检测到缺陷令牌(机制级别:检测到缺陷令牌(机制级别:无效的SPNEGO NegTokenTarg令牌:短读DER长度))

时间:2019-06-17 10:34:15

标签: java authentication httpclient power-bi-report-server negotiate

尝试通过协商进行身份验证时检测到缺陷令牌 而且我发现curl命令中生成的令牌以“ TIR”开头,而Java代码生成的令牌以“ YII”开头。

Curl命令可以正常卷曲-v -i --negotiate -u:“ http://server/path

System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("sun.security.jgss.debug", "true");

SpnegoClient spnegoClient = SpnegoClient.loginWithUsernamePassword("<user>", "<pwd>");

URL url = new URL("http://<server>/<path>");
SpnegoContext context =  spnegoClient.createContext(url);

HttpURLConnection conn = (HttpURLConnection) url.openConnection();
System.out.println("createToken: "+context.createTokenAsAuthroizationHeader());

conn.setRequestProperty("Authorization", context.createTokenAsAuthroizationHeader());
conn.connect();
System.out.println("ResponseCode: "+conn.getResponseCode());

输出消息:

createToken: Negotiate YIICKAYGKwYBBQUCoIICHDCCAhigDTALBgkqhkiG9xIBAgKhBAMCAXaiggH/BIIB+2CCAfcGCSqGSIb3EgECAgEAboIB5jCCAeKgAwIBBaEDAgEOogcDBQAgAAAAo4IBEmGCAQ4wggEKoAMCAQWhEhsQTFVDSURURUNIU09MLkNPTaIhMB+gAwIBAKEYMBYbBEhUVFAbDjE5Mi4xNjguMTY4LjMyo4HLMIHIoAMCAQOhAwIBCaKBuwSBuCjSsDSOucrIdDiuFNWft/MFjHqRDHHnY5s7FmGJQEOD18sABBL+gZ4ENArT65ddjmmtGLhJ8glMN8Cv8y+JDX54sUZ/IoSqot8h+VuPJsCBeEYWN+556iscViQTyiiGFao+VcVPoGUdNEUg80P4A/VZr6hs5o7qVWH88I3iv7Afn6zhxPiG1bQKBafXCluPfiMr1EN4KY2YglmV+TWQLSrBM+O+uTCTrCcMgzBcKChV14cP2KgpeWekgbYwgbOgAwIBAaKBqwSBqMREjYc0vDQ2/BqGEEqnhbBI0NQOL57e17t1uSU5cr9U5S16WLlj01f7QUNF5cZji5/K9Y+WhrwguKZqQ0ifni7pTjWwabjJVDcNLjpXzJHcNDIjSrh8KdpJu1IHYsJ8NH4SejNUbRfIAyHCl9jNAK1IhIqJ8HfrzQreyV1nG2RjA8mwZ8d/Gh+peFHSYJpi/hVXFFlngUI8AYk61k+vhiHqh/er/AoJrg==
Exception in thread "main" java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: Defective token detected (Mechanism level: Invalid SPNEGO NegTokenTarg token : Short read of DER length))
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at com.kerb4j.client.SpnegoContext.createToken(SpnegoContext.java:31)
    at com.kerb4j.client.SpnegoContext.createTokenAsAuthroizationHeader(SpnegoContext.java:41)
    at com.lucid.negotiate.App.main(App.java:60)
Caused by: GSSException: Defective token detected (Mechanism level: Defective token detected (Mechanism level: Invalid SPNEGO NegTokenTarg token : Short read of DER length))
    at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:454)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
    at com.kerb4j.client.SpnegoContext$1.run(SpnegoContext.java:34)
    at com.kerb4j.client.SpnegoContext$1.run(SpnegoContext.java:31)
    ... 5 more
Caused by: GSSException: Defective token detected (Mechanism level: Invalid SPNEGO NegTokenTarg token : Short read of DER length)
    at sun.security.jgss.spnego.NegTokenTarg.parseToken(NegTokenTarg.java:192)
    at sun.security.jgss.spnego.NegTokenTarg.<init>(NegTokenTarg.java:75)
    at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:350)
    ... 9 more

1 个答案:

答案 0 :(得分:0)

GSS数据(编码为Base64)以

开头
  • “ YII”使用Kerberos作为SPNEGO子机制。
  • “ TIR”使用NTLM作为SPNEGO子机制。

即CURL建议在您的Java客户端尝试使用Kerberos时将NTLM作为首选机制。