我有一个带有keytab文件的spring security kerberos设置。文件上传操作完成后,我收到连接重置错误。仅当文件大小大于2MB时才会发生。当关闭spring安全性时,我可以上传大于2MB的文件。
我对基于SPNEGO的认证的理解如下。
典型的请求将在协商重定向后在标头中发送kerberos身份验证令牌。 这些失败的请求在标头中没有令牌,这意味着协商阶段没有开始。
是否需要为文件上传设置或删除任何其他标头? 2mb限制在哪里?我看到Jboss有一个max-post参数,但是当删除安全性时上传工作正常。
环境:Jboss EAP 6.4.16(10台服务器无状态),JVM 1.7,RHEL 6.前面没有Web服务器。
请求失败的标题 -
Provisional headers are shown
Accept:application/json, text/javascript, */*; q=0.01
Content-Type:multipart/form-data; boundary=----WebKitFormBoundaryeb4P029q02XzceLA
Origin:xxxxx
Referer:http://xxxxxxxxxxxxxxx.html?xxxxxxxxxxxx
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/43.0.2357.130 Safari/537.36
X-Requested-With:XMLHttpRequest
------WebKitFormBoundaryeb4P029q02XzceLA
Content-Disposition: form-data; name="entry"; filename="test.pdf"
Content-Type: application/pdf
------WebKitFormBoundaryeb4P029q02XzceLA--
代码部分:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Value("${auth.keytab.url}")
private Resource keyTabLocation;
private static final String SECURITY_ACCESS_ROLE = "isFullyAuthenticated() and hasRole('SOME_ROLE')";
@Override
protected void configure(HttpSecurity http) throws Exception {
// Please dont format this section
// Some eclipse version may not support below formatter off.
// @formatter:off
HttpSecurity httpSecurity =
//default response headers disabled to aid xframe
http.headers().disable().csrf().disable()
// csrf disabled to facilitate non-browser calls
.httpBasic().authenticationEntryPoint(spnegoEntryPoint())
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests().antMatchers("/**")
.access(SECURITY_ACCESS_ROLE).anyRequest().authenticated()
.and();
httpSecurity
.addFilterBefore(
spnegoAuthenticationProcessingFilter(authenticationManagerBean()),
BasicAuthenticationFilter.class);
// @formatter:on
// Please dont format this section
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers(ignoreSecurity.split(","));
}
@Override
protected void configure(AuthenticationManagerBuilder auth)
throws Exception {
auth.authenticationProvider(kerberosServiceAuthenticationProvider());
}
@Bean(name = "authenticationManager")
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
@Scope("prototype")
public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
ticketValidator.setServicePrincipal(servicePrincipal);
ticketValidator.setKeyTabLocation(keyTabLocation);
ticketValidator.setDebug(true);
return ticketValidator;
}
@Bean
@Scope("prototype")
public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
provider.setTicketValidator(ticketValidator);
provider.setUserDetailsService(kerberosUserDetailsService());
return provider;
}
@Bean
public UserDetailsService kerberosUserDetailsService() {
return new KerberosUserDetailsService();
}
@Bean
public UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> userDetailsByNameServiceWrapper() {
UserDetailsService userDetailsService = cookieUserDetailsService();
return new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(userDetailsService);
}
@Bean
public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
AuthenticationManager authenticationManager) {
SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
filter.setAuthenticationManager(authenticationManager);
return filter;
}
@Bean
public SpnegoEntryPoint spnegoEntryPoint() {
return new SpnegoEntryPoint();
}
}