spring tomcat spring-security kerberos spnego

spring - BadCredentialsException: Kerberos validation not successful




I would like to perform authentication with SPNEGO. I use:

  • spring-core-3.1.0.RELEASE.jar
  • spring-security-core-3.1.0.RELEASE.jar
  • spring-security-kerberos-core-1.0.0.M2.jar
  • Spring Core Security 3.0.7 codec package (https://jira.springsource.org/browse/SES-98)
  • Tomcat

My configuration file looks like the following. When I try to authenticate with the libraries above, I get the exception below.

Has anyone had the same problem and dealt with it?

Configuration file (taken from the Spring Kerberos sample):

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- This configuration uses SPNEGO by default, but one could also use a form if he directly goes to /login.html -->
    <sec:http entry-point-ref="spnegoEntryPoint" use-expressions="true">
        <sec:intercept-url pattern="/secure/**" access="isAuthenticated()" />
        <sec:custom-filter ref="spnegoAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
        <sec:form-login login-page="/login.html" default-target-url="/secure/index.jsp"/>
    </sec:http>

    <bean id="spnegoEntryPoint" class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />

    <bean id="spnegoAuthenticationProcessingFilter" class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>

    <sec:authentication-manager alias="authenticationManager">
        <sec:authentication-provider ref="kerberosServiceAuthenticationProvider" /> <!-- Used with SPNEGO -->
        <sec:authentication-provider user-service-ref="dummyUserDetailsService"/> <!-- Used with form login -->
    </sec:authentication-manager>

    <bean id="kerberosServiceAuthenticationProvider" class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
        <property name="ticketValidator">
            <bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
                <property name="servicePrincipal" value="HTTP/[email protected]" />
                <!-- Setting keyTabLocation to a classpath resource will most likely not work in a Java EE application Server -->
                <!-- See the Javadoc for more information on that -->
                <property name="keyTabLocation" value="file:/home/xxxxx/conf/krb5/krb5.keytab" />
                <property name="debug" value="true" />
            </bean>
        </property>
        <property name="userDetailsService" ref="dummyUserDetailsService" />
    </bean>

    <!-- This bean definition enables a very detailed Kerberos logging -->
    <bean class="org.springframework.security.extensions.kerberos.GlobalSunJaasKerberosConfig">
        <property name="debug" value="true" />
    </bean>

    <!-- Just returns the User authenticated by Kerberos and gives him the ROLE_USER -->
    <bean id="dummyUserDetailsService" class="org.springframework.security.extensions.kerberos.sample.DummyUserDetailsService" />
</beans>

Exception I got:

org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull
    at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:69)
    at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:131)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:219)
    at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:333)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
    at java.lang.Thread.run(Thread.java:722)
Caused by: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:415)
    at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)
    ... 29 more
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:778)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:871)
    at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:544)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:146)
    at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136)
    ... 32 more
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:273)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:144)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:761)
    ... 40 more


I found the problem. Spring-security-kerberos requires the path to the keytab file as a "Resource string" (details: http://static.springsource.org/spring/docs/3.0.x/reference/resources.html). When I set the path as "file:/home/xxxxx/conf/krb5/krb5.keytab", the application runs, but I think it cannot open the file later and Kerberos cannot load any keys. Unfortunately, the Kerberos logging is not very clear about it.

When I set the path as "/home/xxxxx/conf/krb5/krb5.keytab" I got the following exception:

Caused by: java.io.FileNotFoundException: ServletContext resource [/home/xxxxx/conf/krb5/krb5.keytab] cannot be resolved to URL because it does not exist

The fix for this problem can be the following correction in SunJaasKerberosTicketValidator.java:

private String keyTabLocation;
LoginConfig loginConfig = new LoginConfig(keyTabLocation, servicePrincipal, debug);

instead of:

private Resource keyTabLocation;
LoginConfig loginConfig = new LoginConfig(keyTabLocation.getURL().toExternalForm(), servicePrincipal, debug);

With this fix everything works. We can set the path to the file in the form "/home/xxxxx/conf/krb5/krb5.keytab".

If anyone knows more details about this, please write them here.
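The answer above narrows the failure down to "the keytab is never actually read, so no keys are available", while the exception text talks about a missing RC4-HMAC key. The two causes look identical from the validator's side, so it helps to inspect the keytab with the same JDK that Tomcat runs on before touching Spring's configuration. The class below is an added diagnostic, not code from the question, the answer or Spring Security Kerberos. It opens the keytab through the JDK's public `javax.security.auth.kerberos.KeyTab` API (Java 7 and later), accepts both the `file:` resource-string form and the plain path form discussed above, and reports the encryption types stored for the service principal. The keytab path is the one from the question; the principal `HTTP/host.example.com@EXAMPLE.COM` is a placeholder; `23` is the RC4-HMAC encryption type number from RFC 4757.

```java
import java.io.File;
import java.net.URI;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;

/**
 * Added diagnostic for the keytab problem discussed above (not part of the original
 * post or of Spring Security Kerberos). Distinguishes three failures that all surface
 * as "Kerberos validation not succesfull" in Spring: the file cannot be read, the file
 * has no key for the service principal, or the file has no key of the required type.
 */
public class KeytabCheck {

    /** RFC 4757 encryption type number for RC4-HMAC, the type named in the exception. */
    static final int ETYPE_RC4_HMAC = 23;

    /**
     * Accept both forms from the answer: a Spring-style "file:" resource string and a
     * plain filesystem path. The JDK KeyTab API wants a File, so a "file:" URI is
     * converted here rather than handed through as an opaque string.
     */
    static File resolveKeytab(String location) {
        if (location.startsWith("file:")) {
            return new File(URI.create(location));
        }
        return new File(location);
    }

    /** Returns the encryption type numbers stored for the principal (empty if none). */
    static int[] keyTypesFor(File keytab, String principalName) {
        KerberosPrincipal principal = new KerberosPrincipal(principalName);
        KeyTab kt = KeyTab.getInstance(keytab);          // Java 7 API; reads lazily
        KerberosKey[] keys = kt.getKeys(principal);      // empty array when absent
        int[] types = new int[keys.length];
        for (int i = 0; i < keys.length; i++) {
            types[i] = keys[i].getKeyType();
        }
        return types;
    }

    public static void main(String[] args) {
        // Defaults: keytab path from the question, placeholder principal (assumption).
        String location = args.length > 0 ? args[0] : "/home/xxxxx/conf/krb5/krb5.keytab";
        String principalName = args.length > 1 ? args[1] : "HTTP/host.example.com@EXAMPLE.COM";

        File keytab = resolveKeytab(location);
        if (!keytab.isFile() || !keytab.canRead()) {
            // The case the answer describes: the location never resolves to a readable
            // file, so the JAAS login module silently has no keys at all.
            System.err.println("keytab not readable by this process: " + keytab.getAbsolutePath());
            System.exit(1);
        }

        int[] types = keyTypesFor(keytab, principalName);
        if (types.length == 0) {
            System.err.println("no key for " + principalName + " (check principal name and realm)");
            System.exit(2);
        }

        boolean hasRc4 = false;
        for (int t : types) {
            System.out.println(principalName + " enctype=" + t);
            if (t == ETYPE_RC4_HMAC) {
                hasRc4 = true;
            }
        }
        if (!hasRc4) {
            // Matches "Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC":
            // the service ticket uses RC4-HMAC but the keytab holds no key of that type.
            System.err.println("no RC4-HMAC (etype 23) key present in keytab");
            System.exit(3);
        }
        System.out.println("keytab OK for " + principalName);
    }
}
```

Run it as the same OS user that Tomcat runs as (`java KeytabCheck file:/home/xxxxx/conf/krb5/krb5.keytab 'HTTP/host@REALM'`), since a keytab that is readable to the developer but not to the service account produces the first exit code and exactly the silent "no keys" symptom the answer describes. Exit code 3 points at the KDC side instead: the keytab was exported without the encryption type the clients negotiate, and the path fix in Spring will not change that.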


At least Java 7 is not (or my version is not) able to handle the "file:" prefix: see this link. I had to make the same modification to the Spring sources as you. Thanks, this was helpful. I lost half a week testing different configurations.