Kerberos connection using HTTP client

Date: 2012-03-27 07:46:06

Tags: java authentication kerberos apache-commons-httpclient

I am writing an HTTP connection with Kerberos authentication. I get "HTTP/1.1 401 Unauthorized". Can you recommend what I should check? I think it is something small, but I don't see it.

Maybe I should set the "WWW-Authenticate" header with "Negotiate"?

Thank you very much for any help and ideas.

import java.util.ArrayList;
import java.util.List;

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.auth.params.AuthPNames;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.params.AuthPolicy;
import org.apache.http.impl.auth.NegotiateSchemeFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.util.EntityUtils;

public class ClientKerberosAuthentication {

    public static void main(String[] args) throws Exception {

        // JAAS login module config, krb5 realm/KDC config, and Kerberos debug output
        System.setProperty("java.security.auth.login.config", "login.conf");
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        System.setProperty("sun.security.krb5.debug", "true");
        // Let the GSS layer obtain credentials itself instead of requiring a pre-authenticated Subject
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        DefaultHttpClient httpclient = new DefaultHttpClient();
        try {
           // Register the SPNEGO (Negotiate) auth scheme
           NegotiateSchemeFactory nsf = new NegotiateSchemeFactory();
           httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO, nsf);

           // Scheme preference for the target server (the request goes directly to the
           // server, not through a proxy, so TARGET_AUTH_PREF applies, not PROXY_AUTH_PREF)
           List<String> authpref = new ArrayList<String>();
           authpref.add(AuthPolicy.BASIC);
           authpref.add(AuthPolicy.SPNEGO);
           httpclient.getParams().setParameter(AuthPNames.TARGET_AUTH_PREF, authpref);

           // Credentials for any host/port/realm using the SPNEGO scheme
           httpclient.getCredentialsProvider().setCredentials(
                  new AuthScope(null, -1, AuthScope.ANY_REALM, AuthPolicy.SPNEGO),
                  new UsernamePasswordCredentials("myuser", "mypass"));

           System.out.println("----------------------------------------");
           HttpUriRequest request = new HttpGet("http://localhost:8084/web-app/webdav/213/_test.docx");
           HttpResponse response = httpclient.execute(request);
           HttpEntity entity = response.getEntity();

           System.out.println("----------------------------------------");
           System.out.println(response.getStatusLine());
           System.out.println("----------------------------------------");
           if (entity != null) {
               System.out.println(EntityUtils.toString(entity));
           }
           System.out.println("----------------------------------------");

           // This ensures the connection gets released back to the manager
           EntityUtils.consume(entity);

        } finally {
           httpclient.getConnectionManager().shutdown();
        }
    }
}

3 answers:

Answer 0 (score: 3)

SPNEGO does not work because you use localhost as the host name in the URL.

Your server is configured with a set of SPNs (or at least one) starting with HTTP/, registered on an Active Directory service account. You can query them from AD with setspn -l yourServiceAccount.

Your URL must use a valid server host name that is known in Active Directory as the SPN, so that the Apache HTTP client can negotiate a TGS for this service and send it to your server.

Answer 1 (score: 1)

This is the test client I wrote in my project. This client depends on all encryption types being enabled on the JDK.

If you see the following in the logs and your keytab is encrypted with 256-bit:

default etypes for default_tkt_enctypes: 17 16 23 1 3.

then the following jar http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html needs to be downloaded and put into JDK/jre/lib/security to enable AES 256-bit encryption, after which you should see the following default etypes in the logs:

default etypes for default_tkt_enctypes: 18 17 16 23 1 3.

Utility class

import java.io.IOException;
import java.io.InputStream;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

import org.apache.commons.io.IOUtils;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthSchemeProvider;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.client.CookieStore;
import org.apache.http.client.HttpClient;
import org.apache.http.client.config.AuthSchemes;
import org.apache.http.client.config.CookieSpecs;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.config.Lookup;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.BasicCookieStore;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.cookie.BasicClientCookie;

Answer 2 (score: 0)

I ran into the same problem and just found your post. I bookmarked it so I could post an answer once I fixed it. I posted a link to my question, and someone answered it, so if anyone finds this through Google they will find the answer:

HttpClient has trouble creating the SPN for AD when the URL has a port.

See my question + answer here: HttpClient check Kerberos secured webpage. NTLM login didn't work
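A small diagnostic, added here and not taken from any of the posts, that applies the point made in answers 0 and 2: derive the SPN the client will request from the URL host (with the port stripped or kept, assumed to mirror HttpClient's SPNegoSchemeFactory stripPort option) and compare it with the SPNs that setspn -l lists. The setspn output, service account and host names are constructed.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample of what `setspn -l svc-webdav` prints; not output from the page.
SETSPN_OUTPUT = """Registered ServicePrincipalNames for CN=svc-webdav,OU=Services,DC=corp,DC=example:
        HTTP/webdav.corp.example
        HTTP/webdav
"""


def parse_setspn(text: str) -> set[str]:
    """Collect the HTTP/ SPNs from setspn -l output, lower-cased for case-insensitive matching."""
    return {line.strip().lower() for line in text.splitlines()
            if line.strip().upper().startswith("HTTP/")}


def expected_spn(url: str, strip_port: bool = True) -> str:
    """SPN the client will ask the KDC for: HTTP/<host>, or HTTP/<host>:<port> when the
    port is kept (assumption: this mirrors HttpClient's SPNegoSchemeFactory stripPort flag)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.port is not None and not strip_port:
        return f"http/{host}:{parts.port}"
    return f"http/{host}"


def check_url(url: str, registered: set[str], strip_port: bool = True) -> list[str]:
    """Return the reasons Negotiate will fail for this URL; an empty list means the SPN matches."""
    problems = []
    host = (urlsplit(url).hostname or "").lower()
    if host == "localhost" or host.endswith(".localhost"):
        problems.append("host is localhost, which can never match the service's HTTP/<fqdn> SPN")
    else:
        try:
            ip_address(host)
            problems.append("host is an IP address; SPNs are registered by host name, not address")
        except ValueError:
            pass  # a host name, as expected
    spn = expected_spn(url, strip_port)
    if spn not in registered:
        problems.append(f"{spn} is not registered (known: {', '.join(sorted(registered))})")
    return problems


if __name__ == "__main__":
    spns = parse_setspn(SETSPN_OUTPUT)
    for u in ("http://localhost:8084/web-app/webdav/213/_test.docx",
              "http://webdav.corp.example:8084/web-app/webdav/213/_test.docx"):
        print(u, "->", check_url(u, spns) or "OK")
```

Run it against the real output of setspn -l for the service account before debugging the Java side; a non-empty result means no amount of client configuration will get a ticket for that URL.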