当客户端和服务器在同一台机器上时,Kerberos 身份验证未运行

【问题标题】:Kerberos authentication not running when client and server on same machine当客户端和服务器在同一台机器上时,Kerberos 身份验证未运行
【发布时间】:2013-07-16 08:33:36
【问题描述】:

尝试从运行 jboss 服务器的同一台机器访问应用程序时出现以下错误

  org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull       at     org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:69)        at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86)
    at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:120)         at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:48)
    at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:131)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)

    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:567)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:662)
Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: G
SSHeader did not find the right tag)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:396)
    at   org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJ

当客户端和服务器都在同一台输入代码的机器上时,有什么方法可以让它工作吗?我在Win7上使用IE9,如何确认token是NTLM而不是kerberos?

【问题讨论】:

    标签: java spring-security single-sign-on kerberos spnego


    【解决方案1】:

    在这种情况下,IE 和所有使用 SSPI 的浏览器默认发送 NTLM 令牌。

    Are the client and server on the same box?。该问题在MS's knowledge base 中进行了描述,并提供了可能的解决方案。

    【讨论】:

    • 它是用于内网应用的,不幸的是只使用了IE,有没有办法绕过身份验证?
    • 没有我所知道的。也许其他人知道得更好。
    • 我正在尝试使用 Firefox 并收到 401 错误,我正在尝试进行 kerberos 身份验证。从 Java Test 类调用时它工作正常,所以它与某些浏览器设置有关?如何配置浏览器进行 kerberose 身份验证
    • 你必须启用它,about:config > network.negotiate-auth.trusted-urisnetwork.negotiate-auth.delegation-uris
    • 感谢 Michael,进行了更改,Firefox 现在正在尝试进行身份验证,但出现与 IE 中相同的错误原因:java.security.PrivilegedActionException:GSSException:检测到有缺陷的令牌(机制级别:GSSHeader 没有找到正确的标签),是否有其他浏览器设置使其适用于 Jboss AS 在本地运行的本地主机/机器名称?
    猜你喜欢
    • 1970-01-01
    • 1970-01-01
    • 2022-10-05
    • 2011-11-04
    • 2012-08-28
    • 1970-01-01
    • 1970-01-01
    • 2023-03-18
    • 1970-01-01
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode