当CAS部署时spnego身份验证停止工作
问题描述:
我有一个正在工作的tomcat实例,其中tomcat-manager applet使用SPNEGO进行身份验证。 当我部署CAS - 配置为使用SPNEGO - 会发生以下情况:当CAS部署时spnego身份验证停止工作
- 部署之后,无论是经理小程序和CAS工作正常
- tomcat的重启后,他们没有工作,两个他们抛出异常(见下文)
- 如果我取消部署CAS,经理小程序仍不能正常工作,直到tomcat的重启
我假定应用程序应该使用CAS不修改其他应用程序的行为,因此,为authenti阳离子是自愿的。如果这是真的,那么这种行为将是一个错误。如果没有,那么我会假定CAS应该取代该应用程序的身份验证,在这种情况下,它仍然是一个错误。 但是我也假设我错过了关于CAS/tomcat应该如何工作的一些重要信息。 总之:
Apr 30 08:57:03 127.0.0.1/127.0.0.1 1 2013-04-30T06:57:03.222Z tomcat http-bio-8080-exec-1 21438 192.168.1.10 - - [30/Apr/2013:06:57:03 +0000] "GET /manager/ HTTP/1.1" 302 -
Apr 30 08:57:03 127.0.0.1/127.0.0.1 1 2013-04-30T06:57:03.301Z tomcat http-bio-8080-exec-2 21438 192.168.1.10 - - [30/Apr/2013:06:57:03 +0000] "GET /manager/html?org.apache.catalina.filters.CSRF_NONCE=146B55AA6642928501CA00F62409FCE8 HTTP/1.1" 401 2486
Apr 30 08:57:03 127.0.0.1/127.0.0.1 1 2013-04-30T06:57:03.348Z tomcat http-bio-8080-exec-3 21438 192.168.1.10 - - [30/Apr/2013:06:57:03 +0000] "GET /manager/html?org.apache.catalina.filters.CSRF_NONCE=146B55AA6642928501CA00F62409FCE8 HTTP/1.1" 500 1000
Apr 30 08:57:04 [email protected] Apr 30, 2013 6:57:03 AM org.apache.catalina.authenticator.SpnegoAuthenticator authenticate
Apr 30 08:57:04 [email protected] SEVERE: Unable to login as the service principal
Apr 30 08:57:04 [email protected] javax.security.auth.login.LoginException: No LoginModules configured for com.sun.security.jgss.krb5.accept
Apr 30 08:57:04 [email protected] at javax.security.auth.login.LoginContext.init(LoginContext.java:273)
Apr 30 08:57:04 [email protected] at javax.security.auth.login.LoginContext.<init>(LoginContext.java:349)
Apr 30 08:57:04 [email protected] at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:195)
Apr 30 08:57:04 [email protected] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
Apr 30 08:57:04 [email protected] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
Apr 30 08:57:04 [email protected] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
Apr 30 08:57:04 [email protected] at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
Apr 30 08:57:04 [email protected] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
Apr 30 08:57:04 [email protected] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
Apr 30 08:57:04 [email protected] at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)
Apr 30 08:57:04 [email protected] at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)
Apr 30 08:57:04 [email protected] at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
Apr 30 08:57:04 [email protected] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
Apr 30 08:57:04 [email protected] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
Apr 30 08:57:04 [email protected] at java.lang.Thread.run(Thread.java:722)
:试图登录到管理器小程序时,它是一个错误被报告,和/或我应该更多地了解CAS/tomcat的应该是如何工作的
异常(在哪里?)
同样与CAS:
Apr 30 08:59:58 127.0.0.1/127.0.0.1 1 2013-04-30T06:59:58.104Z tomcat http-bio-8080-exec-4 21438 192.168.1.10 - - [30/Apr/2013:06:59:58 +0000] "GET /cas/ HTTP/1.1" 302 -
Apr 30 08:59:58 127.0.0.1/127.0.0.1 1 2013-04-30T06:59:58.937Z tomcat http-bio-8080-exec-5 21438 192.168.1.10 - - [30/Apr/2013:06:59:58 +0000] "GET /cas/login HTTP/1.1" 401 954
Apr 30 08:59:59 [email protected] 2013-04-30 06:59:58,761 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Setting path for cookies to: /cas/>
Apr 30 08:59:59 [email protected] jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException
Apr 30 08:59:59 [email protected] at jcifs.spnego.Authentication.processKerberos(Authentication.java:447)
Apr 30 08:59:59 [email protected] at jcifs.spnego.Authentication.processSpnego(Authentication.java:346)
Apr 30 08:59:59 [email protected] at jcifs.spnego.Authentication.process(Authentication.java:235)
Apr 30 08:59:59 [email protected] at org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler.doAuthentication(JCIFSSpnegoAuthenticationHandler.java:70)
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate_aroundBody2(AbstractPreAndPostProcessingAuthenticationHandler.java:85)
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate_aroundBody3$advice(AbstractPreAndPostProcessingAuthenticationHandler.java:57)
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate(AbstractPreAndPostProcessingAuthenticationHandler.java:1)
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticateAndObtainPrincipal(AuthenticationManagerImpl.java:93)
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate_aroundBody0(AbstractAuthenticationManager.java:57)
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate_aroundBody1$advice(AbstractAuthenticationManager.java:57)
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:1)
Apr 30 08:59:59 [email protected] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[... 149 more]
Apr 30 08:59:59 [email protected] Caused by: java.lang.reflect.InvocationTargetException
Apr 30 08:59:59 [email protected] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Apr 30 08:59:59 [email protected] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
Apr 30 08:59:59 [email protected] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Apr 30 08:59:59 [email protected] at java.lang.reflect.Method.invoke(Method.java:601)
Apr 30 08:59:59 [email protected] at jcifs.spnego.Authentication$ServerAction.run(Authentication.java:511)
Apr 30 08:59:59 [email protected] at jcifs.spnego.Authentication.processKerberos(Authentication.java:430)
Apr 30 08:59:59 [email protected] ... 160 more
Apr 30 08:59:59 [email protected] Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
Apr 30 08:59:59 [email protected] at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:81)
Apr 30 08:59:59 [email protected] at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:126)
Apr 30 08:59:59 [email protected] at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:192)
Apr 30 08:59:59 [email protected] at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:406)
Apr 30 08:59:59 [email protected] at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
Apr 30 08:59:59 [email protected] at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:153)
Apr 30 08:59:59 [email protected] ... 166 more
Apr 30 08:59:59 [email protected] Caused by: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication
Apr 30 08:59:59 [email protected] at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:796)
Apr 30 08:59:59 [email protected] at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:667)
Apr 30 08:59:59 [email protected] at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:580)
Apr 30 08:59:59 [email protected] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Apr 30 08:59:59 [email protected] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
Apr 30 08:59:59 [email protected] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Apr 30 08:59:59 [email protected] at java.lang.reflect.Method.invoke(Method.java:601)
Apr 30 08:59:59 [email protected] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
Apr 30 08:59:59 [email protected] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
Apr 30 08:59:59 [email protected] at javax.security.auth.login.LoginContext$5.run(LoginContext.java:721)
Apr 30 08:59:59 [email protected] at javax.security.auth.login.LoginContext$5.run(LoginContext.java:719)
Apr 30 08:59:59 [email protected] at java.security.AccessController.doPrivileged(Native Method)
Apr 30 08:59:59 [email protected] at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:718)
Apr 30 08:59:59 [email protected] at javax.security.auth.login.LoginContext.login(LoginContext.java:590)
Apr 30 08:59:59 [email protected] at sun.security.jgss.GSSUtil.login(GSSUtil.java:255)
Apr 30 08:59:59 [email protected] at sun.security.jgss.krb5.Krb5Util.getServiceCreds(Krb5Util.java:334)
Apr 30 08:59:59 [email protected] at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:76)
Apr 30 08:59:59 [email protected] at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:74)
Apr 30 08:59:59 [email protected] at java.security.AccessController.doPrivileged(Native Method)
Apr 30 08:59:59 [email protected] at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:73)
Apr 30 08:59:59 [email protected] ... 171 more
Apr 30 08:59:59 [email protected] 2013-04-30 06:59:59,163 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler failed authenticating unknown>
Apr 30 08:59:59 [email protected] 2013-04-30 06:59:59,171 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
Apr 30 08:59:59 [email protected] =============================================================
Apr 30 08:59:59 [email protected] WHO: unknown
Apr 30 08:59:59 [email protected] WHAT: supplied credentials: unknown
Apr 30 08:59:59 [email protected] ACTION: AUTHENTICATION_FAILED
Apr 30 08:59:59 [email protected] APPLICATION: CAS
Apr 30 08:59:59 [email protected] WHEN: Tue Apr 30 06:59:59 GMT 2013
Apr 30 08:59:59 [email protected] CLIENT IP ADDRESS: 192.168.1.10
Apr 30 08:59:59 [email protected] SERVER IP ADDRESS: 192.168.1.29
Apr 30 08:59:59 [email protected] =============================================================
Apr 30 08:59:59 [email protected] >
Apr 30 08:59:59 [email protected] 2013-04-30 06:59:59,174 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
Apr 30 08:59:59 [email protected] =============================================================
Apr 30 08:59:59 [email protected] WHO: unknown
Apr 30 08:59:59 [email protected] WHAT: :jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException
Apr 30 08:59:59 [email protected] ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
Apr 30 08:59:59 [email protected] APPLICATION: CAS
Apr 30 08:59:59 [email protected] WHEN: Tue Apr 30 06:59:59 GMT 2013
Apr 30 08:59:59 [email protected] CLIENT IP ADDRESS: 192.168.1.10
Apr 30 08:59:59 [email protected] SERVER IP ADDRESS: 192.168.1.29
Apr 30 08:59:59 [email protected] =============================================================
Apr 30 08:59:59 [email protected] >
答
看来你的Jaas.conf编写不当。例外
javax.security.auth.login.LoginException: No LoginModules configured for com.sun.security.jgss.krb5.accept
基本上意味着您在jaas.conf中缺少一个条目。在里面你必须写的是tomcat/conf文件夹/修改的Jaas.conf
一个模块的例子如下(此追加对现有的Jaas.conf): -
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="YOUR PRINCIPAL ASSOCIATED WITH KEYTAB"
useKeyTab=true
keyTab="CORRECT KEYTAB FILE"
storeKey=true
debug=true;
};
这是ofcourse假设你有服务器端的密钥表。这也假设你没有在cas部署中手动指定一个自定义jaas.conf(也可以有其他一些名字)。在自定义部署的情况下,将此条目附加到自定义jaas.conf
我假设(这里我可能是错的),cas是客户端。在这种情况下,你需要在默认的jaas.conf中指定一个com.sun.security.jgss.krb5.initiate模块(我不知道它的位置或应该在哪里)。在你可以使用使用SSO(单点登录验证): -
useTicketCache=true
,并说明useKeyTab = false,这应该皮卡默认证书,并生成一个主体名称。
如果仍然有问题,给在Tomcat和CAS设备
所有* conf文件的输出,我相信我的Jaas.conf是正确的。如果没有部署CAS,SPNEGO会工作。 'git diff 0a9330fd0758e6a19a6491b1e191651623408a89 - tomcat7 default/tomcat7'的输出位于http://paste.ubuntu.com/5626376/ git diff 3d44888d193d541d97d8410db1c5320fd8d734ab - share/tomcat7 *的输出位于http:// paste。 Ubuntu Linux系统。com/5626378/ – 2013-05-02 16:17:40
纠缠我的是你已经在jaas领域中指定了appname作为“PortalRealm”,而你在jaas.conf中没有这样的条目。我不知道这是否会解决你的问题,但你可以尝试两件事。首先使用Portal Realm和isInitiatore = false在tomcat jaas.conf中定义一个条目。其次设置选项-Djava.security.auth.login.config =“你的路径”,要绝对确保cas在启动期间没有设置其他jaas文件 – 2013-05-05 18:21:11
我想我找到了问题所在。我正在试验我的tomcat并试图重现这个问题。 JAAS领域只在客户端试图访问它时调用(在你的情况下它是cas)。用下面的格式在你的tomcat jaas.conf中写入一个条目: - PortalRealm {com.sun.security.auth.module.Krb5LoginModule required ...};并用您在接受条目中指定的相同选项填充它 – 2013-05-07 11:46:36