从通过 kerberos keytab 进行身份验证的 java 应用程序在远程服务器上执行脚本

发布于 2024-10-10 10:33:27 字数 220 浏览 0 评论 0原文

这很可能已经得到了较早的回答，但我所有的搜索都没有给我一个明确的答案。我所拥有的是一个 Java 应用程序，当前使用 ssh 密钥在远程计算机上运行脚本并保存结果。我正在将其更改为使用密钥表的 Kerberos 身份验证。我已经设置了密钥表并使用 perl 脚本对其进行了测试。如果有人可以向我指出一些示例，告诉我如何在 Java 应用程序中使用 kerberos keytab，那将非常有帮助。

谢谢，基兰

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

那支青花 2024-10-17 10:33:27

下面是在 Java 中使用 keytab 的完整实现。

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.security.Principal;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

public class SecurityUtils {
    public static class LoginConfig extends Configuration {
        private String keyTabLocation;
        private String servicePrincipalName;
        private boolean debug;

        public LoginConfig(String keyTabLocation, String servicePrincipalName, boolean debug) {
            this.keyTabLocation = keyTabLocation;
            this.servicePrincipalName = servicePrincipalName;
            this.debug = debug;
        }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            HashMap<String, String> options = new HashMap<String, String>();
            options.put("useKeyTab", "true");
            options.put("keyTab", this.keyTabLocation);
            options.put("principal", this.servicePrincipalName);
            options.put("storeKey", "true");
            options.put("doNotPrompt", "true");
            if (this.debug) {
                options.put("debug", "true");
            }
            options.put("isInitiator", "false");

            return new AppConfigurationEntry[]{new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options),};
        }
    }

    public static Subject loginAs(String keyTabLocation, String servicePrincipal) {
        try {
            LoginConfig loginConfig = new LoginConfig(keyTabLocation, servicePrincipal, true);
            Set<Principal> princ = new HashSet<Principal>(1);
            princ.add(new KerberosPrincipal(servicePrincipal));
            Subject sub = new Subject(false, princ, new HashSet<Object>(), new HashSet<Object>());
            LoginContext lc;
            lc = new LoginContext("", sub, null, loginConfig);
            lc.login();
            return lc.getSubject();
        } catch (LoginException e) {
            e.printStackTrace();
        }
        return null;
    }
}

loginAs 方法将返回一个可用于执行特权操作的主题：

result = Subject.doAs(subject,
        new PrivilegedExceptionAction<NamingEnumeration<SearchResult>>() {
            public NamingEnumeration<SearchResult> run() throws NamingException {
                return context.search(directoryBase, filterBuilder.toString(), searchCtls);
            }
        });

Here's a full implementation of using a keytab in Java.

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.security.Principal;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

public class SecurityUtils {
    public static class LoginConfig extends Configuration {
        private String keyTabLocation;
        private String servicePrincipalName;
        private boolean debug;

        public LoginConfig(String keyTabLocation, String servicePrincipalName, boolean debug) {
            this.keyTabLocation = keyTabLocation;
            this.servicePrincipalName = servicePrincipalName;
            this.debug = debug;
        }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            HashMap<String, String> options = new HashMap<String, String>();
            options.put("useKeyTab", "true");
            options.put("keyTab", this.keyTabLocation);
            options.put("principal", this.servicePrincipalName);
            options.put("storeKey", "true");
            options.put("doNotPrompt", "true");
            if (this.debug) {
                options.put("debug", "true");
            }
            options.put("isInitiator", "false");

            return new AppConfigurationEntry[]{new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options),};
        }
    }

    public static Subject loginAs(String keyTabLocation, String servicePrincipal) {
        try {
            LoginConfig loginConfig = new LoginConfig(keyTabLocation, servicePrincipal, true);
            Set<Principal> princ = new HashSet<Principal>(1);
            princ.add(new KerberosPrincipal(servicePrincipal));
            Subject sub = new Subject(false, princ, new HashSet<Object>(), new HashSet<Object>());
            LoginContext lc;
            lc = new LoginContext("", sub, null, loginConfig);
            lc.login();
            return lc.getSubject();
        } catch (LoginException e) {
            e.printStackTrace();
        }
        return null;
    }
}

The loginAs method will return you a Subject which can be used to execute a privileged action:

result = Subject.doAs(subject,
        new PrivilegedExceptionAction<NamingEnumeration<SearchResult>>() {
            public NamingEnumeration<SearchResult> run() throws NamingException {
                return context.search(directoryBase, filterBuilder.toString(), searchCtls);
            }
        });

回复收藏 0 原文

~没有更多了~