Use of spnego and kerberos with gss in graal

I'm attempting to reuse some existing code which enables spnego authentication in a new Quarkus app. The Quarkus app, when compiled as a standard JAR and run with OpenJDK 11, works perfectly. As soon as I package it up as a native executable (on Linux) I get the following exception:

2021-05-21 17:31:17,178 ERROR [com.organisation.sec.ker.eng.gss.AbstractGssAuthenticator] (executor-thread-1) GSS error occured: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:859)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:361)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:303)
    at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:905)
    at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:556)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:361)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:303)
    at com.organisation.security.kerberos.engine.gss.AbstractGssAuthenticator$AuthAction.run(AbstractGssAuthenticator.java:110)
    at com.organisation.security.kerberos.engine.gss.AbstractGssAuthenticator$AuthAction.run(AbstractGssAuthenticator.java:77)
    at java.security.AccessController.doPrivileged(AccessController.java:147)
    at javax.security.auth.Subject.doAs(Subject.java:423)
    at com.organisation.security.kerberos.engine.gss.AbstractGssAuthenticator.handle(AbstractGssAuthenticator.java:49)
    at com.organisation.security.kerberos.KerberosAuthenticationFilter.processAuthHeader(KerberosAuthenticationFilter.java:95)
    at com.organisation.security.kerberos.KerberosAuthenticationFilter.authenticate(KerberosAuthenticationFilter.java:64)
    at com.organisation.jaxrs.security.AuthenticationContainerRequestFilter.filter(AuthenticationContainerRequestFilter.java:69)
    at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:312)
    at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:249)
    at io.quarkus.resteasy.runtime.ResteasyFilter$ResteasyResponseWrapper.service(ResteasyFilter.java:70)
    at io.quarkus.resteasy.runtime.ResteasyFilter$ResteasyResponseWrapper.sendError(ResteasyFilter.java:76)
    at io.undertow.servlet.handlers.DefaultServlet.doGet(DefaultServlet.java:172)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:503)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at io.quarkus.resteasy.runtime.ResteasyFilter.doFilter(ResteasyFilter.java:31)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:63)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:67)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:133)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:65)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:247)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:56)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:111)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:108)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at io.quarkus.undertow.runtime.UndertowDeploymentRecorder$9$1.call(UndertowDeploymentRecorder.java:587)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleRequest(ServletInitialHandler.java:152)
    at io.quarkus.undertow.runtime.UndertowDeploymentRecorder$1.handleRequest(UndertowDeploymentRecorder.java:119)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:290)
    at io.undertow.server.DefaultExchangeHandler.handle(DefaultExchangeHandler.java:18)
    at io.quarkus.undertow.runtime.UndertowDeploymentRecorder$5$1.run(UndertowDeploymentRecorder.java:413)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    at java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2415)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1452)
    at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
    at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
    at java.lang.Thread.run(Thread.java:834)
    at org.jboss.threads.JBossThread.run(JBossThread.java:501)
    at com.oracle.svm.core.thread.JavaThreads.threadStartRoutine(JavaThreads.java:519)
    at com.oracle.svm.core.posix.thread.PosixJavaThreads.pthreadStartRoutine(PosixJavaThreads.java:192)
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:139)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:832)
    ... 67 more

I'm fairly new to Graal, and not sure what I need to add to allow this to work (or if it is even something that is currently supported).

I did have some problems to start with, and I've enabled reflection for sun.security.provider.ConfigFile, sun.security.jgss.GSSContextImpl and sun.security.jgss.GSSManagerImpl, which sorted them out. Unfortunately I'm not sure how to deal with the missing key type.

Here's an example of the code:

    import org.ietf.jgss.*;

    // oid is the SPNEGO mechanism OID (1.3.6.1.5.5.2); inToken is the decoded
    // token from the client's "Authorization: Negotiate" header
    final GSSManager manager = GSSManager.getInstance();
    final Oid spnegoOid = new Oid(oid);
    final GSSCredential serverCreds = manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME, spnegoOid,
            GSSCredential.ACCEPT_ONLY);

    final GSSContext context = manager.createContext(serverCreds);

    try
    {
        final byte[] outToken = context.acceptSecContext(inToken, 0, inToken.length);
        // a non-null outToken is returned to the client in a WWW-Authenticate: Negotiate header
    }
    catch (final GSSException e)
    {
        // e.getMajorString() / e.getMinorString() give the GSS-API and mechanism-level causes
    }

You could generate a new keytab file using /crypto ALL with the ktpass command:

ktpass /out "server.keytab" /princ HTTP/SERVER@DOMAIN /mapuser KERBEROS_SERVICEUSER /mapop set /pass PASSWORD_PLACEHOLDER /crypto ALL /ptype KRB5_NT_PRINCIPAL
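The exception names the key type the client's AP-REQ was encrypted with (RC4-HMAC, Kerberos etype 23) and says the acceptor found no key of that type, so the first thing to verify is which enctypes the keytab actually holds for the service principal. The following is an added example, not code from the question or the answer: a small parser for the MIT keytab format (version 0x0502) in Python, run against a keytab constructed in memory with a made-up principal (HTTP/server.example.com@EXAMPLE.COM) and dummy key bytes so it works offline. On a real host `klist -k -e server.keytab` (MIT Kerberos) gives the same listing. Two caveats for anyone reaching for /crypto ALL: RC4-HMAC is deprecated for Kerberos by RFC 8429, so letting the service account and KDC settle on AES is the better long-term fix than adding an RC4 key, and whatever keytab you write must be the one the native executable actually reads at runtime.

```python
import struct
from io import BytesIO

# Kerberos encryption-type numbers (RFC 3961, RFC 3962, RFC 4757, RFC 8009).
# JGSS prints etype 23 as "RC4 with HMAC" in the error quoted in the question.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}
RC4_HMAC, AES128_SHA1, AES256_SHA1 = 23, 17, 18
KRB5_NT_PRINCIPAL = 1


def _counted(buf: bytes) -> bytes:
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(buf)) + buf


def build_keytab(entries) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples into a version-0x0502 keytab.
    Only used to construct test input here; the key bytes are dummies, not real keys."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name_type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key             # keyblock
        body += struct.pack(">I", kvno)                                 # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Yield one dict per live entry of a version-0x0502 keytab (MIT/Heimdal layout)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is supported")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # a negative size marks a deleted entry (hole)
            pos += -size
            continue
        entry = BytesIO(data[pos:pos + size])
        pos += size

        def counted() -> str:
            (n,) = struct.unpack(">H", entry.read(2))
            return entry.read(n).decode()

        (ncomp,) = struct.unpack(">H", entry.read(2))
        realm = counted()
        components = [counted() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", entry.read(9))
        enctype, keylen = struct.unpack(">HH", entry.read(4))
        entry.read(keylen)           # key material itself is not needed for the listing
        rest = entry.read()
        kvno = struct.unpack(">I", rest[:4])[0] if len(rest) >= 4 else vno8
        yield {"principal": "/".join(components) + "@" + realm, "kvno": kvno,
               "enctype": enctype, "enctype_name": ENCTYPE_NAMES.get(enctype, f"etype {enctype}")}


def enctypes_for(data: bytes, principal: str) -> list:
    """Sorted enctype names present for one principal (what `klist -k -e` would show)."""
    return sorted({e["enctype_name"] for e in parse_keytab(data) if e["principal"] == principal})


def has_key(data: bytes, principal: str, enctype: int) -> bool:
    """The check behind 'Cannot find key of appropriate type': is there a key for this
    principal whose enctype matches the one the client's AP-REQ was encrypted with?"""
    return any(e["principal"] == principal and e["enctype"] == enctype for e in parse_keytab(data))


# Constructed sample data: made-up principal, dummy keys.
SERVICE = "HTTP/server.example.com@EXAMPLE.COM"
KEYTAB_AES_ONLY = build_keytab([
    (SERVICE, 3, AES256_SHA1, b"\x11" * 32),
    (SERVICE, 3, AES128_SHA1, b"\x22" * 16),
])
KEYTAB_ALL = build_keytab([
    (SERVICE, 3, AES256_SHA1, b"\x11" * 32),
    (SERVICE, 3, AES128_SHA1, b"\x22" * 16),
    (SERVICE, 3, RC4_HMAC, b"\x33" * 16),   # an RC4-HMAC key alongside the AES ones
])

if __name__ == "__main__":
    for label, kt in (("AES-only keytab", KEYTAB_AES_ONLY), ("keytab with RC4", KEYTAB_ALL)):
        print(label, enctypes_for(kt, SERVICE),
              "can decrypt an RC4 AP-REQ:", has_key(kt, SERVICE, RC4_HMAC))
```

The AES-only keytab reproduces the situation in the stack trace: the acceptor has keys, but none of etype 23, so an RC4-encrypted AP-REQ cannot be decrypted. Listing the enctypes this way also tells you whether the client is presenting RC4 because the KDC issued an RC4 service ticket, which is a service-account configuration question rather than something more reflection metadata in the native image will solve.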
