您的位置: 首页  >  技术问答  >  当CAS部署时spnego身份验证停止工作

当CAS部署时spnego身份验证停止工作

分类: 技术问答 2022-09-03 19:38:50
问题描述:

我有一个正在工作的tomcat实例,其中tomcat-manager applet使用SPNEGO进行身份验证。 当我部署CAS - 配置为使用SPNEGO - 会发生以下情况:当CAS部署时spnego身份验证停止工作

  • 部署之后,无论是经理小程序和CAS工作正常
  • tomcat的重启后,他们没有工作,两个他们抛出异常(见下文)
  • 如果我取消部署CAS,经理小程序仍不能正常工作,直到tomcat的重启

我假定应用程序应该使用CAS不修改其他应用程序的行为,因此,为authenti阳离子是自愿的。如果这是真的,那么这种行为将是一个错误。如果没有,那么我会假定CAS应该取代该应用程序的身份验证,在这种情况下,它仍然是一个错误。 但是我也假设我错过了关于CAS/tomcat应该如何工作的一些重要信息。 总之:

Apr 30 08:57:03 127.0.0.1/127.0.0.1 1 2013-04-30T06:57:03.222Z tomcat http-bio-8080-exec-1 21438 192.168.1.10 - - [30/Apr/2013:06:57:03 +0000] "GET /manager/ HTTP/1.1" 302 - 
Apr 30 08:57:03 127.0.0.1/127.0.0.1 1 2013-04-30T06:57:03.301Z tomcat http-bio-8080-exec-2 21438 192.168.1.10 - - [30/Apr/2013:06:57:03 +0000] "GET /manager/html?org.apache.catalina.filters.CSRF_NONCE=146B55AA6642928501CA00F62409FCE8 HTTP/1.1" 401 2486 
Apr 30 08:57:03 127.0.0.1/127.0.0.1 1 2013-04-30T06:57:03.348Z tomcat http-bio-8080-exec-3 21438 192.168.1.10 - - [30/Apr/2013:06:57:03 +0000] "GET /manager/html?org.apache.catalina.filters.CSRF_NONCE=146B55AA6642928501CA00F62409FCE8 HTTP/1.1" 500 1000 
Apr 30 08:57:04 [email protected] Apr 30, 2013 6:57:03 AM org.apache.catalina.authenticator.SpnegoAuthenticator authenticate 
Apr 30 08:57:04 [email protected] SEVERE: Unable to login as the service principal 
Apr 30 08:57:04 [email protected] javax.security.auth.login.LoginException: No LoginModules configured for com.sun.security.jgss.krb5.accept 
Apr 30 08:57:04 [email protected] at javax.security.auth.login.LoginContext.init(LoginContext.java:273) 
Apr 30 08:57:04 [email protected] at javax.security.auth.login.LoginContext.<init>(LoginContext.java:349) 
Apr 30 08:57:04 [email protected] at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:195) 
Apr 30 08:57:04 [email protected] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544) 
Apr 30 08:57:04 [email protected] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168) 
Apr 30 08:57:04 [email protected] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98) 
Apr 30 08:57:04 [email protected] at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927) 
Apr 30 08:57:04 [email protected] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) 
Apr 30 08:57:04 [email protected] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407) 
Apr 30 08:57:04 [email protected] at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987) 
Apr 30 08:57:04 [email protected] at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579) 
Apr 30 08:57:04 [email protected] at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309) 
Apr 30 08:57:04 [email protected] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) 
Apr 30 08:57:04 [email protected] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) 
Apr 30 08:57:04 [email protected] at java.lang.Thread.run(Thread.java:722)
:试图登录到管理器小程序时,它是一个错误被报告,和/或我应该更多地了解CAS/tomcat的应该是如何工作的

异常(在哪里?)

同样与CAS:

Apr 30 08:59:58 127.0.0.1/127.0.0.1 1 2013-04-30T06:59:58.104Z tomcat http-bio-8080-exec-4 21438 192.168.1.10 - - [30/Apr/2013:06:59:58 +0000] "GET /cas/ HTTP/1.1" 302 - 
Apr 30 08:59:58 127.0.0.1/127.0.0.1 1 2013-04-30T06:59:58.937Z tomcat http-bio-8080-exec-5 21438 192.168.1.10 - - [30/Apr/2013:06:59:58 +0000] "GET /cas/login HTTP/1.1" 401 954 
Apr 30 08:59:59 [email protected] 2013-04-30 06:59:58,761 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Setting path for cookies to: /cas/> 
Apr 30 08:59:59 [email protected] jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException 
Apr 30 08:59:59 [email protected] at jcifs.spnego.Authentication.processKerberos(Authentication.java:447) 
Apr 30 08:59:59 [email protected] at jcifs.spnego.Authentication.processSpnego(Authentication.java:346) 
Apr 30 08:59:59 [email protected] at jcifs.spnego.Authentication.process(Authentication.java:235) 
Apr 30 08:59:59 [email protected] at org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler.doAuthentication(JCIFSSpnegoAuthenticationHandler.java:70) 
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate_aroundBody2(AbstractPreAndPostProcessingAuthenticationHandler.java:85) 
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate_aroundBody3$advice(AbstractPreAndPostProcessingAuthenticationHandler.java:57) 
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate(AbstractPreAndPostProcessingAuthenticationHandler.java:1) 
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticateAndObtainPrincipal(AuthenticationManagerImpl.java:93) 
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate_aroundBody0(AbstractAuthenticationManager.java:57) 
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate_aroundBody1$advice(AbstractAuthenticationManager.java:57) 
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:1) 
Apr 30 08:59:59 [email protected] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 

[... 149 more] 

Apr 30 08:59:59 [email protected] Caused by: java.lang.reflect.InvocationTargetException 
Apr 30 08:59:59 [email protected] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
Apr 30 08:59:59 [email protected] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) 
Apr 30 08:59:59 [email protected] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) 
Apr 30 08:59:59 [email protected] at java.lang.reflect.Method.invoke(Method.java:601) 
Apr 30 08:59:59 [email protected] at jcifs.spnego.Authentication$ServerAction.run(Authentication.java:511) 
Apr 30 08:59:59 [email protected] at jcifs.spnego.Authentication.processKerberos(Authentication.java:430) 
Apr 30 08:59:59 [email protected] ... 160 more 
Apr 30 08:59:59 [email protected] Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!) 
Apr 30 08:59:59 [email protected] at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:81) 
Apr 30 08:59:59 [email protected] at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:126) 
Apr 30 08:59:59 [email protected] at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:192) 
Apr 30 08:59:59 [email protected] at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:406) 
Apr 30 08:59:59 [email protected] at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60) 
Apr 30 08:59:59 [email protected] at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:153) 
Apr 30 08:59:59 [email protected] ... 166 more 
Apr 30 08:59:59 [email protected] Caused by: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication 
Apr 30 08:59:59 [email protected] at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:796) 
Apr 30 08:59:59 [email protected] at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:667) 
Apr 30 08:59:59 [email protected] at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:580) 
Apr 30 08:59:59 [email protected] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
Apr 30 08:59:59 [email protected] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) 
Apr 30 08:59:59 [email protected] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) 
Apr 30 08:59:59 [email protected] at java.lang.reflect.Method.invoke(Method.java:601) 
Apr 30 08:59:59 [email protected] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) 
Apr 30 08:59:59 [email protected] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) 
Apr 30 08:59:59 [email protected] at javax.security.auth.login.LoginContext$5.run(LoginContext.java:721) 
Apr 30 08:59:59 [email protected] at javax.security.auth.login.LoginContext$5.run(LoginContext.java:719) 
Apr 30 08:59:59 [email protected] at java.security.AccessController.doPrivileged(Native Method) 
Apr 30 08:59:59 [email protected] at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:718) 
Apr 30 08:59:59 [email protected] at javax.security.auth.login.LoginContext.login(LoginContext.java:590) 
Apr 30 08:59:59 [email protected] at sun.security.jgss.GSSUtil.login(GSSUtil.java:255) 
Apr 30 08:59:59 [email protected] at sun.security.jgss.krb5.Krb5Util.getServiceCreds(Krb5Util.java:334) 
Apr 30 08:59:59 [email protected] at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:76) 
Apr 30 08:59:59 [email protected] at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:74) 
Apr 30 08:59:59 [email protected] at java.security.AccessController.doPrivileged(Native Method) 
Apr 30 08:59:59 [email protected] at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:73) 
Apr 30 08:59:59 [email protected] ... 171 more 
Apr 30 08:59:59 [email protected] 2013-04-30 06:59:59,163 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler failed authenticating unknown> 
Apr 30 08:59:59 [email protected] 2013-04-30 06:59:59,171 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN 
Apr 30 08:59:59 [email protected] ============================================================= 
Apr 30 08:59:59 [email protected] WHO: unknown 
Apr 30 08:59:59 [email protected] WHAT: supplied credentials: unknown 
Apr 30 08:59:59 [email protected] ACTION: AUTHENTICATION_FAILED 
Apr 30 08:59:59 [email protected] APPLICATION: CAS 
Apr 30 08:59:59 [email protected] WHEN: Tue Apr 30 06:59:59 GMT 2013 
Apr 30 08:59:59 [email protected] CLIENT IP ADDRESS: 192.168.1.10 
Apr 30 08:59:59 [email protected] SERVER IP ADDRESS: 192.168.1.29 
Apr 30 08:59:59 [email protected] ============================================================= 
Apr 30 08:59:59 [email protected] > 
Apr 30 08:59:59 [email protected] 2013-04-30 06:59:59,174 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN 
Apr 30 08:59:59 [email protected] ============================================================= 
Apr 30 08:59:59 [email protected] WHO: unknown 
Apr 30 08:59:59 [email protected] WHAT: :jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException 
Apr 30 08:59:59 [email protected] ACTION: TICKET_GRANTING_TICKET_NOT_CREATED 
Apr 30 08:59:59 [email protected] APPLICATION: CAS 
Apr 30 08:59:59 [email protected] WHEN: Tue Apr 30 06:59:59 GMT 2013 
Apr 30 08:59:59 [email protected] CLIENT IP ADDRESS: 192.168.1.10 
Apr 30 08:59:59 [email protected] SERVER IP ADDRESS: 192.168.1.29 
Apr 30 08:59:59 [email protected] ============================================================= 
Apr 30 08:59:59 [email protected] >

看来你的Jaas.conf编写不当。例外

javax.security.auth.login.LoginException: No LoginModules configured for com.sun.security.jgss.krb5.accept

基本上意味着您在jaas.conf中缺少一个条目。在里面你必须写的是tomcat/conf文件夹/修改的Jaas.conf

一个模块的例子如下(此追加对现有的Jaas.conf): -

com.sun.security.jgss.krb5.accept { 
com.sun.security.auth.module.Krb5LoginModule required 
doNotPrompt=true 
principal="YOUR PRINCIPAL ASSOCIATED WITH KEYTAB" 
useKeyTab=true 
keyTab="CORRECT KEYTAB FILE" 
storeKey=true 
debug=true; 
};

这是ofcourse假设你有服务器端的密钥表。这也假设你没有在cas部署中手动指定一个自定义jaas.conf(也可以有其他一些名字)。在自定义部署的情况下,将此条目附加到自定义jaas.conf

我假设(这里我可能是错的),cas是客户端。在这种情况下,你需要在默认的jaas.conf中指定一个com.sun.security.jgss.krb5.initiate模块(我不知道它的位置或应该在哪里)。在你可以使用使用SSO(单点登录验证): -

useTicketCache=true

,并说明useKeyTab = false,这应该皮卡默认证书,并生成一个主体名称。

如果仍然有问题,给在Tomcat和CAS设备

+0

所有* conf文件的输出,我相信我的Jaas.conf是正确的。如果没有部署CAS,SPNEGO会工作。 'git diff 0a9330fd0758e6a19a6491b1e191651623408a89 - tomcat7 default/tomcat7'的输出位于http://paste.ubuntu.com/5626376/ git diff 3d44888d193d541d97d8410db1c5320fd8d734ab - share/tomcat7 *的输出位于http:// paste。 Ubuntu Linux系统。com/5626378/ – 2013-05-02 16:17:40

+0

纠缠我的是你已经在jaas领域中指定了appname作为“PortalRealm”,而你在jaas.conf中没有这样的条目。我不知道这是否会解决你的问题,但你可以尝试两件事。首先使用Portal Realm和isInitiatore = false在tomcat jaas.conf中定义一个条目。其次设置选项-Djava.security.auth.login.config =“你的路径”,要绝对确保cas在启动期间没有设置其他jaas文件 – 2013-05-05 18:21:11

+0

我想我找到了问题所在。我正在试验我的tomcat并试图重现这个问题。 JAAS领域只在客户端试图访问它时调用(在你的情况下它是cas)。用下面的格式在你的tomcat jaas.conf中写入一个条目: - PortalRealm {com.sun.security.auth.module.Krb5LoginModule required ...};并用您在接受条目中指定的相同选项填充它 – 2013-05-07 11:46:36

相关推荐