How do I configure Kerberos on a Tomcat / Linux server?

I am trying to set up Kerberos authentication in a Java web app running on Tomcat on Linux. I am using the Spring Security Kerberos extension. I am using:

  • JDK 1.7u75
  • spring-security-kerberos 1.0.0.RELEASE
  • MS Active Directory

On my local development machine (Windows) everything works fine. After deploying the application to a Linux machine, however, authentication no longer works. I strongly suspect something is wrong with my Kerberos configuration:

 [libdefaults]
     default_realm = INT.MYCOMPANY.DE
     ccache_type=4
     kdc_tymesync=1
     forwardable=true
     proxiable=true

 [realms]
     INT.MYCOMPANY.DE = {
         admin_server = xyz.mycompany.de
         kdc = xyz.mycompany.de
     }

 [domain_realm]
     .INT.MYCOMPANY.DE = INT.MYCOMPANY.DE
     int.mycompany.de = INT.MYCOMPANY.DE
     .int.mycompany.de = INT.MYCOMPANY.DE
     .mycompany.de = INT.MYCOMPANY.DE
     mycompany.de = INT.MYCOMPANY.DE

 [logging]
     #kdc = console

(server and realm names have been changed)

Spring Security configuration:

 <?xml version="1.0" encoding="UTF-8"?>
 <beans:beans xmlns="http://www.springframework.org/schema/security"
     xmlns:beans="http://www.springframework.org/schema/beans"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:context="http://www.springframework.org/schema/context"
     xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
         http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

     <context:property-placeholder location="file:${externalPropertiesPath}/edlgui.properties" />

     <authentication-manager alias="authenticationManager">
         <authentication-provider ref="kerberosAuthenticationProvider" />
     </authentication-manager>

     <http use-expressions="true">
         <intercept-url pattern="/login.jsp" access="permitAll" />
         <intercept-url pattern="/admin/**" access="hasRole('${edl.gui.authorization.requiredrole}')" />
         <form-login login-page="/login.jsp" username-parameter="username" password-parameter="password" default-target-url="/admin"/>
         <logout logout-url="/logout" logout-success-url="/login.jsp" />
         <http-basic />
         <access-denied-handler ref="edlGuiAccessDeniedHandler"/>
     </http>

     <beans:bean id="edlGuiAccessDeniedHandler" class="edl.security.EdlGuiAccessDeniedHandler">
         <beans:constructor-arg value="/login.jsp"/>
     </beans:bean>

     <beans:bean id="kerberosAuthenticationProvider" class="org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider">
         <beans:property name="kerberosClient">
             <beans:bean class="org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient">
                 <beans:property name="debug" value="false" />
             </beans:bean>
         </beans:property>
         <!-- TODO replace dummy user service -->
         <beans:property name="userDetailsService" ref="ldapUserDetailsService" />
     </beans:bean>

     <beans:bean class="org.springframework.security.kerberos.authentication.sun.GlobalSunJaasKerberosConfig">
         <beans:property name="debug" value="false" />
         <!-- externalPropertiesPath path = /opt/pksvc/tomcat/current/conf -->
         <beans:property name="krbConfLocation" value="file:${externalPropertiesPath}/krb5.conf"/>
     </beans:bean>

     <!-- Get User Details via LDAP -->
     <!-- It would be nice to do this via Kerberos, however that requires a keytab -->
     <ldap-user-service id="ldapUserDetailsService" server-ref="activeDirectoryLdap"
         user-search-base="${edl.gui.ldap.usersearchbase}"
         user-search-filter="${edl.gui.ldap.usersearchfilter}"
         group-search-base="${edl.gui.ldap.groupsearchbase}"
         group-role-attribute="${edl.gui.ldap.grouproleattribute}"
         group-search-filter="${edl.gui.ldap.groupsearchfilter}"
         user-details-class="person"/>

     <ldap-server id="activeDirectoryLdap" url="${edl.gui.ldap.url}"
         manager-dn="${edl.gui.ldap.managerdn}" manager-password="${edl.gui.ldap.managerpw}"
         root="${edl.gui.ldap.root}"/>
 </beans:beans>

The only thing I see in the Kerberos debug output when I try to log in is:

 Java config name: file:/opt/pksvc/tomcat/current/conf/krb5.conf
 getRealmFromDNS: trying mycompany.de

(I expected to see "KrbAsReq creating message" and "KrbKdcReq send" entries)

And from Spring:

 2015-08-04 10:07:42.986 DEBUG ossecurity.web.FilterChainProxy - /j_spring_security_check at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
 2015-08-04 10:07:42.986 DEBUG osswcHttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
 2015-08-04 10:07:42.986 DEBUG osswcHttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@64656737. A new one will be created.
 2015-08-04 10:07:42.986 DEBUG ossecurity.web.FilterChainProxy - /j_spring_security_check at position 2 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
 2015-08-04 10:07:42.986 DEBUG ossecurity.web.FilterChainProxy - /j_spring_security_check at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
 2015-08-04 10:07:42.987 DEBUG ossecurity.web.FilterChainProxy - /j_spring_security_check at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
 2015-08-04 10:07:42.987 DEBUG osswaUsernamePasswordAuthenticationFilter - Request is to process authentication
 2015-08-04 10:07:42.987 DEBUG ossauthentication.ProviderManager - Authentication attempt using org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider
 2015-08-04 10:07:42.987 DEBUG osskasun.SunJaasKerberosClient - Trying to authenticate KieselGun with Kerberos
 2015-08-04 10:07:42.993 DEBUG osswaUsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Kerberos authentication failed
 2015-08-04 10:07:42.993 DEBUG osswaUsernamePasswordAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
 2015-08-04 10:07:42.993 DEBUG osswaUsernamePasswordAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@72f106b0
 2015-08-04 10:07:42.993 DEBUG osswaSimpleUrlAuthenticationFailureHandler - Redirecting to /login.jsp
 2015-08-04 10:07:42.993 DEBUG ossweb.DefaultRedirectStrategy - Redirecting to '/edl-gui/login.jsp'
 2015-08-04 10:07:42.993 DEBUG osswcHttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
 2015-08-04 10:07:42.994 DEBUG osswcSecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
 2015-08-04 10:07:43.042 DEBUG ossecurity.web.FilterChainProxy - /login.jsp at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
 2015-08-04 10:07:43.043 DEBUG osswcHttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
 2015-08-04 10:07:43.043 DEBUG osswcHttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@64656737. A new one will be created.
 2015-08-04 10:07:43.043 DEBUG ossecurity.web.FilterChainProxy - /login.jsp at position 2 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
 2015-08-04 10:07:43.043 DEBUG ossecurity.web.FilterChainProxy - /login.jsp at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
 2015-08-04 10:07:43.043 DEBUG ossecurity.web.FilterChainProxy - /login.jsp at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
 2015-08-04 10:07:43.043 DEBUG ossecurity.web.FilterChainProxy - /login.jsp at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
 2015-08-04 10:07:43.043 DEBUG ossecurity.web.FilterChainProxy - /login.jsp at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
 2015-08-04 10:07:43.044 DEBUG osswsDefaultSavedRequest - pathInfo: both null (property equals)
 2015-08-04 10:07:43.044 DEBUG osswsDefaultSavedRequest - queryString: both null (property equals)
 2015-08-04 10:07:43.044 DEBUG osswsDefaultSavedRequest - requestURI: arg1=/edl-gui/admin; arg2=/edl-gui/login.jsp (property not equals)
 2015-08-04 10:07:43.044 DEBUG osswsHttpSessionRequestCache - saved request doesn't match
 2015-08-04 10:07:43.044 DEBUG ossecurity.web.FilterChainProxy - /login.jsp at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
 2015-08-04 10:07:43.044 DEBUG ossecurity.web.FilterChainProxy - /login.jsp at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
 2015-08-04 10:07:43.044 DEBUG osswaAnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faa3d44: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 172.20.65.226; SessionId: F2C563CA5780A3024AE7D89390CE0AB1; Granted Authorities: ROLE_ANONYMOUS'
 2015-08-04 10:07:43.044 DEBUG ossecurity.web.FilterChainProxy - /login.jsp at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
 2015-08-04 10:07:43.044 DEBUG ossecurity.web.FilterChainProxy - /login.jsp at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
 2015-08-04 10:07:43.045 DEBUG ossecurity.web.FilterChainProxy - /login.jsp at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
 2015-08-04 10:07:43.045 DEBUG osswumAntPathRequestMatcher - Checking match of request : '/login.jsp'; against '/login.jsp'
 2015-08-04 10:07:43.045 DEBUG osswaiFilterSecurityInterceptor - Secure object: FilterInvocation: URL: /login.jsp; Attributes: [permitAll]
 2015-08-04 10:07:43.045 DEBUG osswaiFilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6faa3d44: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 172.20.65.226; SessionId: F2C563CA5780A3024AE7D89390CE0AB1; Granted Authorities: ROLE_ANONYMOUS
 2015-08-04 10:07:43.045 DEBUG ossaccess.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@265c45f7, returned: 1
 2015-08-04 10:07:43.045 DEBUG osswaiFilterSecurityInterceptor - Authorization successful
 2015-08-04 10:07:43.045 DEBUG osswaiFilterSecurityInterceptor - RunAsManager did not change Authentication object
 2015-08-04 10:07:43.045 DEBUG ossecurity.web.FilterChainProxy - /login.jsp reached end of additional filter chain; proceeding with original chain
 2015-08-04 10:07:43.046 DEBUG osswaExceptionTranslationFilter - Chain processed normally
 2015-08-04 10:07:43.046 DEBUG osswcHttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
 2015-08-04 10:07:43.046 DEBUG osswcSecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

So it seems the user is authenticated anonymously, and I am then sent back to the login page because the anonymous user has no access.

Can anyone tell me what is wrong with the configuration? Or how could I analyze this further?

Solutions Collecting From Web of "How do I configure Kerberos on a Tomcat / Linux server?"

I am not sure how the JDK's krb implementation differs between Linux and Windows. Apparently there are some differences, because on Linux the JDK tries to find the default /etc/krb5.conf, and there is another default location I cannot remember right now. I think there is something similar for the JDK on Windows. You could temporarily rename the default krb5.conf file to make sure it is not being picked up (and giving you a wrong configuration).

I am shooting in the dark here, but let's guess. When I put together all those samples I ran into all sorts of trouble, but in the end they all worked. At some point (on Linux) I was completely lost as to whether a failure was caused by our spring-security-kerberos library or by the Kerberos setup itself. I found it very valuable to test the Kerberos setup outside the JDK. See http://docs.spring.io/spring-security-kerberos/docs/1.0.1.RELEASE/reference/htmlsingle/#troubleshooting, especially the part about trying ldapsearch from Linux against AD. You do not need to use a keytab, because if things are set up correctly, kinit should let you get a ticket from AD.

One thing I had in there was:

 [realms]
     EXAMPLE.ORG = {
         kdc = WIN-EKBO0EQ7TS7.example.org:88
     }

I believe I had port 88 in there for a reason; perhaps the Linux and Windows JDKs use different defaults when it is not defined.

Another thing is the supported enctypes, if those differ between AD and what the Linux JDK supports. That is something you should see in the JDK's internal krb debug log. Also, if you are able to kinit against AD from Linux, klist will show the key enctypes.
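Before blaming the JDK or the library, it helps to check that the krb5.conf itself is internally consistent. As an added example (not part of the question or either answer), the Python below parses a krb5.conf in the format posted above and reports a default_realm with no [realms] block, a realm with no kdc while DNS KDC lookup is off, domain_realm entries that map to an undefined realm, and libdefaults keys outside a small recognised set; that set is a subset of MIT krb5's options (an assumption), and the sample is the asker's file reflowed.

```python
# Constructed sample: the asker's krb5.conf reflowed (names as posted)
SAMPLE_KRB5_CONF = """[libdefaults]
  default_realm = INT.MYCOMPANY.DE
  kdc_tymesync = 1
[realms]
  INT.MYCOMPANY.DE = {
    admin_server = xyz.mycompany.de
    kdc = xyz.mycompany.de
  }
[domain_realm]
  .int.mycompany.de = INT.MYCOMPANY.DE
"""

KNOWN_LIBDEFAULTS = {  # subset of MIT krb5's libdefaults keys (assumption)
    "default_realm", "ccache_type", "kdc_timesync", "forwardable", "proxiable",
    "dns_lookup_kdc", "dns_lookup_realm", "ticket_lifetime", "renew_lifetime"}

def parse_krb5_conf(text):
    """Return {section: {key: value or {subkey: value}}} for an MIT-style krb5.conf."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section, sub = line[1:-1].lower(), None
            conf.setdefault(section, {})
        elif line == "}":                        # end of a { } block
            sub = None
        elif "=" in line and section is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            if val == "{":                       # e.g. REALM = { ... } in [realms]
                sub = conf[section].setdefault(key, {})
            else:
                (conf[section] if sub is None else sub)[key] = val
    return conf

def check_krb5_conf(conf):
    """Return problem strings; an empty list means the file is self-consistent."""
    lib, realms, problems = conf.get("libdefaults", {}), conf.get("realms", {}), []
    if lib.get("default_realm") not in realms:
        problems.append(f"default_realm {lib.get('default_realm')!r} has no [realms] entry")
    for realm, rs in realms.items():
        if "kdc" not in rs and lib.get("dns_lookup_kdc", "false").lower() != "true":
            problems.append(f"realm {realm}: no kdc and dns_lookup_kdc is off")
    for dom, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append(f"domain_realm {dom} -> undefined realm {realm}")
    problems += [f"libdefaults: unrecognised key {k!r}" for k in lib if k not in KNOWN_LIBDEFAULTS]
    return problems
```

Run against the sample, the only finding is the unrecognised libdefaults key `kdc_tymesync`; point it at /etc/krb5.conf as well, since that is the file the Linux JDK falls back to.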

I found that in both my Windows and Linux environments the krb5.conf specified in the krbConfLocation of GlobalSunJaasKerberosConfig (see below) was not used. Although the debug output shows this file, changes made to it had no effect. In my Windows environment I had a correctly set up Kerberos configuration (I still do not know where; I do not have a krb5.ini anywhere...). In the Linux environment I did not. As a result, Kerberos failed in the Linux environment.

I managed to fix this by setting the environment variables java.security.krb5.realm and java.security.krb5.kdc (see https://blogs.oracle.com/wangwj/entry/kerberos_programming_on_windows). With these set, Kerberos authentication works.

The krbConfLocation of this bean was not used:

 <beans:bean class="org.springframework.security.kerberos.authentication.sun.GlobalSunJaasKerberosConfig">
     <beans:property name="debug" value="false" />
     <beans:property name="krbConfLocation" value="file:${externalPropertiesPath}/krb5.conf"/>
 </beans:bean>