Finatra Web服务器具有Kerberos身份验证的HTTP / Spnego

时间:2018-06-24 21:46:37

标签: scala security kerberos spnego finatra

我尝试将Spnego与Finatra Web服务器一起使用,但没有成功。

这是我的GitHub项目:https://github.com/glegoux/spnego-server-finatra

使用Wireshk:

enter image description here

错误:KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN

我的服务器日志:

...
Debug is  true  
storeKey true useTicketCache false useKeyTab true 
doNotPrompt true ticketCache is null 
isInitiator false KeyTab is /tmp/spnego-server.keytab 
refreshKrb5Config is true principal is HTTP/spnego-server@EXAMPLE.COM 
tryFirstPass is false 
useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Java config name: krb5.conf
Loaded from Java config
>>> KdcAccessibility: reset
>>> KdcAccessibility: reset
principal is HTTP/spnego-server@EXAMPLE.COM
Will use keytab
Commit Succeeded 

Found KeyTab /tmp/spnego-server.keytab for HTTP/spnego-server@EXAMPLE.COM
Found KeyTab /tmp/spnego-server.keytab for HTTP/spnego-server@EXAMPLE.COM
Found KeyTab /tmp/spnego-server.keytab for HTTP/spnego-server@EXAMPLE.COM
Found KeyTab /tmp/spnego-server.keytab for HTTP/spnego-server@EXAMPLE.COM
Entered SpNegoContext.acceptSecContext with state=STATE_NEW
SpNegoContext.acceptSecContext: receiving token = a0 82 03 be 30 82 03 ba ...
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.5.2.5
SpNegoToken NegTokenInit: reading Mech Token
SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
SpNegoContext.acceptSecContext: mechanism wanted = null
SpNegoContext.acceptSecContext: negotiated result = REJECT
SpNegoContext.acceptSecContext: sending token of type = SPNEGO NegTokenTarg
SpNegoContext.acceptSecContext: sending token = a1 07 30 05 a0 03 0a 01 02 
The underlying mechanism context has not been initialized
[UnboundedFuturePool-2] INFO SpnegoFilter - Client principal: null
...

当我检查我的凭据时,没有HTTP/spnego-server@EXAMPLE.COM的票证授予服务(TGS):

$ klist -fe
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: bob@EXAMPLE.COM

Valid starting       Expires              Service principal
24/06/2018 21:17:20  25/06/2018 07:17:20  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 25/06/2018 21:17:18, Flags: FPRIA
    Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1

JAAS config
krb5 config

spnego服务器密钥标签:

klist -kte /tmp/spnego-server.keytab
Keytab name: FILE:/tmp/spnego-server.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 06/25/18 06:27:43 HTTP/spnego-server@EXAMPLE.COM (des3-cbc-sha1)

你知道为什么吗?

1 个答案:

答案 0 :(得分:0)

它有效;)。我已修复帖子,但在HTTP/spnego-server.example.com@EXAMPLE.COM为HTTP/spnego-server@EXAMPLE.COM且没有后缀.example.com之前,主体名称是正确的。

相关问题
最新问题