Tomcat Windows Authentication: JNDIRealm doesn't use SPNEGO delegated credentials

We have Tomcat 7.0.53 running on Linux, and we are trying to make Windows Authentication work as described here: https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Tomcat_instance_%28Linux_server%29

SPNEGO alone works fine; it authenticates users quite well.

Then we have JNDIRealm connected to LDAP to fetch user roles, and that's where the problem arises.

After successful user authentication by SPNEGO we try to authenticate in JNDIRealm, and it seems like it doesn't use SPNEGO's delegated credentials, and auth fails. Moreover, when we try to use UserDatabaseRealm instead of JNDIRealm and set up the user with the corresponding roles in tomcat-users.xml, this Realm won't use these credentials either, and auth fails again.

Catalina log says:

Apr 09, 2014 1:56:46 PM org.apache.catalina.realm.CombinedRealm authenticate
FINE: Attempting to authenticate user "username@DEFAULT.REALM.RU" with realm 
"org.apache.catalina.realm.JNDIRealm/1.0"
Apr 09, 2014 1:56:46 PM org.apache.catalina.realm.CombinedRealm authenticate
FINE: combinedRealm.authFail
    [Krb5LoginModule]: Entering logout
    [Krb5LoginModule]: logged out Subject

Our configuration files are listed below.

kr5.ini:

[logging]
    default = FILE:/var/lib/tomcat/logs/krb5libs.log
    kdc = FILE:/var/lib/tomcat/logs/krb5kdc.log
    admin_server = FILE:/var/lib/tomcat/logs/kadmind.log

[libdefaults]
    default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    permitted_enctypes   = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    default_realm = DEFAULT.REALM.RU

[realms]
    DEFAULT.REALM.RU = {
        kdc = dc01-one.default.realm.ru:88
        default_domain = DEFAULT.REALM.RU
    }

[domain_realm]
    .DEFAULT.REALM.RU = DEFAULT.REALM.RU
    .default.realm.ru = DEFAULT.REALM.RU
    default.realm.ru = DEFAULT.REALM.RU

jaas.conf:

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/appserver.default.realm.ru@DEFAULT.REALM.RU"
    useKeyTab=true
    keyTab="/var/lib/tomcat/conf/tomcat.keytab"
    storeKey=true
    debug=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/appserver.default.realm.ru@DEFAULT.REALM.RU"
    useKeyTab=true
    keyTab="/var/lib/tomcat/conf/tomcat.keytab"
    storeKey=true
    debug=true;
};

server.xml:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
        debug="9"
        connectionURL="ldap://1.1.1.1:3268"
        connectionName="user_sys@default.realm.ru"
        connectionPassword="***"
        userBase="DC=****,DC=ru"
        userSearch="(&amp;(objectClass=user)(userPrincipalName={0}))"
        userRoleName="memberOf"
        userSubtree="true"
        roleBase="***"
        roleName="name"
        roleSubtree="true"
        roleSearch="(&amp;(objectClass=group)(member={0}))"
        referrals="follow"
        authentication="none"
        useDelegatedCredential="true"
        spnegoDelegationQop="auth"
        />

Application context.xml:

<Valve 
    className="org.apache.catalina.authenticator.SpnegoAuthenticator"
    storeDelegatedCredential="true"
/>

Application web.xml:

<login-config>
    <auth-method>SPNEGO</auth-method>
</login-config>

When using the FORM auth-method, the JNDIRealm configuration (without the last 3 parameters though: authentication, useDelegatedCredential and spnegoDelegationQop) works perfectly well.

We tried to use SPNEGO SourceForge, with SPNEGO either as an HttpFilter or a Valve, but didn't succeed either.

Is anything in this configuration wrong? How can we make JNDIRealm use SPNEGO delegated credentials?

Solved this issue ourselves. The matter was in the stripRealmForGss parameter of JNDIRealm: either omitting it (as in our case) or setting it to true made JNDIRealm try to connect to an empty host. When we set stripRealmForGss="false", suddenly everything worked like a charm.
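The following is an added example, not part of the post and not Tomcat's own code. It models what stripRealmForGss changes: the user name that JNDIRealm substitutes for {0} in the userSearch filter above. Since the filter keys on userPrincipalName, and an Active Directory UPN always carries its "@suffix", a name with the realm stripped cannot match it; the directory entry and the RFC 4515 escaping helper are assumptions made for the demonstration.

```python
# Added example (not Tomcat's code): model how JNDIRealm's stripRealmForGss
# setting changes the name substituted for {0} in userSearch, using the
# filter and the principal from this page. The directory entry is constructed.

# userSearch from the server.xml above (the "&amp;" there is XML escaping for "&")
USER_SEARCH = "(&(objectClass=user)(userPrincipalName={0}))"
# Principal exactly as SPNEGO reported it in the Catalina log above
GSS_NAME = "username@DEFAULT.REALM.RU"
# Constructed AD entry: a userPrincipalName always includes the "@suffix" part
DIRECTORY = [{"objectClass": "user", "userPrincipalName": "username@default.realm.ru"}]


def strip_realm_for_gss(gss_name: str, strip: bool) -> str:
    """Documented stripRealmForGss behaviour: drop '@REALM' only when enabled."""
    if strip:
        at = gss_name.find("@")
        if at > 0:  # guard so a name starting with '@' cannot become empty
            return gss_name[:at]
    return gss_name


def rfc4515_escape(value: str) -> str:
    """Escape LDAP filter metacharacters so {0} cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_user_filter(gss_name: str, strip_realm: bool) -> str:
    """Substitute the (possibly stripped) user name into userSearch."""
    name = rfc4515_escape(strip_realm_for_gss(gss_name, strip_realm))
    return USER_SEARCH.replace("{0}", name)


def find_user(gss_name: str, strip_realm: bool):
    """Evaluate the userPrincipalName equality against the constructed directory
    (AD compares UPNs case-insensitively); return the matching entry or None."""
    wanted = strip_realm_for_gss(gss_name, strip_realm).lower()
    for entry in DIRECTORY:
        if entry["objectClass"] == "user" and entry["userPrincipalName"].lower() == wanted:
            return entry
    return None


if __name__ == "__main__":
    for strip in (True, False):
        outcome = "match" if find_user(GSS_NAME, strip) else "no match"
        print(f'stripRealmForGss="{str(strip).lower()}": '
              f"{build_user_filter(GSS_NAME, strip)} -> {outcome}")
```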
