spring-security-kerberos can't read the keytab?

Posted 2024-11-09 23:05:05, 2178 characters, 2 views, 0 comments

I'm trying to follow this tutorial for spring-security-kerberos.
I have a keytab with one principal in it:

ktutil:  rkt http-web.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 HTTP/[email protected]

This keytab was generated on the Win 2k8 domain controller with this command:

ktpass /out http-web.keytab /mapuser [email protected] /princ HTTP/[email protected] /pass *

which was copied over to the test web server used in spnego.xml:

<bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
  <property name="servicePrincipal" value="HTTP/[email protected]" />
  <property name="keyTabLocation" value="/WEB-INF/http-web.keytab" />
  <property name="debug" value="true" />
</bean>

but fails to find the principal:

Key for the principal HTTP/[email protected] not available in 
jndi:/localhost/spring-security-kerberos-sample-1.0.0.CI-SNAPSHOT/WEB-INF/http-web.keytab
            [Krb5LoginModule] authentication failed 
Unable to obtain password from user

I have tried joining the web server (CentOS 5.5, Tomcat 6) to the AD WAD.ENG.HYTRUST.COM and can log in using AD credentials and then using a principal from /etc/krb5.keytab just to see if it can be read... same response. I also tried lots of variants on uppercasing and lowercasing the names.

PS: checked it out from git this morning.

Comments (3)

蓝海似她心 2024-11-16 23:05:05

There're several mistakes that lead to "Unable to obtain password from user":

  1. incorrectly specified location of keytab file (just like @jasop
    pointed out); it should be something like
    classpath:http-web.keytab or file:c:/http-web.keytab
  2. incorrectly specified principal name (i.e., principal name that
    doesn't match the actual one, for which keytab file was generated)
  3. white spaces in a keytab file path (not sure if this has ever been
    fixed); saw complaints in comments on the SPRING SECURITY KERBEROS/SPNEGO EXTENSION SpringSource blog entry, and received evidence on my dev environment (Windows 7 / Java 6): the absolute path must be considered at all times (even if the keytab is referenced by classpath with no spaces)

蝶…霜飞 2024-11-16 23:05:05

I had the exact same issue.

The problem is your "keyTabLocation" setting.
You cannot set it to /WEB-INF/http-web.keytab

You need to set it to something on the file path or classpath.

For instance, I put my file on the classpath and made this setting:

    <property name="keyTabLocation" value="classpath:http-web.keytab" />

治碍 2024-11-16 23:05:05

Key for the principal HTTP/[email protected] not available in

We just stumbled over this error when trying to work with a SASL+Kerberos client trying to authenticate against Kafka brokers. The problem was that their JVM did not support advanced encryption ciphers so the key could not be read from the keytab and was silently ignored.

The solution was to upgrade their Java version since modern >= Java8 versions support AES256 and other more advanced ciphers.

We used the following Java code to test for AES:

/* Test to see if the current JVM supports AES > 128 */
public class UnlimitedSupportJCE {
    public static void main(final String[] args) {
        int strength = 0;
        try {
            strength = javax.crypto.Cipher.getMaxAllowedKeyLength("AES");
        } catch (java.security.NoSuchAlgorithmException e) {
            System.out.println("isUnlimitedSupported=FALSE");
        }
        if (strength > 128) {
            System.out.println("AES cipher strength is " + strength);
        } else {
            // probably not good enough for many kerberos keys
            System.out.println("Warning: AES cipher strength is only "+strength);
        }
    }
}
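Two of the failure modes discussed in this thread, a servicePrincipal that does not match what ktpass actually wrote into the keytab (first answer, point 2, and the case variants the asker tried) and a key whose encryption type the JVM cannot use (third answer), can both be seen in the keytab file itself, before Spring or the JVM are involved. The script below is an added example and is not code from the question, the answers or the spring-security-kerberos project. It parses the MIT keytab format (the version 0x0502 layout that ktutil, ktpass and klist all write and read), lists every entry with its kvno and encryption type, much like `klist -kte` does, and then classifies the mismatch against the configured service principal. The principal HTTP/web.example.test@EXAMPLE.TEST, the kvno and the all-zero key bytes are constructed placeholders, and the `jvm_enctypes` parameter stands in for whatever the answer's Java snippet establishes about the running JVM (a JVM capped at 128-bit AES cannot use aes256-cts-hmac-sha1-96 keys, which is exactly the "silently ignored" key the third answer describes).

```python
"""Inspect an MIT keytab (version 0x0502) and explain why a service principal
lookup may fail. Added example; the sample keytab is built in-process and its
key material is a zero-byte placeholder."""
import struct

# IANA Kerberos encryption type numbers (subset) and their usual names.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}


def _counted(data, pos):
    """Read a keytab counted_octet_string: uint16 length followed by the bytes."""
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode("utf-8"), pos + n


def build_entry(principal, realm, kvno, enctype, key):
    """Encode one version-2 keytab entry (all fields big-endian). Used only to
    construct the sample keytab for this example; real ones come from ktpass/ktutil."""
    components = principal.split("/")
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in components:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">I", 1)             # name_type: KRB5_NT_PRINCIPAL
    body += struct.pack(">I", 0)             # timestamp (constructed value)
    body += struct.pack(">B", kvno & 0xFF)   # 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)          # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    """Assemble a 0x0502 keytab from (principal, realm, kvno, enctype, key) tuples."""
    return b"\x05\x02" + b"".join(build_entry(*e) for e in entries)


def parse_keytab(data):
    """Return [(principal, realm, kvno, enctype), ...] for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("expected MIT keytab version 0x0502 header")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # a negative size marks a deleted slot: skip the hole
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        pos += 8                # skip name_type and timestamp
        kvno = data[pos]
        pos += 1
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4 + keylen       # step over the key; never copy it out
        if end - pos >= 4:      # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(("/".join(comps), realm, kvno, enctype))
    return entries


def diagnose(entries, service_principal, jvm_enctypes):
    """Classify a 'Key for the principal ... not available' failure.
    service_principal is the servicePrincipal value ('name@REALM');
    jvm_enctypes is the set of enctype numbers the JVM can actually use."""
    name, _, realm = service_principal.rpartition("@")
    exact = [e for e in entries if e[0] == name and e[1] == realm]
    if not exact:
        wanted = service_principal.lower()
        near = [f"{e[0]}@{e[1]}" for e in entries if f"{e[0]}@{e[1]}".lower() == wanted]
        if near:                # same name, different letter case: check ktpass /princ
            return ("CASE_MISMATCH", near[0])
        return ("NOT_FOUND", service_principal)
    if not any(e[3] in jvm_enctypes for e in exact):
        return ("ENCTYPE_UNSUPPORTED", [ENCTYPE_NAMES.get(e[3], str(e[3])) for e in exact])
    return ("OK", max(e[2] for e in exact))


# Constructed sample: one principal, kvno 3, a single AES-256 key (zero placeholder bytes).
SAMPLE_KEYTAB = build_keytab([("HTTP/web.example.test", "EXAMPLE.TEST", 3, 18, bytes(32))])

if __name__ == "__main__":
    found = parse_keytab(SAMPLE_KEYTAB)
    for principal, realm, kvno, enctype in found:
        print(f"{kvno:>4} {principal}@{realm} ({ENCTYPE_NAMES.get(enctype, enctype)})")
    print(diagnose(found, "HTTP/web.example.test@example.test", {17, 18, 23}))
    print(diagnose(found, "HTTP/web.example.test@EXAMPLE.TEST", {17, 23}))
    print(diagnose(found, "HTTP/web.example.test@EXAMPLE.TEST", {17, 18, 23}))
```

Run against a real keytab with `parse_keytab(open(path, "rb").read())`; the three calls at the bottom show a realm written in the wrong case, a JVM that lacks 256-bit AES, and the working configuration respectively. The parser deliberately skips over the key bytes instead of returning them, so the listing can be pasted into a ticket without leaking the service key.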