SSO authentication using WebLogic 12 + SPNEGO + Kerberos + LDAP

Time: 2018-08-06 18:48:49

Tags: single-sign-on kerberos weblogic12c spnego

I have an EE application I am working on, and I am trying to implement SSO on a Windows network using the SPNEGO provider, connecting to Windows Active Directory through a multi-tenant WebLogic Server (12.2.1.2). The SPNEGO provider is configured and appears to work correctly with Active Directory. I created a small application in a WAR containing one servlet that should display the login information on screen if authentication succeeds.

The problem I am running into is that, looking at the log file from the server, authentication succeeds, but once I have been authenticated via SPNEGO the server fails to forward me on. I can see where the SPNEGO token is passed, it is used to authenticate me, and it even picks up all of my groups from Active Directory.

Here is the web.xml of the test application

<context-param>
    <param-name>javax.faces.PROJECT_STAGE</param-name>
    <param-value>Development</param-value>
</context-param>
<servlet>
    <servlet-name>AuthSimpleTestServlet</servlet-name>
    <servlet-class>functional.test.SimpleTestServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>AuthSimpleTestServlet</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<security-role>
    <description>Admin Role</description>
    <role-name>DEV_ADMIN</role-name>
</security-role>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>secured pages</web-resource-name>
        <url-pattern>/*</url-pattern>
        <url-pattern>/</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>DEV_ADMIN</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>myrealm</realm-name>
</login-config>
<session-config>
    <session-timeout>
        30
    </session-timeout>
</session-config>
<welcome-file-list>
     <welcome-file>/AuthSimpleTestServlet</welcome-file>
</welcome-file-list>

weblogic.xml

<security-role-assignment>
    <role-name>DEV_ADMIN</role-name>
    <principal-name>@APP_DEV_ADMIN</principal-name>
    <principal-name>APP_DEV_ADMIN</principal-name>
</security-role-assignment>

I can see where the principals are added to the Subject. (This is not a JS snippet; it is marked that way for formatting purposes.)

<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <login succeeded for username DCConway> 
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login delegated, returning true> 
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.commit> 
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <LDAP Atn Commit> 
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <LDAP Atn Principals Added> 
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.commit delegated, returning true> 
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login logged in> 
<Aug 6, 2018, 1:48:15,492 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login subject=Subject:
	Principal: DCConway
	Principal: @APP_DEV_ADMIN
	Principal: APP_DEV_ADMIN

Even though everything appears to work, I still get a 403 Forbidden error when trying to access the servlet. [screenshot]

The request header appears to carry the correct token. [screenshot]

I hope someone can help me figure out what the problem is and how to fix it.

Below are some copied sections of the log file for review; it contains a large amount of log information. Server names etc. have been changed.

<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <PrincipalAuthenticator.assertIdentity using common security> 
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <weblogic.security.service.WLSIdentityAssertionServiceWrapper.assertIdentity> 
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.IdentityAssertionServiceImpl.assertIdentity(Authorization)> 
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.IdentityAssertionTokenServiceImpl.assertIdentity(Authorization)> 
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.IdentityAssertionTokenServiceImpl.assertIdentity - IdentityAssertionException> 
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <WebAppIdentityAssertion> <BEA-000000> <Permission check failed for weblogic.servlet.internal.ServletRequestImpl@11524151[
GET /STIP_Ken/SPNEGO_TEST HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Referer: http://os-serv-li-env800.os.comapny.com:7005/console/console.portal?_nfpb=true&_pageLabel=WebAppApplicationTestingPage&handle=com.bea.console.handles.AppDeploymentHandle%28%22com.bea%3AName%3DSPNEGO_TEST%2CType%3DAppDeployment%2CPartition%3Dken_partition%2CResourceGroup%3DPartitionResourceGroup-ken%22%29
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate, peerdist
DNT: 1
Connection: Keep-Alive
Authorization: *
X-P2P-PeerDist: Version=1.1
X-P2P-PeerDistEx: MinContentInformation=1.0, MaxContentInformation=2.0

]> 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <NegotiateIdentityAsserterServiceImpl.process() called> 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <CERT auth type found for webapp> 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <All request headers:> 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <  Header: Accept : text/html, application/xhtml+xml, image/jxr, */*> 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <  Header: Referer : http://os-serv-li-env800.os.comapny.com:7005/console/console.portal?_nfpb=true&_pageLabel=WebAppApplicationTestingPage&handle=com.bea.console.handles.AppDeploymentHandle%28%22com.bea%3AName%3DSPNEGO_TEST%2CType%3DAppDeployment%2CPartition%3Dken_partition%2CResourceGroup%3DPartitionResourceGroup-ken%22%29> 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <  Header: Accept-Language : en-US> 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <  Header: User-Agent : Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko> 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <  Header: Accept-Encoding : gzip, deflate, peerdist> 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <  Header: Host : os-serv-li-env800.os.comapny.com:7027> 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <  Header: DNT : 1> 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <  Header: Connection : Keep-Alive> 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <  Header: Cookie : JSESSIONID=bVMQKy4C_QQlGvaTKZUwkiEsW2tVrTRkQ_A4yU_vGb22z85hWfEV!1153673829; ADMINCONSOLESESSION=F2UQTg7hP-Xz-h9kpjTkEPLp4hdHnKSKLqnupTfTl4HxVZ9eEIAi!-803667715> 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <  Header: Authorization : Negotiate YIILBAYGKwYBBQUCoIIK+DCCCvS... 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <  Header: X-P2P-PeerDist : Version=1.1> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <  Header: X-P2P-PeerDistEx : MinContentInformation=1.0, MaxContentInformation=2.0> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: SPNEGO static oid     0: 0606 2b06 0105 0502                       ..+.....        
> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: SPNEGO in oid     0: 0606 2b06 0105 0502                       ..+.....        
> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Neg token found> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: len of neg token 2808> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: sequence found> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: len of sequence token 2804> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: choice is 160> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: len of mech type 48> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: len of mech type seq 46> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: mech type offset 24> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <mech type token 
   16:                     0609 2a86 4882 f712           ..*.H...
   more lines...

<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech list oid 1.2.840.48018.1.2.2> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech list oid 1.2.840.113554.1.2.2> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech list oid 1.3.6.1.4.1.311.2.2.30> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech list oid 1.3.6.1.4.1.311.2.2.10> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech token len 2750> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech token 
    0: 6082 0ab6 0609 2a86 4886 f712 0102 0201   `.....*.H.......
   16: 006e 820a a530 820a a1a0 0302 0105 a103   .n...0..........
   more lines..
   
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <Found Negotiate with SPNEGO token> 
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <Negotiate filter: new session, no negotiation has started> 
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.ChallengeIdentityAssertionServiceImpl.assertChallengeIdentity(Authorization.Negotiate)> 
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl.assertChallengeIdentity(Authorization.Negotiate)> 
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.assertChallengeIdentity(Authorization.Negotiate)> 
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.JAASIdentityAssertionConfigurationServiceImpl.getAppConfigurationEntry(com.sun.security.jgss.krb5.accept)> 
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is cglims_mt_dev.keytab refreshKrb5Config is false principal is HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
default etypes for default_tkt_enctypes: 18.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000, number of retries =3, #bytes=175
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000,Attempt =1, #bytes=175
>>> KrbKdcReq send: #bytes read=220
>>>Pre-Authentication Data:
	 PA-DATA type = 19
	 PA-ETYPE-INFO2 etype = 18, salt = MAIN.ADS.COMAPNY.COMHTTPos-serv-li-env800.os.comapny.com, s2kparams = null

>>>Pre-Authentication Data:
	 PA-DATA type = 2
	 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
	 PA-DATA type = 16

>>>Pre-Authentication Data:
	 PA-DATA type = 15

>>> KdcAccessibility: remove os-vd-m-009
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
	 sTime is Mon Aug 06 13:48:15 EDT 2018 1533577695000
	 suSec is 67734
	 error code is 25
	 error Message is Additional pre-authentication required
	 sname is krbtgt/ MAIN.ADS.COMAPNY.COM@MAIN.ADS.COMAPNY.COM
	 eData provided.
	 msgType is 30
>>>Pre-Authentication Data:
	 PA-DATA type = 19
	 PA-ETYPE-INFO2 etype = 18, salt = MAIN.ADS.COMAPNY.COMHTTPos-serv-li-env800.os.comapny.com, s2kparams = null

>>>Pre-Authentication Data:
	 PA-DATA type = 2
	 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
	 PA-DATA type = 16

>>>Pre-Authentication Data:
	 PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 18.
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
default etypes for default_tkt_enctypes: 18.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000, number of retries =3, #bytes=264
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000,Attempt =1, #bytes=264
>>> KrbKdcReq send: #bytes read=106
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com TCP:88, timeout=30000, number of retries =3, #bytes=264
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com TCP:88, timeout=30000,Attempt =1, #bytes=264
>>>DEBUG: TCPClient reading 1923 bytes
>>> KrbKdcReq send: #bytes read=1923
>>> KdcAccessibility: remove os-vd-m-009
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/os-serv-li-env800.os.comapny.com
principal is HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Will use keytab
Commit Succeeded 

Found KeyTab cglims_mt_dev.keytab for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found ticket for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM to go to krbtgt/ MAIN.ADS.COMAPNY.COM@MAIN.ADS.COMAPNY.COM expiring on Mon Aug 06 23:48:15 EDT 2018
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 18 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
MemoryCache: add 1533577695/003265/F340CA7D6DD3AB5499310326FEBE8EA9/DCConway@MAIN.ADS.COMAPNY.COM to DCConway@MAIN.ADS.COMAPNY.COM|HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
MemoryCache: Existing AuthList:
#1: 1533574589/003195/3E34B0B548DBF2570B1E8140F1C0CBCD/DCConway@MAIN.ADS.COMAPNY.COM

>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 1542758160
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 241351631
<Aug 6, 2018, 1:48:15,346 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <gssContext isEstablished true> 
<Aug 6, 2018, 1:48:15,346 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <Out token 

.................

<Aug 6, 2018, 1:48:15,346 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <GSS name is DCConway@MAIN.ADS.COMAPNY.COM> 
<Aug 6, 2018, 1:48:15,346 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <User name is DCConway> 
>>> Constrained deleg from GSSCaller{UNKNOWN}
<Aug 6, 2018, 1:48:15,346 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.JAASIdentityAssertionConfigurationServiceImpl.getAppConfigurationEntry(com.sun.security.jgss.krb5.accept)> 
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is cglims_mt_dev.keytab refreshKrb5Config is false principal is HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
default etypes for default_tkt_enctypes: 18.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000, number of retries =3, #bytes=175
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000,Attempt =1, #bytes=175
>>> KrbKdcReq send: #bytes read=220
>>>Pre-Authentication Data:
	 PA-DATA type = 19
	 PA-ETYPE-INFO2 etype = 18, salt = MAIN.ADS.COMAPNY.COMHTTPos-serv-li-env800.os.comapny.com, s2kparams = null

>>>Pre-Authentication Data:
	 PA-DATA type = 2
	 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
	 PA-DATA type = 16

>>>Pre-Authentication Data:
	 PA-DATA type = 15

>>> KdcAccessibility: remove os-vd-m-009
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
	 sTime is Mon Aug 06 13:48:15 EDT 2018 1533577695000
	 suSec is 67734
	 error code is 25
	 error Message is Additional pre-authentication required
	 sname is krbtgt/ MAIN.ADS.COMAPNY.COM@MAIN.ADS.COMAPNY.COM
	 eData provided.
	 msgType is 30
>>>Pre-Authentication Data:
	 PA-DATA type = 19
	 PA-ETYPE-INFO2 etype = 18, salt = MAIN.ADS.COMAPNY.COMHTTPos-serv-li-env800.os.comapny.com, s2kparams = null

>>>Pre-Authentication Data:
	 PA-DATA type = 2
	 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
	 PA-DATA type = 16

>>>Pre-Authentication Data:
	 PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 18.
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
default etypes for default_tkt_enctypes: 18.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000, number of retries =3, #bytes=264
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000,Attempt =1, #bytes=264
>>> KrbKdcReq send: #bytes read=106
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com TCP:88, timeout=30000, number of retries =3, #bytes=264
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com TCP:88, timeout=30000,Attempt =1, #bytes=264
>>>DEBUG: TCPClient reading 1923 bytes
>>> KrbKdcReq send: #bytes read=1923
>>> KdcAccessibility: remove os-vd-m-009
Looking for keys for: HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Found unsupported keytype (1) for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/os-serv-li-env800.os.comapny.com
principal is HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM
Will use keytab
Commit Succeeded 

Found ticket for HTTP/ os-serv-li-env800.os.company.com@MAIN.ADS.COMAPNY.COM to go to krbtgt/ MAIN.ADS.COMAPNY.COM@MAIN.ADS.COMAPNY.COM expiring on Mon Aug 06 23:48:15 EDT 2018
<Aug 6, 2018, 1:48:15,359 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <delegate state is true, acquire delegated credential...> 
<Aug 6, 2018, 1:48:15,359 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <Username was found, setting up callbackhandler> 

...........

<Aug 6, 2018, 1:48:15,503 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user DCConway, Identity=Subject: 46

1 answer:

Answer 0: (score: 0)

Try removing this tag from your web.xml file: / A 403 error can occur if the security constraint is not configured correctly.