
java - Kerberos with Java

coder 2024-03-21 original

I am trying to log in to a Kerberos KDC from Java, but Java throws an exception. It seems the login succeeds, but then something stops the login. I don't know why. Does anyone have a solution for this problem? Here is my Java system output:

Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Acquire TGT from Cache
Principal is null
null credentials from Ticket Cache
                [Krb5LoginModule] user entered username: kadirb

principal is kadirb@EXAMPLE.COM
Commit Succeeded

Exception in thread "main" java.lang.Error: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)
        at KerberosTicketRetriever$TicketCreatorAction.run(KerberosTicketRetriever.java:76)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:473)
        at KerberosTicketRetriever.retrieveTicket(KerberosTicketRetriever.java:179)
        at KerberosTicketRetriever.main(KerberosTicketRetriever.java:188)
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:710)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
        at KerberosTicketRetriever$TicketCreatorAction.createTicket(KerberosTicketRetriever.java:105)
        at KerberosTicketRetriever$TicketCreatorAction.run(KerberosTicketRetriever.java:72)
        ... 4 more
Caused by: KrbException: Server not found in Kerberos database (7) - LOOKING_UP_SERVER
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73)
        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:192)
        at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:203)
        at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:311)
        at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:115)
        at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:442)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:641)
        ... 8 more
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
        at sun.security.krb5.internal.TGSRep.init(TGSRep.java:66)
        at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:61)
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
        ... 14 more
Disconnected from the target VM, address: '127.0.0.1:51126', transport: 'socket'

Process finished with exit code 1

And my Java code:

import com.sun.security.auth.callback.TextCallbackHandler;
import org.ietf.jgss.*;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.io.*;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Base64;
import java.util.Set;

/**
 * Tool to retrieve a Kerberos ticket. This one will not be stored in the Windows ticket cache.
 */
public final class KerberosTicketRetriever
{
    /** GSS-API mechanism OID for Kerberos V5. */
    private final static Oid KERB_V5_OID;
    /** Name type OID for Kerberos principal names. */
    private final static Oid KRB5_PRINCIPAL_NAME_OID;

    static {
        try
        {
            KERB_V5_OID = new Oid("1.2.840.113554.1.2.2");
            KRB5_PRINCIPAL_NAME_OID = new Oid("1.2.840.113554.1.2.2.1");
        } catch (final GSSException ex)
        {
            throw new Error(ex);
        }
    }

    /**
     * Not to be instantiated
     */
    private KerberosTicketRetriever() {}

    /**
     * Requests a service ticket for the application principal on behalf of the user principal.
     * Must be run via Subject.doAsPrivileged so that the TGT obtained by the JAAS login
     * is visible to the GSS-API.
     */
    private static class TicketCreatorAction implements PrivilegedAction<Object>
    {
        final String userPrincipal;
        final String applicationPrincipal;

        private StringBuffer outputBuffer;

        /**
         * @param userPrincipal  e.g. <tt>MuelleHA@MYFIRM.COM</tt>
         * @param applicationPrincipal  e.g. <tt>HTTP/webserver.myfirm.com</tt>
         */
        private TicketCreatorAction(final String userPrincipal, final String applicationPrincipal)
        {
            this.userPrincipal = userPrincipal;
            this.applicationPrincipal = applicationPrincipal;
        }

        private void setOutputBuffer(final StringBuffer newOutputBuffer)
        {
            outputBuffer = newOutputBuffer;
        }

        /**
         * Only calls {@link #createTicket()}
         * @return <tt>null</tt>
         */
        public Object run()
        {
            try
            {
                createTicket();
            }
            catch (final GSSException ex)
            {
                throw new Error(ex);
            }

            return null;
        }

        /**
         * Builds an initiator credential for the user, then initiates a GSS context
         * towards the application principal; the first output token is the AP-REQ
         * carrying the service ticket.
         * @throws GSSException
         */
        private void createTicket() throws GSSException
        {
            final GSSManager manager = GSSManager.getInstance();
            final GSSName clientName = manager.createName(userPrincipal, KRB5_PRINCIPAL_NAME_OID);
            final GSSCredential clientCred = manager.createCredential(clientName,
                    8 * 3600,
                    KERB_V5_OID,
                    GSSCredential.INITIATE_ONLY);

            final GSSName serverName = manager.createName(applicationPrincipal, KRB5_PRINCIPAL_NAME_OID);

            final GSSContext context = manager.createContext(serverName,
                    KERB_V5_OID,
                    clientCred,
                    GSSContext.DEFAULT_LIFETIME);
            context.requestMutualAuth(true);
            context.requestConf(false);
            context.requestInteg(true);

            // This is where the TGS-REQ for the application principal is sent to the KDC.
            final byte[] outToken = context.initSecContext(new byte[0], 0, 0);

            if (outputBuffer != null)
            {
                outputBuffer.append(String.format("Src Name: %s\n", context.getSrcName()));
                outputBuffer.append(String.format("Target  : %s\n", context.getTargName()));
                // java.util.Base64 replaces the internal sun.misc.BASE64Encoder, which is gone from newer JDKs
                outputBuffer.append(Base64.getEncoder().encodeToString(outToken));
                outputBuffer.append("\n");
            }

            context.dispose();
        }
    }

    /**
     * Logs in via JAAS (Krb5LoginModule) and then requests a ticket for the application principal.
     * @param realm e.g. <tt>MYFIRM.COM</tt>
     * @param kdc e.g. <tt>kerbserver.myfirm.com</tt>
     * @param applicationPrincipal   cf. {@link #TicketCreatorAction(String, String)}
     * @throws GSSException
     * @throws LoginException
     */
    static public String retrieveTicket(
            final String realm,
            final String kdc,
            final String applicationPrincipal)
            throws GSSException, LoginException
    {

        // create the JAAS config file
        final File jaasConfFile;
        try
        {
            jaasConfFile = File.createTempFile("jaas.conf", null);
            final PrintStream bos = new PrintStream(new FileOutputStream(jaasConfFile));
            bos.print(
                    "Krb5LoginContext { com.sun.security.auth.module.Krb5LoginModule required refreshKrb5Config=true useTicketCache=true debug=true ; };"
            );
            bos.close();
            jaasConfFile.deleteOnExit();
        }
        catch (final IOException ex)
        {
            throw new IOError(ex);
        }

        // set the properties
        System.setProperty("java.security.krb5.realm", realm);
        System.setProperty("java.security.krb5.kdc", kdc);
        System.setProperty("java.security.auth.login.config", jaasConfFile.getAbsolutePath());

        // get the Subject(), i.e. the current user under Windows
        // (TextCallbackHandler prompts on the console; DialogCallbackHandler was removed from newer JDKs)
        final Subject subject = new Subject();
        final LoginContext lc = new LoginContext("Krb5LoginContext", subject, new TextCallbackHandler());
        try {
            lc.login();
        } catch (LoginException e) {
            e.printStackTrace();
            //e = Client not found in Kerberos database (6) - CLIENT_NOT_FOUND
            System.exit(1);  // non-zero so a failed login is visible to the caller
        }

        // extract our principal
        final Set<Principal> principalSet = subject.getPrincipals();
        if (principalSet.size() != 1)
            throw new AssertionError("No or several principals: " + principalSet);
        final Principal userPrincipal = principalSet.iterator().next();

        // now try to execute the SampleAction as the authenticated Subject
        // action.run() without doAsPrivileged leads to
        //   No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
        final TicketCreatorAction action = new TicketCreatorAction(userPrincipal.getName(), applicationPrincipal);
        final StringBuffer outputBuffer = new StringBuffer();
        action.setOutputBuffer(outputBuffer);
        Subject.doAsPrivileged(lc.getSubject(), action, null);

        return outputBuffer.toString();
    }

    public static void main(final String[] args) throws Throwable
    {
        final String ticket = retrieveTicket("EXAMPLE.COM", "EXAMPLE.COM", "HTTP/webserver.myfirm.com");
        System.out.println(ticket);
    }
}

Best answer

I did not test your code, but reading the stack trace I believe the problem lies in the KDC domain. As the documentation says:

the default realm and the KDC for that realm are indicated in the Kerberos krb5.conf

Usually the KDC domain in krb5.conf is a kdc host. Example from a default Fedora installation:

[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server = kerberos.example.com
}

Clearly, you should change your kdc domain to use the host name rather than the realm name:

final String ticket = retrieveTicket("EXAMPLE.COM", "localhost", "HTTP/webserver.myfirm.com");

If you are using Kerberos on your local machine, you may need to add the option dns_lookup_kdc = false to your krb5.conf.

Regarding java - Kerberos with Java, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/17102411/
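As an added example (not code from the question or the answer above), the following Java class shows the configuration side of the fix: it reads the kdc entry for a realm out of a krb5.conf [realms] section like the one quoted in the answer, refuses a kdc value that is merely the realm name (the mistake in the question's main), probes the KDC's port 88 as a diagnostic, and only then sets the two system properties the question's code sets. The class name, the method names and the embedded krb5.conf text are constructed for this example.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.LinkedHashMap;
import java.util.Map;

/** Constructed example: pick and validate the KDC host for a realm before configuring the JDK. */
public final class KdcConfigCheck {

    /** Constructed sample modelled on the [realms] block shown in the answer. */
    static final String SAMPLE_KRB5_CONF =
            "[libdefaults]\n"
          + "    default_realm = EXAMPLE.COM\n"
          + "    dns_lookup_kdc = false\n"
          + "\n"
          + "[realms]\n"
          + "    EXAMPLE.COM = {\n"
          + "        kdc = kerberos.example.com\n"
          + "        admin_server = kerberos.example.com\n"
          + "    }\n";

    /** Returns realm -> first kdc value declared for it in the [realms] section. */
    static Map<String, String> parseRealmKdcs(String conf) throws IOException {
        Map<String, String> kdcs = new LinkedHashMap<>();
        BufferedReader reader = new BufferedReader(new StringReader(conf));
        String section = null;   // current [section]
        String realm = null;     // realm whose { ... } block we are inside
        String line;
        while ((line = reader.readLine()) != null) {
            line = line.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            if (line.startsWith("[") && line.endsWith("]")) {
                section = line.substring(1, line.length() - 1);
                realm = null;
                continue;
            }
            if (!"realms".equals(section)) continue;
            if (line.endsWith("{")) {
                realm = line.substring(0, line.indexOf('=')).trim();
            } else if (line.equals("}")) {
                realm = null;
            } else if (realm != null && line.startsWith("kdc")) {
                String value = line.substring(line.indexOf('=') + 1).trim();
                kdcs.putIfAbsent(realm, value);   // krb5.conf may list several kdc lines; keep the first
            }
        }
        return kdcs;
    }

    /** Rejects a kdc value that is really the realm name: a realm is never the KDC host itself. */
    static void requireKdcHost(String realm, String kdc) {
        if (kdc == null || kdc.isEmpty()) {
            throw new IllegalArgumentException("no kdc configured for realm " + realm);
        }
        int colon = kdc.lastIndexOf(':');
        String host = colon > 0 ? kdc.substring(0, colon) : kdc;
        if (host.equalsIgnoreCase(realm)) {
            throw new IllegalArgumentException(
                    "kdc '" + kdc + "' is the realm name, not a KDC host name");
        }
    }

    /** Diagnostic only: can a TCP connection be opened to the KDC (default port 88)? */
    static boolean kdcReachable(String kdc, int timeoutMillis) {
        String host = kdc;
        int port = 88;
        int colon = kdc.lastIndexOf(':');
        if (colon > 0) {
            host = kdc.substring(0, colon);
            port = Integer.parseInt(kdc.substring(colon + 1));
        }
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(host, port), timeoutMillis);
            return true;
        } catch (IOException | IllegalArgumentException e) {
            return false;   // unresolved host, refused or timed out
        }
    }

    /** Sets the same two system properties as the question's retrieveTicket, after validation. */
    static void configure(String realm, String kdc) {
        requireKdcHost(realm, kdc);
        System.setProperty("java.security.krb5.realm", realm);
        System.setProperty("java.security.krb5.kdc", kdc);
    }

    public static void main(String[] args) throws IOException {
        String realm = "EXAMPLE.COM";
        String kdc = parseRealmKdcs(SAMPLE_KRB5_CONF).get(realm);   // kerberos.example.com
        System.out.println("kdc for " + realm + ": " + kdc);

        try {
            requireKdcHost(realm, "EXAMPLE.COM");   // the value the question's main passes as kdc
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        configure(realm, kdc);
        // The sample host is not a real KDC, so offline this prints false; on a real network it is a quick hint.
        System.out.println("port 88 reachable: " + kdcReachable(kdc, 2000));
    }
}
```

The reachability probe is deliberately kept separate from configuration: a KDC that is unreachable over TCP may still answer over UDP, so the probe is a hint for troubleshooting, not a gate. The realm-equals-kdc check, on the other hand, catches exactly the misconfiguration the answer points out before any Kerberos traffic is sent.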
