使用HTTP客户端的Kerberos连接

Question

我正在使用Kerberos身份验证编写HTTP连接。 我有“HTTP / 1.1 401 Unauthorized”。 你能推荐我应该检查一下吗？ 我认为有一些想法，但我没有看到它。

可能是我应该用“Negotiate”设置标题“WWW-Authenticate”？

非常感谢您提供任何帮助和想法。

public class ClientKerberosAuthentication {

    public static void main(String[] args) throws Exception {

        System.setProperty("java.security.auth.login.config", "login.conf");
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        System.setProperty("sun.security.krb5.debug", "true");
        System.setProperty("javax.security.auth.useSubjectCredsOnly","false");

        DefaultHttpClient httpclient = new DefaultHttpClient();
        try {
           NegotiateSchemeFactory nsf = new NegotiateSchemeFactory();
           httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO, nsf);            

           List<String> authpref = new ArrayList<String>();
           authpref.add(AuthPolicy.BASIC);
           authpref.add(AuthPolicy.SPNEGO);
           httpclient.getParams().setParameter(AuthPNames.PROXY_AUTH_PREF, authpref);            


           httpclient.getCredentialsProvider().setCredentials(
                  new AuthScope(null, -1, AuthScope.ANY_REALM, AuthPolicy.SPNEGO), 
                  new UsernamePasswordCredentials("myuser", "mypass"));            

           System.out.println("----------------------------------------");
           HttpUriRequest request = new HttpGet("http://localhost:8084/web-app/webdav/213/_test.docx");
           HttpResponse response = httpclient.execute(request);
           HttpEntity entity = response.getEntity();

           System.out.println("----------------------------------------");
           System.out.println(response.getStatusLine());
           System.out.println("----------------------------------------");
           if (entity != null) {
               System.out.println(EntityUtils.toString(entity));
           }
           System.out.println("----------------------------------------");

           // This ensures the connection gets released back to the manager
           EntityUtils.consume(entity);

        } finally {
           httpclient.getConnectionManager().shutdown();
        }
    }
}

Answer 1

SPNEGO将无法工作，因为您使用localhost作为URL主机名。

您的服务器配置为从ActiveDirectory服务帐户上注册的HTTP/开始的一组SPN（或至少一个）。 您可以通过setspn -l yourServiceAccount从AD查询它们。

您的URL必须在ActiveDirectory中使用称为SPN的有效服务器主机名，以便Apache Http Client可以协商此服务的TGS并将其发送到您的服务器。

Answer 2

这是我在项目中编写的测试客户端。 此客户端依赖于在JDK上启用的所有加密类型，

如果您在日志中看到以下内容，并且您的密钥表以256位默认etypes加密，则为default_tkt_enctypes: 17 16 23 1 3.

然后下载jar http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html需要下载并置于JDK/jre/lib/security以启用AES256位加密后您应该在default_tkt_enctypes: 18 17 16 23 1 3.日志默认etypes中看到以下内容default_tkt_enctypes: 18 17 16 23 1 3.

import java.io.IOException;
import java.io.InputStream;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

import org.apache.commons.io.IOUtils;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthSchemeProvider;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.client.CookieStore;
import org.apache.http.client.HttpClient;
import org.apache.http.client.config.AuthSchemes;
import org.apache.http.client.config.CookieSpecs;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.config.Lookup;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.BasicCookieStore;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.cookie.BasicClientCookie;

实用类

public class KerberosHttpClient {
    private String principal;
    private String keyTabLocation;

    public KerberosHttpClient() {}
    public KerberosHttpClient(String principal, String keyTabLocation) {
        super();
        this.principal = principal;
        this.keyTabLocation = keyTabLocation;
    }

    public KerberosHttpClient(String principal, String keyTabLocation, String krb5Location) {
        this(principal, keyTabLocation);
        System.setProperty("java.security.krb5.conf", krb5Location);
    }

    public KerberosHttpClient(String principal, String keyTabLocation, boolean isDebug) {
        this(principal, keyTabLocation);
        if (isDebug) {
            System.setProperty("sun.security.spnego.debug", "true");
            System.setProperty("sun.security.krb5.debug", "true");
        }
    }

    public KerberosHttpClient(String principal, String keyTabLocation, String krb5Location, boolean isDebug) {
        this(principal, keyTabLocation, isDebug);        
        System.setProperty("java.security.krb5.conf", krb5Location);
    }

    private static HttpClient buildSpengoHttpClient() {
        HttpClientBuilder builder = HttpClientBuilder.create();            
        Lookup<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder.<AuthSchemeProvider>create().
                register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true)).build();
        builder.setDefaultAuthSchemeRegistry(authSchemeRegistry);
        BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider();
        credentialsProvider.setCredentials(new AuthScope(null, -1, null), new Credentials() {
            @Override
            public Principal getUserPrincipal() {
                return null;
            }
            @Override
            public String getPassword() {
                return null;
            }
        });
        builder.setDefaultCredentialsProvider(credentialsProvider);        
        CloseableHttpClient httpClient = builder.build();
        return httpClient;
    }

    public HttpResponse callRestUrl(final String url,final String userId) {
        //keyTabLocation = keyTabLocation.substring("file://".length());
        System.out.println(String.format("Calling KerberosHttpClient %s %s %s",this.principal, this.keyTabLocation, url));
        Configuration config = new Configuration() {
            @SuppressWarnings("serial")
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>() {
                            {
                                put("useTicketCache", "false");
                                put("useKeyTab", "true");
                                put("keyTab", keyTabLocation);
                                //Krb5 in GSS API needs to be refreshed so it does not throw the error
                                //Specified version of key is not available
                                put("refreshKrb5Config", "true");
                                put("principal", principal);
                                put("storeKey", "true");
                                put("doNotPrompt", "true");
                                put("isInitiator", "true");
                                put("debug", "true");
                            }
                        }) };
            }
        };
        Set<Principal> princ = new HashSet<Principal>(1);
        princ.add(new KerberosPrincipal(userId));
        Subject sub = new Subject(false, princ, new HashSet<Object>(), new HashSet<Object>());
        try {
            LoginContext lc = new LoginContext("", sub, null, config);
            lc.login();
            Subject serviceSubject = lc.getSubject();
            return Subject.doAs(serviceSubject, new PrivilegedAction<HttpResponse>() {
                HttpResponse httpResponse = null;
                @Override
                public HttpResponse run() {
                    try {    
                        HttpUriRequest request = new HttpGet(url);
                        HttpClient spnegoHttpClient = buildSpengoHttpClient();
                        httpResponse = spnegoHttpClient.execute(request);
                                                return httpResponse;
                    } catch (IOException ioe) {
                        ioe.printStackTrace();
                    }
                    return httpResponse;
                }
            });
        } catch (Exception le) {
            le.printStackTrace();;
        }
        return null;
    }

    public static void main(String[] args) throws UnsupportedOperationException, IOException {
        KerberosHttpClient restTest = new KerberosHttpClient("HTTP/test@test.com",
                "file://C://Development//test.keytab", true);
        HttpResponse response = restTest.callRestUrl("http://test.com/service/employees",
                "HTTP/test@test.com");
        InputStream is = response.getEntity().getContent();
        System.out.println("Status code " + response.getStatusLine().getStatusCode());
        System.out.println(Arrays.deepToString(response.getAllHeaders()));
        System.out.println(new String(IOUtils.toByteArray(is), "UTF-8"));
    }
}

Answer 3

我有同样的问题，只是找到了你的帖子。 我为它添加了书签，以便在我修复它时发布答案。 我发布了一个链接到我的问题，有人回答了这个问题，所以如果有人通过Google发现这个问题，他们会找到答案：

当URL具有端口时，HttpClient在为AD创建SPN时出现问题。

在这里查看我的问题+答案： HttpClient检查Kerberos安全网页。 NTLM登录无效