本文介绍了带Linux客户端的401 SPNEGO SSO的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
WIN-SRV2008pany.local:运行Windows Server 2008的VM KDC(硬件A)
TOMCATpany.local:运行Tomcat 7Web应用程序(硬件A)
W7-CLIENTpany.local:运行SSO的VM Windows 7客户端(硬件B)
U-CLIENTpany.local:SSO无法工作的VM Ubuntu 17.10.1客户端(硬件B)
我无法在Spnego下的Spring Security Web应用程序上将我的Ubuntu VM配置为单点登录。我做错了什么吗?还是我错过了什么?
我已经在Windows 7虚拟机上进行了SSO,所以我相信它是特定于Linux的。
下面详细介绍了我的配置。
基础设施
我有四台计算机,它们在两个不同的硬件上运行:
SPN
我的SPN、krb5.ini和login.conf基于this thread's description。
Spnego
我基本上遵循Spring Security Kerberos - Reference Documentation,只是去掉表单登录,结果是:
@Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) public class SecurityConfig extends WebSecurityConfigurerAdapter { @Value("${kerberos.service-principal}") private String servicePrincipal; @Value("${kerberos.keytab-location}") private String keytabLocation; @Override protected void configure(HttpSecurity http) throws Exception { AffirmativeBased affirmativeBased = new AffirmativeBased(Arrays.asList(new RoleVoter(),new WebExpressionVoter())); http .authorizeRequests().accessDecisionManager(affirmativeBased) .anyRequest().authenticated() .and() .httpBasic() .authenticationEntryPoint(entryPoint()) .and() .logout() .logoutRequestMatcher(new AntPathRequestMatcher("/logout")) .and() .addFilterBefore( spnegoAuthenticationProcessingFilter(authenticationManagerBean()), BasicAuthenticationFilter.class) .sessionManagement() .invalidSessionUrl("/login") .maximumSessions(1) .maxSessionsPreventsLogin(true) .sessionRegistry(sessionRegistry()); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth .authenticationProvider(kerberosAuthenticationProvider()) .authenticationProvider(kerberosServiceAuthenticationProvider()); } @Bean public SpnegoEntryPoint entryPoint() { return new SpnegoEntryPoint(); } @Bean public KerberosAuthenticationProvider kerberosAuthenticationProvider() { LoginKerberosAuthentication provider = new LoginKerberosAuthentication(); SunJaasKerberosClient client = new SunJaasKerberosClient(); client.setDebug(true); provider.setKerberosClient(client); provider.setUserDetailsService(usuarioDetailsService()); return provider; } @Bean public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter( AuthenticationManager authenticationManager) { SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter(); filter.setAuthenticationManager(authenticationManager); return filter; } @Bean public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() { KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider(); provider.setTicketValidator(sunJaasKerberosTicketValidator()); provider.setUserDetailsService(usuarioDetailsService()); return provider; } @Bean public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() { SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator(); ticketValidator.setServicePrincipal(servicePrincipal); ticketValidator.setKeyTabLocation(new FileSystemResource(keytabLocation)); ticketValidator.setDebug(true); return ticketValidator; } @Bean @Override public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } @Bean public UsuarioDetailsService usuarioDetailsService() { return new UsuarioDetailsService(); }Ubuntu客户端
要加入域,我执行了以下步骤:
sudo apt-get install realmd krb5-user software-properties-common python-software-properties packagekit sudo realm join COMPANY.local -U 'administrator@COMPANY.LOCAL' -v直到我使用以下命令生成Kerberos票证:
kinit my_ubuntu_user@COMPANY.local我实际使用klist检查了缓存,结果是:
Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: my_ubuntu_user@COMPANY.local Valid starting Expires Service principal 30/10/2018 17:25:47 31/10/2018 03:25:47 krbtgt/COMPANY.local@COMPANY.local renew until 31/10/2018 17:25:43最后,我使用:
成功进行了身份验证 sudo su my_ubuntu_user@COMPANY.localSSO-问题
当我尝试使用Firefox(使用受信任站点配置)访问我的应用程序主页时,就像我在Windows 7客户端上所做的那样,我只得到the 401 Negotiate header,并且不发送响应令牌。 这意味着,当我向SpnegoEntryPoint构造函数输入实际的url时,我会被重定向到此回退。提前谢谢您
推荐答案多亏了Samson的评论,我才能让它工作。
我确实通过执行sudo su my_ubuntu_user@COMPANY.local切换到空缓存,这使我的应用程序登录响应401。
更多推荐
带Linux客户端的401 SPNEGO SSO
发布评论