
How to configure Kerberos on a Tomcat/Linux server?

I'm trying to set up Kerberos authentication in a Java web app running in Tomcat on Linux. I'm using the Spring Security Kerberos extension. I'm using:

  • JDK 1.7u75
  • spring-security-kerberos 1.0.0.RELEASE
  • MS Active Directory

On my local development machine (Windows) everything runs fine. But after deploying the app to a Linux machine, authentication is no longer working. I strongly suspect that something is wrong with my Kerberos configuration:

[libdefaults]
  default_realm = INT.MYCOMPANY.DE
  ccache_type=4
  # the key must be spelled kdc_timesync; a misspelled key (kdc_tymesync in the original post) is ignored without any error
  kdc_timesync=1
  forwardable=true
  proxiable=true

[realms]
  INT.MYCOMPANY.DE = {
   admin_server = xyz.mycompany.de
   kdc = xyz.mycompany.de
   }

[domain_realm]
.INT.MYCOMPANY.DE = INT.MYCOMPANY.DE
int.mycompany.de = INT.MYCOMPANY.DE
.int.mycompany.de = INT.MYCOMPANY.DE
.mycompany.de = INT.MYCOMPANY.DE
mycompany.de = INT.MYCOMPANY.DE

[logging]
#kdc = console

(server and realm names changed)

Spring Security config:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security.xsd
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

    <context:property-placeholder location="file:${externalPropertiesPath}/edlgui.properties" />

    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="kerberosAuthenticationProvider" />
    </authentication-manager>

    <http use-expressions="true">
        <intercept-url pattern="/login.jsp" access="permitAll" />
        <intercept-url pattern="/admin/**" access="hasRole('${edl.gui.authorization.requiredrole}')" />
        <form-login login-page="/login.jsp" username-parameter="username" password-parameter="password" default-target-url="/admin"/>
        <logout logout-url="/logout" logout-success-url="/login.jsp" />
        <http-basic />
        <access-denied-handler ref="edlGuiAccessDeniedHandler"/>
    </http>

    <beans:bean id="edlGuiAccessDeniedHandler" class="edl.security.EdlGuiAccessDeniedHandler">
        <beans:constructor-arg value="/login.jsp"/>
    </beans:bean>

    <beans:bean id="kerberosAuthenticationProvider" class="org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider">
        <beans:property name="kerberosClient">
            <beans:bean class="org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient">
                <beans:property name="debug" value="false" />
            </beans:bean>
        </beans:property>
        <!-- TODO replace dummy user service -->
        <beans:property name="userDetailsService" ref="ldapUserDetailsService" />
    </beans:bean>

    <beans:bean class="org.springframework.security.kerberos.authentication.sun.GlobalSunJaasKerberosConfig">
        <beans:property name="debug" value="false" />
        <!-- externalPropertiesPath path = /opt/pksvc/tomcat/current/conf -->
        <beans:property name="krbConfLocation" value="file:${externalPropertiesPath}/krb5.conf"/>
    </beans:bean>

    <!-- Get User Details via LDAP -->
    <!-- It would be nice to do this via Kerberos, however that requires a keytab -->
    <ldap-user-service id="ldapUserDetailsService"
        server-ref="activeDirectoryLdap"
        user-search-base="${edl.gui.ldap.usersearchbase}"
        user-search-filter="${edl.gui.ldap.usersearchfilter}"
        group-search-base="${edl.gui.ldap.groupsearchbase}"
        group-role-attribute="${edl.gui.ldap.grouproleattribute}"
        group-search-filter="${edl.gui.ldap.groupsearchfilter}"
        user-details-class="person"/>
    <ldap-server id="activeDirectoryLdap"
        url="${edl.gui.ldap.url}"
        manager-dn="${edl.gui.ldap.managerdn}"
        manager-password="${edl.gui.ldap.managerpw}"
        root="${edl.gui.ldap.root}"/>

</beans:beans>

When I try to log in, the only thing I see from the Kerberos debug output is:

Java config name: file:/opt/pksvc/tomcat/current/conf/krb5.conf
getRealmFromDNS: trying mycompany.de

(I would expect to see 'KrbAsReq creating message' and 'KrbKdcReq send' entries)

And from Spring:

2015-08-04 10:07:42.986 DEBUG o.s.security.web.FilterChainProxy - /j_spring_security_check at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2015-08-04 10:07:42.986 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
2015-08-04 10:07:42.986 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@64656737. A new one will be created.
2015-08-04 10:07:42.986 DEBUG o.s.security.web.FilterChainProxy - /j_spring_security_check at position 2 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2015-08-04 10:07:42.986 DEBUG o.s.security.web.FilterChainProxy - /j_spring_security_check at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2015-08-04 10:07:42.987 DEBUG o.s.security.web.FilterChainProxy - /j_spring_security_check at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2015-08-04 10:07:42.987 DEBUG o.s.s.w.a.UsernamePasswordAuthenticationFilter - Request is to process authentication
2015-08-04 10:07:42.987 DEBUG o.s.s.authentication.ProviderManager - Authentication attempt using org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider
2015-08-04 10:07:42.987 DEBUG o.s.s.k.a.sun.SunJaasKerberosClient - Trying to authenticate KieselGun with Kerberos
2015-08-04 10:07:42.993 DEBUG o.s.s.w.a.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Kerberos authentication failed
2015-08-04 10:07:42.993 DEBUG o.s.s.w.a.UsernamePasswordAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
2015-08-04 10:07:42.993 DEBUG o.s.s.w.a.UsernamePasswordAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@72f106b0
2015-08-04 10:07:42.993 DEBUG o.s.s.w.a.SimpleUrlAuthenticationFailureHandler - Redirecting to /login.jsp
2015-08-04 10:07:42.993 DEBUG o.s.s.web.DefaultRedirectStrategy - Redirecting to '/edl-gui/login.jsp'
2015-08-04 10:07:42.993 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2015-08-04 10:07:42.994 DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
2015-08-04 10:07:43.042 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2015-08-04 10:07:43.043 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
2015-08-04 10:07:43.043 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@64656737. A new one will be created.
2015-08-04 10:07:43.043 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 2 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2015-08-04 10:07:43.043 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2015-08-04 10:07:43.043 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2015-08-04 10:07:43.043 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2015-08-04 10:07:43.043 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2015-08-04 10:07:43.044 DEBUG o.s.s.w.s.DefaultSavedRequest - pathInfo: both null (property equals)
2015-08-04 10:07:43.044 DEBUG o.s.s.w.s.DefaultSavedRequest - queryString: both null (property equals)
2015-08-04 10:07:43.044 DEBUG o.s.s.w.s.DefaultSavedRequest - requestURI: arg1=/edl-gui/admin; arg2=/edl-gui/login.jsp (property not equals)
2015-08-04 10:07:43.044 DEBUG o.s.s.w.s.HttpSessionRequestCache - saved request doesn't match
2015-08-04 10:07:43.044 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2015-08-04 10:07:43.044 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2015-08-04 10:07:43.044 DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faa3d44: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 172.20.65.226; SessionId: F2C563CA5780A3024AE7D89390CE0AB1; Granted Authorities: ROLE_ANONYMOUS'
2015-08-04 10:07:43.044 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2015-08-04 10:07:43.044 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2015-08-04 10:07:43.045 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2015-08-04 10:07:43.045 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/login.jsp'; against '/login.jsp'
2015-08-04 10:07:43.045 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /login.jsp; Attributes: [permitAll]
2015-08-04 10:07:43.045 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6faa3d44: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 172.20.65.226; SessionId: F2C563CA5780A3024AE7D89390CE0AB1; Granted Authorities: ROLE_ANONYMOUS
2015-08-04 10:07:43.045 DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@265c45f7, returned: 1
2015-08-04 10:07:43.045 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Authorization successful
2015-08-04 10:07:43.045 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - RunAsManager did not change Authentication object
2015-08-04 10:07:43.045 DEBUG o.s.security.web.FilterChainProxy - /login.jsp reached end of additional filter chain; proceeding with original chain
2015-08-04 10:07:43.046 DEBUG o.s.s.w.a.ExceptionTranslationFilter - Chain processed normally
2015-08-04 10:07:43.046 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2015-08-04 10:07:43.046 DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

So it seems the user gets authenticated as anonymous, after which I get back to the login page, since anonymous users have no access.

Can anyone tell me what's wrong with my configuration? Or how I could further analyse this?

I'm not sure how the JDK's Kerberos implementation differs between Linux and Windows. Obviously there are some differences, because on Linux the JDK will try to find the default /etc/krb5.conf, and there is one other default location I don't remember right now. I assume on Windows similar tweaks are in place for the JDK. You could even temporarily rename the default krb5.conf file to be sure it's not used (and you're not getting the wrong config).

I'm shooting in the dark here, but let's make a random guess. I had a lot of various kinds of trouble when I made all those samples, but eventually got everything working. At some point (on Linux), when I was totally lost as to whether the failures were caused by our spring-security-kerberos libs or by something to do with the Kerberos settings, etc., I found it very valuable to test the Kerberos settings outside of the JDK. See http://docs.spring.io/spring-security-kerberos/docs/1.0.1.RELEASE/reference/htmlsingle/#troubleshooting and especially try connecting with ldapsearch from Linux to AD. You don't need to use keytabs, because kinit should allow you to get a ticket from AD if the settings are right.

One thing I have there is:

[realms]
EXAMPLE.ORG = {
  kdc = WIN-EKBO0EQ7TS7.example.org:88
}

I believe I had this port 88 there for a reason, and maybe there are some different defaults in the Linux/Windows JDKs if none are defined.

The other thing is supported enctypes, if those differ between what AD uses and what the Linux JDK supports. This is something you should see from the JDK's internal Kerberos debug logs. Also, if you are able to kinit against AD from Linux, klist will then show the key enctypes.

I found out that in both my local environment on Windows and the Linux environment, the krb5.conf specified in the GlobalSunJaasKerberosConfig krbConfLocation (see below) was not used. Although the debug output showed this file, the changes made there had no effect. In my Windows environment I had a correctly set up Kerberos configuration (I still don't know where that is; I don't have a krb5.ini anywhere...); in the Linux environment I did not. As a result, Kerberos failed in the Linux environment.

I managed to work around this by setting the environment variables java.security.krb5.realm and java.security.krb5.kdc (see https://blogs.oracle.com/wangwj/entry/kerberos_programming_on_windows ). With these set, Kerberos authentication worked.

The krbConfLocation from this bean was not used:

<beans:bean class="org.springframework.security.kerberos.authentication.sun.GlobalSunJaasKerberosConfig">
    <beans:property name="debug" value="false" />
    <beans:property name="krbConfLocation" value="file:${externalPropertiesPath}/krb5.conf"/>
</beans:bean>
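To make the diagnosis in the question and the workaround in this answer mechanical, here is an added example (not code from the original post or from spring-security-kerberos) that checks a krb5.conf offline before the JDK gets it. It parses the file, flags misspelled [libdefaults] keys such as the kdc_tymesync in the poster's original file, reports a default_realm with no kdc entry (the situation in which the JDK falls back to DNS, which is what the 'getRealmFromDNS' debug line shows), and derives the java.security.krb5.realm / java.security.krb5.kdc pair from the file so that the property-based workaround and krb5.conf name the same KDC. The sample krb5.conf is the poster's anonymised file embedded as constructed input. Three assumptions about JDK behaviour are baked in: java.security.krb5.conf is opened as a plain filesystem path, so a Spring-style file: prefix (as in the 'Java config name: file:/opt/...' debug line above) names a file that does not exist and is silently skipped; unknown [libdefaults] keys are ignored rather than rejected; and java.security.krb5.kdc is read as a colon-separated list of hosts, so a :88 port suffix does not belong in that property even though it is valid in a [realms] kdc entry.

```python
"""krb5.conf sanity checks.  Added example for this thread, not code from the
post or from spring-security-kerberos.  Assumes the JDK opens java.security.krb5.conf
as a plain path, ignores unknown [libdefaults] keys, and reads java.security.krb5.kdc
as a colon-separated list of hosts (no ports)."""
import re

# Constructed sample: the poster's anonymised file, misspelled key included.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = INT.MYCOMPANY.DE
  ccache_type=4
  kdc_tymesync=1
  forwardable=true
[realms]
  INT.MYCOMPANY.DE = {
   kdc = xyz.mycompany.de
   }
[domain_realm]
.mycompany.de = INT.MYCOMPANY.DE
[logging]
#kdc = console
"""

# Subset of the [libdefaults] keys that MIT krb5 and the JDK actually read.
KNOWN_LIBDEFAULTS = {"default_realm", "dns_lookup_realm", "dns_lookup_kdc", "dns_fallback",
                     "ticket_lifetime", "renew_lifetime", "forwardable", "proxiable", "rdns",
                     "ccache_type", "kdc_timesync", "clockskew", "default_tkt_enctypes",
                     "default_tgs_enctypes", "permitted_enctypes", "udp_preference_limit"}

def parse_krb5_conf(text):
    """Parse the INI-with-braces profile format into nested dicts.  'NAME = {' opens a
    nested dict; a repeated key (several kdc = lines) becomes a list; '#'/';' lines are comments."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1].strip(), {})]
            continue
        if not stack:
            raise ValueError("entry outside any section: %r" % raw)
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        m = re.fullmatch(r"([^=\s]+)\s*=\s*(.*)", line)
        if not m:
            raise ValueError("cannot parse line: %r" % raw)
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            stack[-1][key] = {}
            stack.append(stack[-1][key])
        elif key in stack[-1]:
            old = stack[-1][key]
            stack[-1][key] = (old if isinstance(old, list) else [old]) + [value]
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unclosed '{' block")
    return conf

def java_conf_path(krb_conf_location):
    """(path, warning) for the value GlobalSunJaasKerberosConfig copies into java.security.krb5.conf.
    A Spring-style 'file:' prefix is not a path: the JDK cannot open it and falls back to DNS."""
    if krb_conf_location.startswith("file:"):
        return krb_conf_location[5:], "java.security.krb5.conf is a path, not a URL: drop 'file:'"
    return krb_conf_location, None

def lint_krb5_conf(conf):
    """Findings that explain a DNS fallback (getRealmFromDNS) or an unreachable KDC."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    for key in libdefaults:
        if key not in KNOWN_LIBDEFAULTS:
            findings.append("[libdefaults] unknown key %r is silently ignored" % key)
    realm = libdefaults.get("default_realm")
    if realm is None:
        return findings + ["[libdefaults] no default_realm: the JDK will query DNS"]
    realms = conf.get("realms", {})
    if realm not in realms or "kdc" not in realms[realm]:
        findings.append("[realms] no kdc for %s: the JDK will look for DNS SRV records" % realm)
    for domain, mapped in conf.get("domain_realm", {}).items():
        if mapped not in realms:
            findings.append("[domain_realm] %s maps to undefined realm %s" % (domain, mapped))
    return findings

def kdc_host_port(kdc):
    """Split a [realms] kdc value 'host[:port]'; Kerberos defaults to port 88."""
    host, _, port = kdc.partition(":")
    return host, int(port) if port else 88

def jvm_fallback_properties(conf):
    """Derive the java.security.krb5.realm / java.security.krb5.kdc pair from the file so the
    property-based workaround and krb5.conf name the same KDC.  Ports are dropped (see above)."""
    realm = conf["libdefaults"]["default_realm"]
    kdcs = conf["realms"][realm]["kdc"]
    kdcs = kdcs if isinstance(kdcs, list) else [kdcs]
    return {"java.security.krb5.realm": realm,
            "java.security.krb5.kdc": ":".join(kdc_host_port(k)[0] for k in kdcs)}
```

Run `lint_krb5_conf(parse_krb5_conf(open(path).read()))` against the file Tomcat actually loads, where `path` is whatever `java_conf_path(...)` returns for the krbConfLocation value, and pass the dict from `jvm_fallback_properties` as `-D` flags in Tomcat's JAVA_OPTS together with `-Dsun.security.krb5.debug=true`; once the debug output shows 'KrbAsReq creating message' instead of 'getRealmFromDNS', the realm and KDC are being taken from explicit configuration rather than DNS.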

Notice: the technical posts on this site are published under the CC BY-SA 4.0 licence; if you repost them, please credit this site or the original source. For any questions contact: yoyou2525@163.com.

© 2020-2024 STACKOOM.COM