【Question title】: spnego authentication stops working when CAS deployed
【Posted】: 2013-04-30 07:11:38
【Question】:

I have a working tomcat instance in which the tomcat-manager app authenticates via SPNEGO. When I deploy CAS, configured to use SPNEGO, the following happens:

  • After deployment, both the manager app and CAS work as expected
  • After a tomcat restart, neither of them works; both throw exceptions (see below)
  • If I undeploy CAS, the manager app still does not work until tomcat is restarted

I assume that an application should not modify the behaviour of other applications, and therefore that authenticating via CAS is voluntary. If that is true, this behaviour would be a bug. If not, I would assume that CAS is supposed to replace the applications' authentication, in which case it is still a bug. However, I also assume that I am missing some important information about how CAS/tomcat are supposed to work. In short: is this a bug that should be reported, and/or should I learn more about how CAS/tomcat are supposed to work (and where)?

The exception when trying to log in to the manager app:

Apr 30 08:57:03 127.0.0.1/127.0.0.1 1 2013-04-30T06:57:03.222Z tomcat http-bio-8080-exec-1 21438   192.168.1.10 - - [30/Apr/2013:06:57:03 +0000] "GET /manager/ HTTP/1.1" 302 -
Apr 30 08:57:03 127.0.0.1/127.0.0.1 1 2013-04-30T06:57:03.301Z tomcat http-bio-8080-exec-2 21438   192.168.1.10 - - [30/Apr/2013:06:57:03 +0000] "GET /manager/html?org.apache.catalina.filters.CSRF_NONCE=146B55AA6642928501CA00F62409FCE8 HTTP/1.1" 401 2486
Apr 30 08:57:03 127.0.0.1/127.0.0.1 1 2013-04-30T06:57:03.348Z tomcat http-bio-8080-exec-3 21438   192.168.1.10 - - [30/Apr/2013:06:57:03 +0000] "GET /manager/html?org.apache.catalina.filters.CSRF_NONCE=146B55AA6642928501CA00F62409FCE8 HTTP/1.1" 500 1000
Apr 30 08:57:04 s_catalina@tomcat Apr 30, 2013 6:57:03 AM org.apache.catalina.authenticator.SpnegoAuthenticator authenticate
Apr 30 08:57:04 s_catalina@tomcat SEVERE: Unable to login as the service principal
Apr 30 08:57:04 s_catalina@tomcat javax.security.auth.login.LoginException: No LoginModules configured for com.sun.security.jgss.krb5.accept
Apr 30 08:57:04 s_catalina@tomcat   at javax.security.auth.login.LoginContext.init(LoginContext.java:273)
Apr 30 08:57:04 s_catalina@tomcat   at javax.security.auth.login.LoginContext.<init>(LoginContext.java:349)
Apr 30 08:57:04 s_catalina@tomcat   at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:195)
Apr 30 08:57:04 s_catalina@tomcat   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
Apr 30 08:57:04 s_catalina@tomcat   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
Apr 30 08:57:04 s_catalina@tomcat   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
Apr 30 08:57:04 s_catalina@tomcat   at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
Apr 30 08:57:04 s_catalina@tomcat   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
Apr 30 08:57:04 s_catalina@tomcat   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
Apr 30 08:57:04 s_catalina@tomcat   at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)
Apr 30 08:57:04 s_catalina@tomcat   at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)
Apr 30 08:57:04 s_catalina@tomcat   at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
Apr 30 08:57:04 s_catalina@tomcat   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
Apr 30 08:57:04 s_catalina@tomcat   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
Apr 30 08:57:04 s_catalina@tomcat   at java.lang.Thread.run(Thread.java:722)

The same with CAS:

Apr 30 08:59:58 127.0.0.1/127.0.0.1 1 2013-04-30T06:59:58.104Z tomcat http-bio-8080-exec-4 21438   192.168.1.10 - - [30/Apr/2013:06:59:58 +0000] "GET /cas/ HTTP/1.1" 302 -
Apr 30 08:59:58 127.0.0.1/127.0.0.1 1 2013-04-30T06:59:58.937Z tomcat http-bio-8080-exec-5 21438   192.168.1.10 - - [30/Apr/2013:06:59:58 +0000] "GET /cas/login HTTP/1.1" 401 954
Apr 30 08:59:59 s_catalina@tomcat 2013-04-30 06:59:58,761 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Setting path for cookies to: /cas/>
Apr 30 08:59:59 s_catalina@tomcat jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException
Apr 30 08:59:59 s_catalina@tomcat   at jcifs.spnego.Authentication.processKerberos(Authentication.java:447)
Apr 30 08:59:59 s_catalina@tomcat   at jcifs.spnego.Authentication.processSpnego(Authentication.java:346)
Apr 30 08:59:59 s_catalina@tomcat   at jcifs.spnego.Authentication.process(Authentication.java:235)
Apr 30 08:59:59 s_catalina@tomcat   at org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler.doAuthentication(JCIFSSpnegoAuthenticationHandler.java:70)
Apr 30 08:59:59 s_catalina@tomcat   at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate_aroundBody2(AbstractPreAndPostProcessingAuthenticationHandler.java:85)
Apr 30 08:59:59 s_catalina@tomcat   at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate_aroundBody3$advice(AbstractPreAndPostProcessingAuthenticationHandler.java:57)
Apr 30 08:59:59 s_catalina@tomcat   at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate(AbstractPreAndPostProcessingAuthenticationHandler.java:1)
Apr 30 08:59:59 s_catalina@tomcat   at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticateAndObtainPrincipal(AuthenticationManagerImpl.java:93)
Apr 30 08:59:59 s_catalina@tomcat   at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate_aroundBody0(AbstractAuthenticationManager.java:57)
Apr 30 08:59:59 s_catalina@tomcat   at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate_aroundBody1$advice(AbstractAuthenticationManager.java:57)
Apr 30 08:59:59 s_catalina@tomcat   at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:1)
Apr 30 08:59:59 s_catalina@tomcat   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

[... 149 more]

Apr 30 08:59:59 s_catalina@tomcat Caused by: java.lang.reflect.InvocationTargetException
Apr 30 08:59:59 s_catalina@tomcat   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Apr 30 08:59:59 s_catalina@tomcat   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
Apr 30 08:59:59 s_catalina@tomcat   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Apr 30 08:59:59 s_catalina@tomcat   at java.lang.reflect.Method.invoke(Method.java:601)
Apr 30 08:59:59 s_catalina@tomcat   at jcifs.spnego.Authentication$ServerAction.run(Authentication.java:511)
Apr 30 08:59:59 s_catalina@tomcat   at jcifs.spnego.Authentication.processKerberos(Authentication.java:430)
Apr 30 08:59:59 s_catalina@tomcat   ... 160 more
Apr 30 08:59:59 s_catalina@tomcat Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
Apr 30 08:59:59 s_catalina@tomcat   at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:81)
Apr 30 08:59:59 s_catalina@tomcat   at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:126)
Apr 30 08:59:59 s_catalina@tomcat   at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:192)
Apr 30 08:59:59 s_catalina@tomcat   at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:406)
Apr 30 08:59:59 s_catalina@tomcat   at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
Apr 30 08:59:59 s_catalina@tomcat   at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:153)
Apr 30 08:59:59 s_catalina@tomcat   ... 166 more
Apr 30 08:59:59 s_catalina@tomcat Caused by: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication 
Apr 30 08:59:59 s_catalina@tomcat   at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:796)
Apr 30 08:59:59 s_catalina@tomcat   at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:667)
Apr 30 08:59:59 s_catalina@tomcat   at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:580)
Apr 30 08:59:59 s_catalina@tomcat   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Apr 30 08:59:59 s_catalina@tomcat   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
Apr 30 08:59:59 s_catalina@tomcat   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Apr 30 08:59:59 s_catalina@tomcat   at java.lang.reflect.Method.invoke(Method.java:601)
Apr 30 08:59:59 s_catalina@tomcat   at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
Apr 30 08:59:59 s_catalina@tomcat   at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
Apr 30 08:59:59 s_catalina@tomcat   at javax.security.auth.login.LoginContext$5.run(LoginContext.java:721)
Apr 30 08:59:59 s_catalina@tomcat   at javax.security.auth.login.LoginContext$5.run(LoginContext.java:719)
Apr 30 08:59:59 s_catalina@tomcat   at java.security.AccessController.doPrivileged(Native Method)
Apr 30 08:59:59 s_catalina@tomcat   at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:718)
Apr 30 08:59:59 s_catalina@tomcat   at javax.security.auth.login.LoginContext.login(LoginContext.java:590)
Apr 30 08:59:59 s_catalina@tomcat   at sun.security.jgss.GSSUtil.login(GSSUtil.java:255)
Apr 30 08:59:59 s_catalina@tomcat   at sun.security.jgss.krb5.Krb5Util.getServiceCreds(Krb5Util.java:334)
Apr 30 08:59:59 s_catalina@tomcat   at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:76)
Apr 30 08:59:59 s_catalina@tomcat   at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:74)
Apr 30 08:59:59 s_catalina@tomcat   at java.security.AccessController.doPrivileged(Native Method)
Apr 30 08:59:59 s_catalina@tomcat   at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:73)
Apr 30 08:59:59 s_catalina@tomcat   ... 171 more
Apr 30 08:59:59 s_catalina@tomcat 2013-04-30 06:59:59,163 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler failed authenticating unknown>
Apr 30 08:59:59 s_catalina@tomcat 2013-04-30 06:59:59,171 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
Apr 30 08:59:59 s_catalina@tomcat =============================================================
Apr 30 08:59:59 s_catalina@tomcat WHO: unknown
Apr 30 08:59:59 s_catalina@tomcat WHAT: supplied credentials: unknown
Apr 30 08:59:59 s_catalina@tomcat ACTION: AUTHENTICATION_FAILED
Apr 30 08:59:59 s_catalina@tomcat APPLICATION: CAS
Apr 30 08:59:59 s_catalina@tomcat WHEN: Tue Apr 30 06:59:59 GMT 2013
Apr 30 08:59:59 s_catalina@tomcat CLIENT IP ADDRESS: 192.168.1.10
Apr 30 08:59:59 s_catalina@tomcat SERVER IP ADDRESS: 192.168.1.29
Apr 30 08:59:59 s_catalina@tomcat =============================================================
Apr 30 08:59:59 s_catalina@tomcat >
Apr 30 08:59:59 s_catalina@tomcat 2013-04-30 06:59:59,174 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
Apr 30 08:59:59 s_catalina@tomcat =============================================================
Apr 30 08:59:59 s_catalina@tomcat WHO: unknown
Apr 30 08:59:59 s_catalina@tomcat WHAT: :jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException
Apr 30 08:59:59 s_catalina@tomcat ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
Apr 30 08:59:59 s_catalina@tomcat APPLICATION: CAS
Apr 30 08:59:59 s_catalina@tomcat WHEN: Tue Apr 30 06:59:59 GMT 2013
Apr 30 08:59:59 s_catalina@tomcat CLIENT IP ADDRESS: 192.168.1.10
Apr 30 08:59:59 s_catalina@tomcat SERVER IP ADDRESS: 192.168.1.29
Apr 30 08:59:59 s_catalina@tomcat =============================================================
Apr 30 08:59:59 s_catalina@tomcat >

【Discussion】:

    Tags: tomcat tomcat7 kerberos cas spnego


    【Solution 1】:

    It looks like your jaas.conf is written incorrectly. The exception

    javax.security.auth.login.LoginException: No LoginModules configured for com.sun.security.jgss.krb5.accept
    

    basically means that an entry is missing from your jaas.conf. You have to write/modify jaas.conf in the tomcat/conf folder.

    A sample module is as follows (append it to your existing jaas.conf):-

    com.sun.security.jgss.krb5.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        principal="YOUR PRINCIPAL ASSOCIATED WITH KEYTAB"
        useKeyTab=true
        keyTab="CORRECT KEYTAB FILE"
        storeKey=true
        debug=true;
    };
    

    This of course assumes that you have a keytab for the server side. It also assumes that you have not manually specified a custom jaas.conf (it may also have some other name) in the cas deployment. If it is a custom deployment, append this entry to the custom jaas.conf.

    I assume (and I may be wrong here) that cas is the client. In that case you need to specify a com.sun.security.jgss.krb5.initiate module in its default jaas.conf (I don't know where it is or should be located), because you can use SSO (single sign-on) with:-

    useTicketCache=true
    

    and declare useKeyTab=false; this should pick up your default credentials and produce a principal name.

    If you still have problems, please provide the output of all *.conf files in the tomcat and cas installations.

    【Comments】:

    • I believe my jaas.conf is correct. SPNEGO does work when CAS is not deployed. The output of 'git diff 0a9330fd0758e6a19a6491b1e191651623408a89 -- tomcat7 default/tomcat7' is paste.ubuntu.com/5626376 The output of git diff 3d44888d193d541d97d8410db1c5320fd8d734ab -- share/tomcat7 is
    • What bothers me is that you specify the appname as "PortalRealm" in the jaas realm, and you have no such entry in any jaas.conf. I don't know whether this will solve your problem, but there are two things you could try. First, define an entry in the tomcat jaas.conf with PortalRealm and isInitiator=false. Second, set the option -Djava.security.auth.login.config="your path" to make sure cas does not set a different jaas file during startup.
    • I think I found the problem. I was trying it on my tomcat and trying to reproduce the issue. The JAAS realm is only invoked when a client tries to access it (in your case cas). Write an entry in your tomcat jaas.conf in the following format:- PortalRealm{ com.sun.security.auth.module.Krb5LoginModule required ... }; and fill it in with the same options you specified in the accept entry.
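    The answer and the comments above between them name the JAAS entries this Tomcat needs to find at login time: com.sun.security.jgss.krb5.accept for SpnegoAuthenticator and PortalRealm for the JAAS realm (plus com.sun.security.jgss.krb5.initiate if CAS initiates). As an added example that is not part of the original thread, Tomcat or CAS, the Python script below parses a JAAS login configuration and reports, per required entry, the two conditions behind the stack traces on this page: an entry that is absent altogether (LoginContext's "No LoginModules configured for ...") and a Krb5LoginModule that has doNotPrompt=true but no principal (the promptForName failure in the CAS trace), along with the keytab options an acceptor entry needs. The two sample configurations, the principal HTTP/tomcat.example.com@EXAMPLE.COM and the keytab path are constructed placeholders, and keytab_exists is stubbed so the samples run offline.

```python
"""Sanity-check JAAS login-configuration entries used as Kerberos/SPNEGO acceptors.
Added example; not code from the original post, Tomcat or CAS."""
import re
from pathlib import Path

# JAAS syntax:  AppName { ModuleClass flag option=value ...; };
ENTRY_RE = re.compile(r"([\w.$]+)\s*\{(.*?)\}\s*;", re.S)
MODULE_RE = re.compile(r"([\w.$]+)\s+(required|requisite|sufficient|optional)\b(.*?);", re.S | re.I)
OPTION_RE = re.compile(r"(\w+)\s*=\s*(\"[^\"]*\"|'[^']*'|\S+)")


def strip_comments(text):
    """Drop /* */ and // comments, both legal in JAAS config files."""
    return re.sub(r"//[^\n]*", "", re.sub(r"/\*.*?\*/", "", text, flags=re.S))


def parse_jaas(text):
    """Return {entry_name: [{"module": cls, "flag": flag, "options": {...}}]}."""
    entries = {}
    for name, body in ENTRY_RE.findall(strip_comments(text)):
        modules = []
        for cls, flag, opts in MODULE_RE.findall(body):
            options = {k: v.strip("\"'") for k, v in OPTION_RE.findall(opts)}
            modules.append({"module": cls, "flag": flag.lower(), "options": options})
        entries[name] = modules
    return entries


def _is_true(options, key, default="false"):
    return options.get(key, default).lower() == "true"


def check_acceptor_entries(text, required, keytab_exists=Path.exists):
    """Return a list of problems; [] means every entry in `required` is usable
    as a keytab-based Kerberos acceptor (the service side)."""
    entries, problems = parse_jaas(text), []
    for name in required:
        modules = entries.get(name)
        if not modules:  # LoginContext: "No LoginModules configured for <name>"
            problems.append(f"{name}: no LoginModules configured")
            continue
        krb5 = [m for m in modules if m["module"].endswith("Krb5LoginModule")]
        if not krb5:
            problems.append(f"{name}: no Krb5LoginModule in entry")
            continue
        opts = krb5[0]["options"]
        if "principal" not in opts:
            # With doNotPrompt=true and no principal, Krb5LoginModule.promptForName()
            # fails with "Unable to obtain Princpal Name" (the CAS trace above).
            problems.append(f"{name}: principal missing")
        if not _is_true(opts, "doNotPrompt"):
            problems.append(f"{name}: doNotPrompt=true missing (a server must never prompt)")
        if not _is_true(opts, "useKeyTab"):
            problems.append(f"{name}: useKeyTab=true missing (service key comes from the keytab)")
        keytab = opts.get("keyTab")
        if not keytab:
            problems.append(f"{name}: keyTab missing")
        elif not keytab_exists(Path(keytab)):
            problems.append(f"{name}: keyTab {keytab} not found")
        if not _is_true(opts, "storeKey"):
            problems.append(f"{name}: storeKey=true missing (needed to decrypt service tickets)")
        if _is_true(opts, "isInitiator", default="true"):
            problems.append(f"{name}: isInitiator=false missing (an acceptor need not fetch a TGT)")
    return problems


# Constructed samples: the accept entry from the answer plus the PortalRealm entry
# from the comments.  Principal and keytab path are placeholders, not real values.
SAMPLE_OK = """
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true principal="HTTP/tomcat.example.com@EXAMPLE.COM"
    useKeyTab=true keyTab="/etc/tomcat7/tomcat.keytab" storeKey=true isInitiator=false;
};
PortalRealm {   // the realm's appName; same options as the accept entry
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true principal="HTTP/tomcat.example.com@EXAMPLE.COM"
    useKeyTab=true keyTab="/etc/tomcat7/tomcat.keytab" storeKey=true isInitiator=false;
};
"""
# Broken file: no accept entry at all, and the realm entry names no principal.
SAMPLE_BROKEN = """
PortalRealm {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true useKeyTab=true keyTab="/etc/tomcat7/tomcat.keytab"
    storeKey=true isInitiator=false;
};
"""
REQUIRED = ("com.sun.security.jgss.krb5.accept", "PortalRealm")

if __name__ == "__main__":
    for label, conf in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN)):
        # keytab_exists is stubbed because the sample path is made up; drop the
        # argument to check a real jaas.conf on the Tomcat host.
        found = check_acceptor_entries(conf, REQUIRED, keytab_exists=lambda p: True)
        print(f"{label}: {found or 'OK'}")
```

    On a real host, feed it the file named by -Djava.security.auth.login.config (or tomcat/conf/jaas.conf) with the default keytab_exists, once before and once after CAS is deployed and Tomcat restarted: if the entries are present in that file and the manager app still fails with "No LoginModules configured", the JVM is reading a different configuration than the one you edited, which is the situation the second comment's -D option is meant to pin down.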