Question:

Spring Security win-auth sample does not authenticate correctly: KeyTab shows as null even though the keytab file is clearly passed in and acknowledged

越琦
2023-03-14

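I have downloaded and tried to test the sec-server-win-auth sample application from the Spring Security extensions. I performed the following steps:

  1. Downloaded and built the spring-security-Kerberos-master project.
  2. Extracted sec-server-win-auth-1.0.0.build-snapshot.jar to a folder on the PROD server.
  3. Created a new application.yml in the same folder with my custom information.
  4. Created a tomcat.keytab on my test domain controller, named dc.
  5. Copied the tomcat.keytab file to my PROD server.
  6. Ran java -jar sec-server-win-auth-1.0.0.build-snapshot.jar
  7. Opened IE on a separate client, CLIENT1, and went to http://prod:8080/

At this point I see the request for the Kerberos Negotiate header and the response with that header. It says it is valid and tries to validate it, but I get the following error: "Unable to obtain password from user".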

Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is null     refreshKrb5Config is false principal is HTTP/DC.domain.local@DOMAI
N.LOCAL tryFirstPass is false useFirstPass is false storePass is false  clearPass is false
Key for the principal HTTP/DC.domain.local@DOMAIN.LOCAL not available in default key tab
                [Krb5LoginModule] authentication failed
Unable to obtain password from user

If I look further through the log stream, I can see that the keytab file is being passed in correctly from application.yml and loaded.

useKeyTab=true, keyTab=c:/kerberos/tomcat.keytab, debug=true, doNotPrompt=true}
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is c:/kerberos/tomcat.keytab refreshKrb5Config is false principal is HTTP
/DC.domain.local@DOMAIN.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal is HTTP/DC.domain.local@DOMAIN.LOCAL
Will use keytab
Commit Succeeded

I'm not sure why my keytab becomes null. Can anyone explain?

INFO 4564 --- [           main] demo.app.Application                     : Starting Application v1.0.0.BUILD-SNAPSHOT on PROD with PID 4564 (C:\kerberos\sec-server-win-auth-1.
0.0.BUILD-SNAPSHOT.jar started by tc01 in c:\kerberos)
INFO 4564 --- [           main] ationConfigEmbeddedWebApplicationContext : Refreshing org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@5
6459b78: startup date [Fri Mar 27 23 EDT 2015]; root of context hierarchy
INFO 4564 --- [           main] o.s.b.f.s.DefaultListableBeanFactory     : Overriding bean definition for bean 'beanNameViewResolver': replacing [Root bean: class [null]; scop
e=; abstract=false; lazyInit=false; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=org.springframework.boot.autoconfigure.web.ErrorMvcAutoConfiguration$White
labelErrorViewConfiguration; factoryMethodName=beanNameViewResolver; initMethodName=null; destroyMethodName=(inferred); defined in class path resource [org/springframework/boot/autoconfigure/web/Error
MvcAutoConfiguration$WhitelabelErrorViewConfiguration.class]] with [Root bean: class [null]; scope=; abstract=false; lazyInit=false; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=
false; factoryBeanName=org.springframework.boot.autoconfigure.web.WebMvcAutoConfiguration$WebMvcAutoConfigurationAdapter; factoryMethodName=beanNameViewResolver; initMethodName=null; destroyMethodName
=(inferred); defined in class path resource [org/springframework/boot/autoconfigure/web/WebMvcAutoConfiguration$WebMvcAutoConfigurationAdapter.class]]
INFO 4564 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration' of type [c
lass org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration$$EnhancerBySpringCGLIB$$c6bd8b6a] is not eligible for getting processed by all BeanPostProcessors (for example:
not eligible for auto-proxying)
INFO 4564 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'transactionAttributeSource' of type [class org.springframework.transaction.annotation.Annotati
onTransactionAttributeSource] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
INFO 4564 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'transactionInterceptor' of type [class org.springframework.transaction.interceptor.Transaction
Interceptor] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
INFO 4564 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.transaction.config.internalTransactionAdvisor' of type [class org.springfr
amework.transaction.interceptor.BeanFactoryTransactionAttributeSourceAdvisor] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
INFO 4564 --- [           main] s.b.c.e.t.TomcatEmbeddedServletContainer : Tomcat initialized with port(s): 8080 (http)
INFO 4564 --- [           main] o.apache.catalina.core.StandardService   : Starting service Tomcat
INFO 4564 --- [           main] org.apache.catalina.core.StandardEngine  : Starting Servlet Engine: Apache Tomcat/8.0.15
INFO 4564 --- [ost-startStop-1] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring embedded WebApplicationContext
INFO 4564 --- [ost-startStop-1] o.s.web.context.ContextLoader            : Root WebApplicationContext: initialization completed in 2543 ms
WARN 4564 --- [ost-startStop-1] o.s.s.e.k.SunJaasKerberosTicketValidator : Initial Keytab location is:file:/c:/kerberos/tomcat.keytab
WARN 4564 --- [ost-startStop-1] o.s.s.e.k.SunJaasKerberosTicketValidator : Your keytab starts with file:.  Stripping it from path for Java 7 compatibility. TP
WARN 4564 --- [ost-startStop-1] o.s.s.e.k.SunJaasKerberosTicketValidator : Loading Keytab file from the following path: c:/kerberos/tomcat.keytab
WARN 4564 --- [ost-startStop-1] o.s.s.e.k.SunJaasKerberosTicketValidator : loginConfig data is:{isInitiator=false, storeKey=true, principal=HTTP/DC.domain.local@DOMAIN.LOCAL,
useKeyTab=true, keyTab=c:/kerberos/tomcat.keytab, debug=true, doNotPrompt=true}
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is c:/kerberos/tomcat.keytab refreshKrb5Config is false principal is HTTP
/DC.domain.local@DOMAIN.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal is HTTP/DC.domain.local@DOMAIN.LOCAL
Will use keytab
Commit Succeeded

INFO 4564 --- [ost-startStop-1] o.s.s.e.k.c.KerberosLdapContextSource    :  URL 'ldap://DC.DOMAIN.LOCAL/', root DN is ''
DEBUG 4564 --- [ost-startStop-1] o.s.l.c.support.AbstractContextSource    : AuthenticationSource not set - using default implementation
INFO 4564 --- [ost-startStop-1] o.s.l.c.support.AbstractContextSource    : Property 'userDn' not set - anonymous context will be used for read-write operations
DEBUG 4564 --- [ost-startStop-1] o.s.l.c.support.AbstractContextSource    : Using LDAP pooling.
DEBUG 4564 --- [ost-startStop-1] o.s.l.c.support.AbstractContextSource    : Trying provider Urls: ldap://DC.DOMAIN.LOCAL/
DEBUG 4564 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'permitAll', for org.springframework.security.config.annotation
.web.configurers.PermitAllSupport$ExactUrlRequestMatcher@4f38d17a
DEBUG 4564 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'permitAll', for org.springframework.security.config.annotation
.web.configurers.PermitAllSupport$ExactUrlRequestMatcher@1b40c938
DEBUG 4564 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'permitAll', for org.springframework.security.config.annotation
.web.configurers.PermitAllSupport$ExactUrlRequestMatcher@3a5a8982
DEBUG 4564 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'permitAll', for Ant [pattern='/logout', POST]
DEBUG 4564 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'permitAll', for org.springframework.security.config.annotation
.web.configurers.PermitAllSupport$ExactUrlRequestMatcher@cbbe2cf
DEBUG 4564 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'permitAll', for Ant [pattern='/']
DEBUG 4564 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'permitAll', for Ant [pattern='/home']
DEBUG 4564 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'authenticated', for org.springframework.security.web.util.matc
her.AnyRequestMatcher@1
DEBUG 4564 --- [ost-startStop-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Validated configuration attributes
DEBUG 4564 --- [ost-startStop-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Validated configuration attributes
INFO 4564 --- [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.sprin
gframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@5c5a072a, org.springframework.security.web.context.SecurityContextPersistenceFilter@71142e50, org.springframework.securit
y.web.header.HeaderWriterFilter@709820cd, org.springframework.security.web.csrf.CsrfFilter@17fdb097, org.springframework.security.web.authentication.logout.LogoutFilter@653c5652, org.springframework.s
ecurity.web.authentication.UsernamePasswordAuthenticationFilter@6a5b07f2, org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter@1a8c85c4, org.springframework.securi
ty.web.savedrequest.RequestCacheAwareFilter@4c3d80e9, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@11e86f65, org.springframework.security.web.authentication.Anon
ymousAuthenticationFilter@7fa21479, org.springframework.security.web.session.SessionManagementFilter@40d2c946, org.springframework.security.web.access.ExceptionTranslationFilter@72b368f3, org.springfr
amework.security.web.access.intercept.FilterSecurityInterceptor@1ed5eb39]
INFO 4564 --- [ost-startStop-1] o.s.b.c.e.ServletRegistrationBean        : Mapping servlet: 'dispatcherServlet' to [/]
INFO 4564 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'characterEncodingFilter' to: [/*]
INFO 4564 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'springSecurityFilterChain' to: [/*]
INFO 4564 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'spnegoAuthenticationProcessingFilter' to: [/*]
INFO 4564 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'hiddenHttpMethodFilter' to: [/*]
DEBUG 4564 --- [ost-startStop-1] k.w.SpnegoAuthenticationProcessingFilter : Initializing filter 'spnegoAuthenticationProcessingFilter'
DEBUG 4564 --- [ost-startStop-1] k.w.SpnegoAuthenticationProcessingFilter : Filter 'spnegoAuthenticationProcessingFilter' configured successfully
DEBUG 4564 --- [ost-startStop-1] o.s.security.web.FilterChainProxy        : Initializing filter 'springSecurityFilterChain'
DEBUG 4564 --- [ost-startStop-1] o.s.security.web.FilterChainProxy        : Filter 'springSecurityFilterChain' configured successfully
INFO 4564 --- [           main] s.w.s.m.m.a.RequestMappingHandlerAdapter : Looking for @ControllerAdvice: org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWeb
ApplicationContext@56459b78: startup date [Fri Mar 27 23 EDT 2015]; root of context hierarchy
INFO 4564 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/error],methods=[],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public or
g.springframework.http.ResponseEntity<java.util.Map<java.lang.String, java.lang.Object>> org.springframework.boot.autoconfigure.web.BasicErrorController.error(javax.servlet.http.HttpServletRequest)
INFO 4564 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/error],methods=[],params=[],headers=[],consumes=[],produces=[text/html],custom=[]}" onto
public org.springframework.web.servlet.ModelAndView org.springframework.boot.autoconfigure.web.BasicErrorController.errorHtml(javax.servlet.http.HttpServletRequest)
INFO 4564 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/hello] onto handler of type [class org.springframework.web.servlet.mvc.Parameteriz
ableViewController]
INFO 4564 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/home] onto handler of type [class org.springframework.web.servlet.mvc.Parameteriza
bleViewController]
INFO 4564 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/login] onto handler of type [class org.springframework.web.servlet.mvc.Parameteriz
ableViewController]
INFO 4564 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Root mapping to handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewContro
ller]
INFO 4564 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/**] onto handler of type [class org.springframework.web.servlet.resource.ResourceH
ttpRequestHandler]
INFO 4564 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/webjars/**] onto handler of type [class org.springframework.web.servlet.resource.R
esourceHttpRequestHandler]
INFO 4564 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/**/favicon.ico] onto handler of type [class org.springframework.web.servlet.resour
ce.ResourceHttpRequestHandler]
INFO 4564 --- [           main] o.s.j.e.a.AnnotationMBeanExporter        : Registering beans for JMX exposure on startup
INFO 4564 --- [           main] s.b.c.e.t.TomcatEmbeddedServletContainer : Tomcat started on port(s): 8080 (http)
INFO 4564 --- [           main] demo.app.Application                     : Started Application in 5.523 seconds (JVM running for 6.365)
INFO 4564 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring FrameworkServlet 'dispatcherServlet'
INFO 4564 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization started
INFO 4564 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization completed in 32 ms
DEBUG 4564 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /hello at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFil
ter'
DEBUG 4564 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /hello at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFil
ter'
DEBUG 4564 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
DEBUG 4564 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
DEBUG 4564 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /hello at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG 4564 --- [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web
.header.writers.HstsHeaderWriter$SecureRequestMatcher@33baf8cf
DEBUG 4564 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /hello at position 4 of 13 in additional filter chain; firing Filter: 'CsrfFilter'
DEBUG 4564 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /hello at position 5 of 13 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG 4564 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /hello' doesn't match 'POST /logout
DEBUG 4564 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /hello at position 6 of 13 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticatio
nFilter'
DEBUG 4564 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /hello' doesn't match 'POST /login
DEBUG 4564 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /hello at position 7 of 13 in additional filter chain; firing Filter: 'SpnegoAuthenticationProcessin
gFilter'
DEBUG 4564 --- [nio-8080-exec-1] k.w.SpnegoAuthenticationProcessingFilter : Received Negotiate Header for request http://prod:8080/hello: Negotiate <token snipped>
DEBUG 4564 --- [nio-8080-exec-1] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.extensions.kerberos.KerberosServiceAuthent
icationProvider
DEBUG 4564 --- [nio-8080-exec-1] .k.KerberosServiceAuthenticationProvider : Try to validate Kerberos Token
DEBUG 4564 --- [nio-8080-exec-1] .k.KerberosServiceAuthenticationProvider : Succesfully validated spectrum@DOMAIN.LOCAL
DEBUG 4564 --- [nio-8080-exec-1] o.s.s.l.s.FilterBasedLdapUserSearch      : Searching for user 'spectrum@DOMAIN.LOCAL', with user search [ searchFilter: '(| (userPrincipalName=
{0}) (sAMAccountName={0}))', searchBase: 'CN=Users,DC=domain,DC=local', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is HTTP/DC.domain.local@DOMAI
N.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Key for the principal HTTP/DC.domain.local@DOMAIN.LOCAL not available in default key tab
                [Krb5LoginModule] authentication failed
Unable to obtain password from user

DEBUG 4564 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
DEBUG 4564 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
ERROR 4564 --- [nio-8080-exec-1] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception

org.springframework.ldap.AuthenticationException: Unable to obtain password from user
; nested exception is javax.naming.AuthenticationException: Unable to obtain password from user
 [Root exception is javax.security.auth.login.LoginException: Unable to obtain password from user
]
        at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:182)
        at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:285)
        at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:119)
        at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:138)
        at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:791)
        at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntry(SpringSecurityLdapTemplate.java:194)
        at org.springframework.security.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:116)
        at org.springframework.security.ldap.userdetails.LdapUserDetailsService.loadUserByUsername(LdapUserDetailsService.java:38)
        at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:69)
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:177)
        at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:446)
        at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:145)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:85)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:57)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
<1 - snipped ->
        at java.lang.Thread.run(Unknown Source)
Caused by: javax.naming.AuthenticationException: Unable to obtain password from user

        at org.springframework.security.extensions.kerberos.client.KerberosLdapContextSource.login(KerberosLdapContextSource.java:143)
        at org.springframework.security.extensions.kerberos.client.KerberosLdapContextSource.getDirContextInstance(KerberosLdapContextSource.java:102)
        at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:273)
        ... 51 common frames omitted
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user

        at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
        at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at javax.security.auth.login.LoginContext.invoke(Unknown Source)
        at javax.security.auth.login.LoginContext.access$000(Unknown Source)
        at javax.security.auth.login.LoginContext$4.run(Unknown Source)
        at javax.security.auth.login.LoginContext$4.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
        at javax.security.auth.login.LoginContext.login(Unknown Source)
        at org.springframework.security.extensions.kerberos.client.KerberosLdapContextSource.login(KerberosLdapContextSource.java:139)
        ... 53 common frames omitted

1 answer

鲜于允晨
2023-03-14

I see what went wrong here, and it is my mistake. The SunJaasKrb5LoginConfig in WebSecurityConfig is not created as a bean, so afterPropertiesSet() is not called, which causes what you have just reported.

  • Either manually call loginConfig.afterPropertiesSet() in WebSecurityConfig.kerberosLdapContextSource()

  • Or create SunJaasKrb5LoginConfig as a bean in the normal Spring way and let the framework call its afterPropertiesSet()

I didn't notice this problem because I have to use -Djava.security.krb5.conf=/path/to/krb5.ini in my tests, since my krb setup is complex, and there is a path to the keytab file in there.

I made a fix with https://github.com/spring-projects/spring-security-kerberos/commit/f354bc29f2c6558456cfc7fbfc84d0c1b6fd0606, please let us know whether this fixes your problem.
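
The two fixes named in the answer, written out as a Spring Java configuration. This is an added example, not code from the sample project or from the linked commit; the class name, the `app.*` property keys and the package names in the imports (taken from the 1.0.x release layout) are assumptions.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.kerberos.client.config.SunJaasKrb5LoginConfig;
import org.springframework.security.kerberos.client.ldap.KerberosLdapContextSource;

// Hypothetical configuration class; only the Kerberos/LDAP part of a
// WebSecurityConfig is shown.
@Configuration
public class KerberosLdapConfig {

    // Property keys are assumptions; use the keys from your own application.yml.
    @Value("${app.ad-server}")
    private String adServer;            // e.g. ldap://DC.DOMAIN.LOCAL/

    @Value("${app.service-principal}")
    private String servicePrincipal;    // e.g. HTTP/DC.domain.local@DOMAIN.LOCAL

    @Value("${app.keytab-location}")
    private String keytabLocation;      // e.g. c:/kerberos/tomcat.keytab

    // Fix 2 from the answer: expose the login config as a bean. The container
    // then invokes afterPropertiesSet() itself, so the JAAS options handed to
    // Krb5LoginModule include the keytab path ("KeyTab is c:/kerberos/...").
    @Bean
    public SunJaasKrb5LoginConfig loginConfig() {
        SunJaasKrb5LoginConfig loginConfig = new SunJaasKrb5LoginConfig();
        loginConfig.setKeyTabLocation(new FileSystemResource(keytabLocation));
        loginConfig.setServicePrincipal(servicePrincipal);
        loginConfig.setDebug(true);
        // The LDAP client side initiates the Kerberos exchange with the directory.
        loginConfig.setIsInitiator(true);
        return loginConfig;
    }

    // The context source receives the container-managed (initialized) instance.
    @Bean
    public KerberosLdapContextSource kerberosLdapContextSource(SunJaasKrb5LoginConfig loginConfig) {
        KerberosLdapContextSource contextSource = new KerberosLdapContextSource(adServer);
        contextSource.setLoginConfig(loginConfig);
        return contextSource;
    }

    // Fix 1 from the answer, for code that builds the object with `new` outside
    // the container: run the initialization callback by hand before first use.
    // Skipping this call reproduces the "KeyTab is null" line in the JAAS debug
    // output followed by "Unable to obtain password from user".
    static SunJaasKrb5LoginConfig unmanagedLoginConfig(String principal, String keytab)
            throws Exception {
        SunJaasKrb5LoginConfig loginConfig = new SunJaasKrb5LoginConfig();
        loginConfig.setKeyTabLocation(new FileSystemResource(keytab));
        loginConfig.setServicePrincipal(principal);
        loginConfig.setIsInitiator(true);
        loginConfig.afterPropertiesSet();
        return loginConfig;
    }
}
```

With either fix in place, the second `Debug is true ...` line in the log (the one emitted during the LDAP lookup, with `isInitiator true`) should report the keytab path instead of `KeyTab is null`.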
