRep.java:92)
    at sun.security.krb5.internal.APRep.<init>(APRep.java:75)
    at sun.security.krb5.KrbApRep.<init>(KrbApRep.java:116)
    ... 20 more

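I am using Java 7, but using another one is no problem. Is there a way to read the ticket correctly with the JVM? (Note that the JDK's kinit does not create a correct ticket either.)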

1 answer:

Answer 0 (score: 0)

I'm sharing this code, which has been working for me. Did you set the location of the Kerberos cache file?

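import java.sql.Connection;
import java.util.Properties;
import oracle.jdbc.OracleConnection;
import oracle.jdbc.OracleDriver;
import oracle.net.ano.AnoServices;

// Placeholder connect string: substitute your own host, port and service name.
String url = "jdbc:oracle:thin:@//<db-host>:<port>/<service-name>";

OracleDriver driver = new OracleDriver();
Properties prop = new Properties();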

prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_SERVICES,
  "("+AnoServices.AUTHENTICATION_KERBEROS5+")");  
prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_KRB5_MUTUAL,
  "true");    

/* If you get the following error [Unable to obtain Principal Name for 
 * authentication] although you know that you have the right TGT in your
 * credential cache, then it's probably because the JVM can't locate your
 * cache.
 * For example, here my credential cache is
 *        C:\Documents and Settings\Jean de Lavarene\krb5cc
 * because when I run klist I get the following:
 *   > ./klist
 *   Ticket cache: FILE:C:\Documents and Settings\Jean de Lavarene\krb5cc
 *   Default principal: client@US.ORACLE.COM
 *
 *   Valid starting     Expires            Service principal
 *   06/21/16 13:23:02  06/21/16 23:23:02  krbtgt/US.ORACLE.COM@US.ORACLE.COM
 *   renew until 06/21/16 13:23:02
 * This isn't the default location, so I need to provide the location. Note
 * that the default location on windows is "C:\Documents and Settings\krb5cc_username".
 */
prop.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_KRB5_CC_NAME,
  "C:\\Documents and Settings\\Jean de Lavarene\\krb5cc");
Connection conn  = driver.connect(url,prop);
String auth = ((OracleConnection)conn).getAuthenticationAdaptorName();
System.out.println("Authentication adaptor="+auth);
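
A pre-flight check for the cache-location point in the answer above, as an added example that is not part of the original answer: it reads the header of a FILE-type credential cache and prints the default principal, confirming that the JVM process can open the file the driver is pointed at. The class name CcachePreflight is hypothetical, the parser assumes the MIT ccache file format versions 3 and 4, and the sample principal client@EXAMPLE.COM is constructed.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;

// Added example (hypothetical class name): pre-flight check of a FILE: credential cache.
public class CcachePreflight {
    // Returns the cache's default principal, the value klist prints as "Default principal".
    static String defaultPrincipal(InputStream raw) throws IOException {
        DataInputStream in = new DataInputStream(raw);    // ccache v3/v4 fields are big-endian
        int magic = in.readUnsignedByte(), version = in.readUnsignedByte();
        if (magic != 5 || (version != 3 && version != 4))
            throw new IOException("not a v3/v4 FILE ccache: " + magic + "," + version);
        if (version == 4)                                 // v4 adds a length-prefixed header
            in.readFully(new byte[in.readUnsignedShort()]);
        in.readInt();                                     // principal name type, unused here
        int components = in.readInt();
        if (components < 1 || components > 16) throw new IOException("bad component count");
        String realm = readCounted(in);
        StringBuilder name = new StringBuilder();
        for (int i = 0; i < components; i++)
            name.append(i > 0 ? "/" : "").append(readCounted(in));
        return name + "@" + realm;
    }

    private static String readCounted(DataInputStream in) throws IOException {
        int len = in.readInt();
        if (len < 0 || len > 1024) throw new IOException("implausible field length " + len);
        byte[] buf = new byte[len];
        in.readFully(buf);
        return new String(buf, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws IOException {
        // Constructed v4 cache header for client@EXAMPLE.COM, used when no path is given.
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bytes);
        out.write(new byte[] {5, 4, 0, 0});               // version 0x0504, empty header
        out.writeInt(1); out.writeInt(1);                 // name type, one component
        out.writeInt(11); out.writeBytes("EXAMPLE.COM");
        out.writeInt(6); out.writeBytes("client");
        // With an argument, read the same cache path you give to the driver.
        try (InputStream in = args.length == 1 ? Files.newInputStream(Paths.get(args[0]))
                : new ByteArrayInputStream(bytes.toByteArray())) {
            System.out.println("Default principal: " + defaultPrincipal(in));
        }
    }
}
```

Run it as the same OS user and with the same JVM as the JDBC client, so that file permissions and path resolution match what the driver will see.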