如果Kerberos身份验证失败(例如,客户端不在域中),如何启用回退到基本身份验证?在下面的配置下,不会出现浏览器身份验证窗口,并且会引发以下异常:
org.springframework.security.authentication.BadCredentialsException: Kerberos validation not successful
org.ietf.jgss.GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
我的WebSecurityConfigurerAdapter实现的相关部分:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.exceptionHandling()
.authenticationEntryPoint(spnegoEntryPoint())
.and()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.logout()
.permitAll()
.and()
.addFilterBefore(
spnegoAuthenticationProcessingFilter(),
BasicAuthenticationFilter.class);
}
@Bean
public SpnegoEntryPoint spnegoEntryPoint() {
return new SpnegoEntryPoint("/");
}
@Bean
public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter() {
SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
try {
filter.setAuthenticationManager(authenticationManagerBean());
} catch (Exception e) {
log.error("Failed to set AuthenticationManager on SpnegoAuthenticationProcessingFilter.", e);
}
return filter;
}