Spring Security / SPNEGO身份验证问题:校验和失败
[英]Spring Security/SPNEGO authentication issue: Checksum failed
问题描述
我在Java项目中使用带有SPNEGO的Spring Security进行身份验证。 我遵循链接http://anmoljains.wordpress.com/2014/01/19/java-single-sign-on-using-spnego-and-jboss-eap-6-1-0/中说明的每个步骤,但是,当我尝试从不同于服务器的计算机上通过IE进行身份验证时,出现以下错误:
协商头部是无效的:协商YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAAEu8iH + 9PA / ykFHFoL0fcG4pSiUY / 1uV4d6rsrMhDt1gQWYkR7WJ + / z5C7xHvZptngAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo =:org.springframework.security.authentication.BadCredentialsException:Kerberos的验证不succesfull ... 产生的原因:java.security.GeneralSecurityException:校验失败
这是我的applicationContext-security.xml:
<http entry-point-ref="spnegoEntryPoint" use-expressions="true">
<intercept-url pattern="/**" access="isAuthenticated()"/>
<intercept-url pattern="/report" filters="none"/>
<custom-filter ref="spnegoAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER"/>
<intercept-url pattern="/css/**" filters="none"/>
<intercept-url pattern="/resources/**" filters="none"/>
<intercept-url pattern="/js/**" filters="none"/>
<form-login login-page="/login" default-target-url="/report" authentication-failure-url="/accessDenied"/>
<logout logout-url=""/>
</http>
<beans:bean id="spnegoEntryPoint" class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint"/>
<beans:bean id="spnegoAuthenticationProcessingFilter" class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
<beans:property name="authenticationManager" ref="authenticationManager"/>
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="kerberosServiceAuthenticationProvider"/>
<authentication-provider ref="kerberosAuthenticationProvider" />
</authentication-manager>
<beans:bean id="kerberosServiceAuthenticationProvider" class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
<beans:property name="ticketValidator">
<beans:bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
<beans:property name="servicePrincipal" value="HTTP/web.team.it@team.it/>
其中userDetailsService是我对org.springframework.security.core.userdetails.UserDetailsService的实现。
这就是我生成keytab.pass的方法:
C:\\ Windows \\ System32> ktpass / out http-web.keytab / mapuser http-web.team.it@team.it / princ HTTP/pc-web.team.it@team.it / crypto AES256-SHA1 / pType KR B5_NT_PRINCIPAL -kvno 0 / pass密码01
使用Wireshark,我得到以下信息:
接受:text / html,application / xhtml + xml, /接受语言:it-IT用户代理:Mozilla / 5.0(兼容; MSIE 10.0; Windows NT 6.1; WOW64; Trident / 6.0)接受编码:gzip,压缩主机:web.team.it:8080 DNT:1个连接:保持活动的Cookie:JSESSIONID = PDY3d6UIDOARlxk92scldt8Z.undefined授权:协商YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAAEu8iH + 9PA / ykFHFoL0fcG4pSiUY / 1uV4d6rsrMhDt1gQWYkR7WJ + / z5C7xHvZptngAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo =
尝试仅使用短机器名(Web而不是web.team.it)更改主体,我得到了错误:
找不到适当类型的密钥以使用HMAC SHA1-96解密AP REP-AES256 CTS模式
我正在使用Spring Security 3.0.5和spring-security-kerberos-core-1.0.0.M2.jar。 拥有这种身份验证的完整样本也将很有用。 谢谢大家。
1 个解决方案
解决方案1
0 2014-07-28 15:09:54
添加到您的krb5.conf default_tkt_enctypes = aes256-cts-hmac-sha1-96 default_tgs_enctypes = aes256-cts-hmac-sha1-96
Spring Security:如果认证失败,则重定向到登录页面
[英]Spring Security : Redirecting to login page if the authentication failed
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.