
Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you reuse it you must follow the CC BY-SA license, cite the original URL and attribute it to the original authors (not me). Original StackOverflow question: http://stackoverflow.com/questions/3118799/

Date: 2020-08-13 16:37:12  Source: igfitidea

Java SSO: Kerberos authentication against Active Directory

Tags: java, authentication, active-directory, single-sign-on, kerberos

Asked by MrG

I'm still trying to find a Java based solution for SSO (running on *nix), which I can use on JBoss to authorize against an Active Directory/domain controller. I initially tried to do this via NTLM, but gave up because it will be not supported on Windows Server >= 2008.


Therefore I'm trying to implement this using Kerberos, but it seems impossible to find a correct/working solution. Please point me in the right direction explaining how to set up such a configuration, how to validate against the Active Directory and/or domain controller in order to:


  1. find out if the account is valid and
  2. fetch the group list of the user

Any help is appreciated!




UPDATE

I'm working on a solution using jcifs-ext-0.9.4 and jcifs-krb5-1.3.12. I set up the web.xml as described below:


<web-app>
  <!-- servlet / servlet-mapping / welcome-file-list skipped -->

  <filter>
    <filter-name>auth</filter-name>
    <filter-class>jcifs.http.AuthenticationFilter</filter-class>

    <init-param>
      <param-name>java.security.auth.login.config</param-name>
      <param-value>/WEB-INF/login.conf</param-value>
    </init-param>

    <init-param>
      <param-name>jcifs.spnego.servicePrincipal</param-name>
      <param-value>HTTP/[email protected]</param-value>
    </init-param>

    <init-param>
      <param-name>jcifs.spnego.servicePassword</param-name>
      <param-value>supersecret</param-value>
    </init-param>

    <init-param>
      <param-name>sun.security.krb5.debug</param-name>
      <param-value>true</param-value>
    </init-param>

    <init-param>
      <param-name>java.security.krb5.realm</param-name>
      <param-value>mydomain.com</param-value>
    </init-param>

    <init-param>
      <param-name>java.security.krb5.kdc</param-name>
      <param-value>testdom01.mydomain.com </param-value>
    </init-param>

    <init-param>
      <param-name>jcifs.smb.client.domain</param-name>
      <param-value>TESTDOMAIN</param-value>
    </init-param>

    <init-param>
      <param-name>jcifs.http.enableNegotiate</param-name>
      <param-value>true</param-value>
    </init-param>

    <init-param>
      <param-name>jcifs.http.basicRealm</param-name>
      <param-value>mydomain.com</param-value>
    </init-param>

    <init-param>
      <param-name>jcifs.http.domainController</param-name>
      <param-value>testdom01.mydomain.com</param-value>
    </init-param>

  </filter>
  <filter-mapping>
    <filter-name>auth</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>

This leads to the following stacktrace if trying to access the app:


2010-07-22 15:53:10,588 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/google].[default]] Servlet.service() for servlet default threw exception
java.lang.ArrayIndexOutOfBoundsException
        at java.lang.System.arraycopy(Native Method)
        at jcifs.ntlmssp.Type2Message.toByteArray(Type2Message.java:261)
        at jcifs.spnego.Authentication.processNtlm(Authentication.java:265)
        at jcifs.spnego.Authentication.process(Authentication.java:233)
        at jcifs.http.Negotiate.authenticate(Negotiate.java:46)
        at jcifs.http.AuthenticationFilter.doFilter(AuthenticationFilter.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
        at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
        at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
        at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
        at java.lang.Thread.run(Thread.java:619)

Any help is appreciated.


Answered by Borealid

To do this, you actually need to use LDAP. Luckily for you, Java has solid support for both Kerberos and LDAP. The detailed procedure is at http://java.sun.com/products/jndi/tutorial/ldap/security/gssapi.html.


Overview of steps:


  • Authenticate to Kerberos
  • Use Kerberos to assume user identity
  • Perform GSSAPI bind to Active Directory LDAP server
  • Retrieve group list over LDAP
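The four steps in this answer carried through with JNDI, as an added example that is not from the answer or from the linked tutorial. It assumes a JAAS entry named KerberosClient backed by a keytab for the service account (so the bind uses the service's own ticket rather than a delegated user ticket), an LDAP URL such as ldap://testdom01.mydomain.com and a base DN supplied by the caller; the class and method names (AdGroupLookup, authenticate, groupsOf, escape) are mine.

```java
import java.security.PrivilegedExceptionAction;
import java.util.*;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.*;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
// Assumed JAAS entry in login.conf (passed via -Djava.security.auth.login.config):
//   KerberosClient { com.sun.security.auth.module.Krb5LoginModule required
//     useKeyTab=true storeKey=true keyTab="/etc/app.keytab" principal="HTTP/app.mydomain.com@MYDOMAIN.COM"; };
public class AdGroupLookup {
    // Step 1: authenticate to Kerberos (the KDC is the domain controller) and obtain a TGT.
    public static Subject authenticate() throws Exception {
        LoginContext lc = new LoginContext("KerberosClient");
        lc.login();
        return lc.getSubject();
    }
    // Steps 2-4: act as the Kerberos identity, GSSAPI-bind to AD, read the user's memberOf. Null = no such account.
    public static List<String> groupsOf(Subject subject, String ldapUrl, String baseDn,
                                        String samAccountName) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<List<String>>) () -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, ldapUrl);            // e.g. ldap://testdom01.mydomain.com:389
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI"); // SASL GSSAPI bind with the Kerberos ticket
            env.put("javax.security.sasl.qop", "auth-conf");   // sign and seal the LDAP session
            DirContext ctx = new InitialDirContext(env);
            try {
                SearchControls sc = new SearchControls();
                sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                sc.setReturningAttributes(new String[] {"memberOf"});
                String filter = "(&(objectClass=user)(sAMAccountName=" + escape(samAccountName) + "))";
                NamingEnumeration<SearchResult> hits = ctx.search(baseDn, filter, sc);
                if (!hits.hasMore()) return null;              // account not found: treat as invalid
                List<String> groups = new ArrayList<>();
                Attribute memberOf = hits.next().getAttributes().get("memberOf");
                for (int i = 0; memberOf != null && i < memberOf.size(); i++)
                    groups.add((String) memberOf.get(i));      // group DNs (direct membership only)
                return groups;
            } finally {
                ctx.close();
            }
        });
    }
    // RFC 4515 escaping so a caller-supplied name cannot alter the search filter (backslash first).
    static String escape(String v) {
        return v.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28")
                .replace(")", "\\29").replace("\0", "\\00");
    }
}
```

A null return answers the question's first point (the account does not exist); memberOf lists direct groups only, so nested membership needs a further lookup that this example does not perform.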

Answered by Jon Freedman

We use Jespa to handle NTLM authentication, we've tested on both Tomcat & Glassfish running on Solaris, IE & Firefox are both supported, and apparently Chrome now supports NTLM too. You will need a license for commercial use though, but I'd definitely recommend it.


Answered by Soundlink

You can use Waffle. It's free and supports Negotiate, NTLM and Kerberos. You can also check the group list of the user with it.


"WAFFLE - Windows Authentication Functional Framework (Light Edition) is a native C# and Java library that does everything Windows authentication (Negotiate, NTLM and Kerberos)."


Answered by Richard Johnson

I started writing an article as I experimented with kerberos and JBoss, the plan is to have a complete guide for beginners to set up and use kerberos with JBoss. I am not saying it's a complete answer but if you ask questions I can try to answer them and add them to the blog.


the article


Answered by shubham

If you want to debug the kerberos, AD configuration on your machine then you can download the application from the following link: https://github.com/shubham49/debugSSO. Download the application and deploy it on weblogic server. After deployment open the home page and you will encounter different tests to debug the configuration.
