
I'm trying to set up kerberos authentication in a Java web application running in Tomcat on Linux. I'm using the spring security kerberos extension. I'm using:

  • jdk 1.7u75
  • spring-security-kerberos 1.0.0.RELEASE
  • Microsoft Active Directory

On my local development machine (Windows) everything works. But after deploying the application to a linux machine, authentication no longer works. I strongly suspect something is wrong with my Kerberos configuration:

[libdefaults]
  default_realm = INT.MYCOMPANY.DE
  ccache_type=4
  # was "kdc_tymesync", a misspelling that krb5 silently ignores
  kdc_timesync=1
  forwardable=true
  proxiable=true

[realms]
  INT.MYCOMPANY.DE = {
   admin_server = xyz.mycompany.de
   kdc = xyz.mycompany.de
   }

[domain_realm]
.INT.MYCOMPANY.DE = INT.MYCOMPANY.DE
int.mycompany.de = INT.MYCOMPANY.DE
.int.mycompany.de = INT.MYCOMPANY.DE
.mycompany.de = INT.MYCOMPANY.DE
mycompany.de = INT.MYCOMPANY.DE

[logging]
#kdc = console

(server and domain names changed)

Spring security configuration:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security.xsd
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

    <context:property-placeholder location="file:${externalPropertiesPath}/edlgui.properties" />

    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="kerberosAuthenticationProvider" />
    </authentication-manager>

    <http use-expressions="true">
        <intercept-url pattern="/login.jsp" access="permitAll" />
        <intercept-url pattern="/admin/**" access="hasRole('${edl.gui.authorization.requiredrole}')" />
        <form-login login-page="/login.jsp" username-parameter="username" password-parameter="password" default-target-url="/admin"/>
        <logout logout-url="/logout" logout-success-url="/login.jsp" />
        <http-basic />
        <access-denied-handler ref="edlGuiAccessDeniedHandler"/>
    </http>

    <beans:bean id="edlGuiAccessDeniedHandler" class="edl.security.EdlGuiAccessDeniedHandler">
        <beans:constructor-arg value="/login.jsp"/>
    </beans:bean>

    <beans:bean id="kerberosAuthenticationProvider" class="org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider">
        <beans:property name="kerberosClient">
            <beans:bean class="org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient">
                <beans:property name="debug" value="false" />
            </beans:bean>
        </beans:property>
        <!-- TODO replace dummy user service -->
        <beans:property name="userDetailsService" ref="ldapUserDetailsService" />
    </beans:bean>

    <beans:bean class="org.springframework.security.kerberos.authentication.sun.GlobalSunJaasKerberosConfig">
        <beans:property name="debug" value="false" />
        <!-- externalPropertiesPath path = /opt/pksvc/tomcat/current/conf -->
        <beans:property name="krbConfLocation" value="file:${externalPropertiesPath}/krb5.conf"/>
    </beans:bean>

    <!-- Get User Details via LDAP -->
    <!-- It would be nice to do this via Kerberos, however that requires a keytab -->
    <ldap-user-service id="ldapUserDetailsService"
        server-ref="activeDirectoryLdap"
        user-search-base="${edl.gui.ldap.usersearchbase}"
        user-search-filter="${edl.gui.ldap.usersearchfilter}"
        group-search-base="${edl.gui.ldap.groupsearchbase}"
        group-role-attribute="${edl.gui.ldap.grouproleattribute}"
        group-search-filter="${edl.gui.ldap.groupsearchfilter}"
        user-details-class="person"/>
    <ldap-server id="activeDirectoryLdap"
        url="${edl.gui.ldap.url}"
        manager-dn="${edl.gui.ldap.managerdn}"
        manager-password="${edl.gui.ldap.managerpw}"
        root="${edl.gui.ldap.root}"/>

</beans:beans>

When I try to log in, the only thing I see in the kerberos debug output is:

Java config name: file:/opt/pksvc/tomcat/current/conf/krb5.conf
getRealmFromDNS: trying mycompany.de

(I would expect to see "KrbAsReq creating message" and "KrbKdcReq send" entries)

From spring:

2015-08-04 10:07:42.986 DEBUG o.s.security.web.FilterChainProxy - /j_spring_security_check at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2015-08-04 10:07:42.986 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
2015-08-04 10:07:42.986 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@64656737. A new one will be created.
2015-08-04 10:07:42.986 DEBUG o.s.security.web.FilterChainProxy - /j_spring_security_check at position 2 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2015-08-04 10:07:42.986 DEBUG o.s.security.web.FilterChainProxy - /j_spring_security_check at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2015-08-04 10:07:42.987 DEBUG o.s.security.web.FilterChainProxy - /j_spring_security_check at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2015-08-04 10:07:42.987 DEBUG o.s.s.w.a.UsernamePasswordAuthenticationFilter - Request is to process authentication
2015-08-04 10:07:42.987 DEBUG o.s.s.authentication.ProviderManager - Authentication attempt using org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider
2015-08-04 10:07:42.987 DEBUG o.s.s.k.a.sun.SunJaasKerberosClient - Trying to authenticate KieselGun with Kerberos
2015-08-04 10:07:42.993 DEBUG o.s.s.w.a.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Kerberos authentication failed
2015-08-04 10:07:42.993 DEBUG o.s.s.w.a.UsernamePasswordAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
2015-08-04 10:07:42.993 DEBUG o.s.s.w.a.UsernamePasswordAuthenticationFilter - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@72f106b0
2015-08-04 10:07:42.993 DEBUG o.s.s.w.a.SimpleUrlAuthenticationFailureHandler - Redirecting to /login.jsp
2015-08-04 10:07:42.993 DEBUG o.s.s.web.DefaultRedirectStrategy - Redirecting to '/edl-gui/login.jsp'
2015-08-04 10:07:42.993 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2015-08-04 10:07:42.994 DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
2015-08-04 10:07:43.042 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2015-08-04 10:07:43.043 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
2015-08-04 10:07:43.043 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@64656737. A new one will be created.
2015-08-04 10:07:43.043 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 2 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2015-08-04 10:07:43.043 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2015-08-04 10:07:43.043 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2015-08-04 10:07:43.043 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2015-08-04 10:07:43.043 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2015-08-04 10:07:43.044 DEBUG o.s.s.w.s.DefaultSavedRequest - pathInfo: both null (property equals)
2015-08-04 10:07:43.044 DEBUG o.s.s.w.s.DefaultSavedRequest - queryString: both null (property equals)
2015-08-04 10:07:43.044 DEBUG o.s.s.w.s.DefaultSavedRequest - requestURI: arg1=/edl-gui/admin; arg2=/edl-gui/login.jsp (property not equals)
2015-08-04 10:07:43.044 DEBUG o.s.s.w.s.HttpSessionRequestCache - saved request doesn't match
2015-08-04 10:07:43.044 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2015-08-04 10:07:43.044 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2015-08-04 10:07:43.044 DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faa3d44: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 172.20.65.226; SessionId: F2C563CA5780A3024AE7D89390CE0AB1; Granted Authorities: ROLE_ANONYMOUS'
2015-08-04 10:07:43.044 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2015-08-04 10:07:43.044 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2015-08-04 10:07:43.045 DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2015-08-04 10:07:43.045 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/login.jsp'; against '/login.jsp'
2015-08-04 10:07:43.045 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /login.jsp; Attributes: [permitAll]
2015-08-04 10:07:43.045 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6faa3d44: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 172.20.65.226; SessionId: F2C563CA5780A3024AE7D89390CE0AB1; Granted Authorities: ROLE_ANONYMOUS
2015-08-04 10:07:43.045 DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@265c45f7, returned: 1
2015-08-04 10:07:43.045 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Authorization successful
2015-08-04 10:07:43.045 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - RunAsManager did not change Authentication object
2015-08-04 10:07:43.045 DEBUG o.s.security.web.FilterChainProxy - /login.jsp reached end of additional filter chain; proceeding with original chain
2015-08-04 10:07:43.046 DEBUG o.s.s.w.a.ExceptionTranslationFilter - Chain processed normally
2015-08-04 10:07:43.046 DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2015-08-04 10:07:43.046 DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

So it looks like the user is authenticated as anonymous, and after that I end up back on the login page because the anonymous user has no access.

Can anyone tell me what is wrong with my configuration? Or how can I analyse this further?


2 Answers


I'm not sure how the jdk's krb implementation differs between linux and win. Obviously there are some differences, because on linux the jdk will try to find the default /etc/krb5.conf location, and I can't remember right now whether there is another default location. I assume there are similar tweaks for the jdk on win. You could temporarily rename the default krb5.conf file to make sure it isn't being used (and handing you the wrong configuration).

I'm shooting in the dark here, but let's make a random guess. When I made all those samples I ran into a lot of different kinds of trouble, but in the end everything worked. At some point (on linux) I was totally lost as to whether a failure was caused by our spring-security-kerberos library or by something in the kerberos setup, and I found it very valuable to test the kerberos setup outside of the jdk. See http://docs.spring.io/spring-security-kerberos/docs/1.0.1.RELEASE/reference/htmlsingle/#troubleshooting, especially trying to connect to AD from linux with ldapsearch. You don't need to use keytabs, because if the setup is correct, kinit should let you get a ticket from AD.

One thing I had was:

[realms]
EXAMPLE.ORG = {
  kdc = WIN-EKBO0EQ7TS7.example.org:88
}

I believe I had port 88 in there for a reason; maybe there are different defaults between the linux and win jdk when it isn't defined.

Other ideas are the supported enctypes, if what AD uses differs from what the linux jdk supports. That is something you should see in the jdk's internal krb debug logs. Also, if you are able to kinit from linux against AD, klist will show the key enctypes.

answered 2015-08-05T08:33:20.650
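The procedure this answer recommends (test the Kerberos client outside the JDK, pin the KDC port, read the enctypes off the ticket), combined with the check the question's debug output calls for, as an added shell example. This is not code from the question, from either answer, or from spring-security-kerberos. It assumes MIT kinit/klist, OpenLDAP ldapsearch and nc are installed, that the KDC named in krb5.conf is an AD domain controller and therefore also answers LDAP, and that the user and file names are placeholders. The path check is there because GlobalSunJaasKerberosConfig copies its krbConfLocation string unchanged into the java.security.krb5.conf system property, and the JDK opens that value as a file system path, not as a Spring resource URL: the question's debug line "Java config name: file:/opt/pksvc/tomcat/current/conf/krb5.conf" shows the "file:" prefix reached the JDK, and the JDK only falls through to getRealmFromDNS when the configuration it loaded has no default_realm, which the posted file does define.

```shell
#!/usr/bin/env bash
# Added example, not code from the question, the answers or spring-security-kerberos.
# Assumed tools (not mentioned on the page): MIT kinit/klist, OpenLDAP ldapsearch, nc.
# Assumed layout: the KDC in krb5.conf is an AD domain controller, so it also
# answers LDAP; user and file names below are placeholders.
set -u

# The krbConfLocation string reaches the JDK verbatim as the system property
# java.security.krb5.conf, and the JDK opens it as a file system path, so a
# Spring resource prefix such as "file:" has to be removed.
java_krb5_conf_path() {
    local value=$1
    case $value in
        file://*) value=${value#file://} ;;
        file:*)   value=${value#file:} ;;
    esac
    printf '%s\n' "$value"
}

# Read one key from a krb5.conf: krb5_get FILE SECTION KEY [REALM]
# REALM selects a "NAME = { ... }" block inside [realms]. Prints nothing if absent.
krb5_get() {
    local conf=$1 section=$2 key=$3 realm=${4:-}
    awk -v sec="[$section]" -v key="$key" -v realm="$realm" '
        {
            line = $0
            sub(/[ \t]*#.*$/, "", line)                 # strip comments
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (line == "") next
        }
        line ~ /^\[/ { insec = (line == sec); inblock = 0; next }
        !insec { next }
        substr(line, length(line)) == "{" {             # a "REALM = {" line
            split(line, a, /[ \t]*=/); inblock = (a[1] == realm); next
        }
        line == "}" { inblock = 0; next }
        (realm == "" || inblock) {
            n = split(line, kv, /[ \t]*=[ \t]*/)
            if (n >= 2 && kv[1] == key) { print kv[2]; exit }
        }
    ' "$conf"
}

# "host[:port]" helpers; 88 is the Kerberos default, which the answer above
# pins explicitly in its [realms] entry.
kdc_host() { printf '%s\n' "${1%%:*}"; }
kdc_port() { case $1 in *:*) printf '%s\n' "${1##*:}" ;; *) printf '88\n' ;; esac; }

# Live checks, in the order failures are usually found. Run them as the Tomcat
# user so that the file permissions on krb5.conf are exercised as well.
#   check_kerberos_client "file:/opt/pksvc/tomcat/current/conf/krb5.conf" KieselGun
check_kerberos_client() {
    local conf realm kdc user=$2
    conf=$(java_krb5_conf_path "$1")
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    realm=$(krb5_get "$conf" libdefaults default_realm)
    kdc=$(krb5_get "$conf" realms kdc "$realm")
    [ -n "$realm" ] && [ -n "$kdc" ] || { echo "default_realm or kdc missing in $conf" >&2; return 1; }
    echo "realm=$realm kdc=$kdc"
    # 1. KDC reachable on TCP 88 (MIT tries UDP first; TCP is simpler to probe)
    nc -z -w 3 "$(kdc_host "$kdc")" "$(kdc_port "$kdc")" || { echo "KDC port closed" >&2; return 1; }
    # 2. AS exchange without the JDK: the step the question's debug log never reaches
    KRB5_CONFIG=$conf kinit "$user@$realm" || return 1
    # 3. enctypes AD issued; compare with what the JDK supports (AES-256 needs
    #    the unlimited-strength JCE policy on JDK 7)
    KRB5_CONFIG=$conf klist -e
    # 4. GSSAPI bind to the DC's LDAP with that ticket: the ldapsearch test from
    #    the spring-security-kerberos troubleshooting page linked above
    KRB5_CONFIG=$conf ldapsearch -Y GSSAPI -H "ldap://$(kdc_host "$kdc")" -b '' -s base namingContexts
}

# The live checks run only when asked for, e.g.
#   KRB_LIVE=1 KRB_CONF=file:/opt/pksvc/tomcat/current/conf/krb5.conf KRB_USER=KieselGun ./krbcheck.sh
if [ "${KRB_LIVE:-0}" = 1 ]; then
    check_kerberos_client "$KRB_CONF" "$KRB_USER"
fi
```

If step 1 or 2 fails, the problem is in the realm, KDC or network and Spring is not involved yet; if kinit succeeds but the JDK still never prints "KrbAsReq creating message", the JDK is not reading the same file, which is what the path check at the top is for.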

I found that in both my local environment on windows and in the linux environment, the krb5.conf specified in GlobalSunJaasKerberosConfig krbConfLocation (see below) is not used. Although the debug output shows this file, changes made in it have no effect. In my windows environment the kerberos configuration was set up correctly (I still don't know where; I have no krb5.ini anywhere...), in the linux environment it was not. As a result kerberos failed in the linux environment.

I managed to solve this by setting the environment variables java.security.krb5.realm and java.security.krb5.kdc (see https://blogs.oracle.com/wangwj/entry/kerberos_programming_on_windows). With these settings kerberos authentication works.

The krbConfLocation in this bean is not used:

<beans:bean class="org.springframework.security.kerberos.authentication.sun.GlobalSunJaasKerberosConfig">
    <beans:property name="debug" value="false" />
    <beans:property name="krbConfLocation" value="file:${externalPropertiesPath}/krb5.conf"/>
</beans:bean>
answered 2015-08-05T15:22:53.133
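Where those two settings go in a Tomcat deployment, as an added configuration example that is not part of the answer: the realm/KDC property pair the answer used, beside the alternative of pointing the JDK at the file with a plain path. It assumes a $CATALINA_BASE/bin/setenv.sh, the path given in the question's XML comment, and the placeholder realm and KDC from the question's krb5.conf.

```shell
# $CATALINA_BASE/bin/setenv.sh  (added example; path, realm and KDC are the
# placeholders from the question, not values the answer posted)

# Option A, what the answer did: give the JDK only the realm and the KDC.
# The JDK insists on both properties or neither, and still tries to read
# krb5.conf for everything else ([domain_realm], enctypes, ...).
CATALINA_OPTS="$CATALINA_OPTS -Djava.security.krb5.realm=INT.MYCOMPANY.DE"
CATALINA_OPTS="$CATALINA_OPTS -Djava.security.krb5.kdc=xyz.mycompany.de"

# Option B: hand the JDK the file itself as a plain path, with no "file:"
# prefix, so the whole krb5.conf applies; on its own this is enough.
#CATALINA_OPTS="$CATALINA_OPTS -Djava.security.krb5.conf=/opt/pksvc/tomcat/current/conf/krb5.conf"

# The same switch GlobalSunJaasKerberosConfig sets for debug=true; this prints
# the "KrbAsReq creating message" / "KrbKdcReq send" lines the question missed.
CATALINA_OPTS="$CATALINA_OPTS -Dsun.security.krb5.debug=true"
export CATALINA_OPTS
```

Both options make the "Java config name:" line irrelevant to the realm lookup; with option B the JDK also prints "Loaded from Java config" once it has actually parsed the file, which is the line to look for before suspecting Spring.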