I have been trying this since last week but no luck so far.
Trying to enable single sign-on with WebLogic 12c on Windows and AD (using LDAP).
1) Created a new user and enabled AES 128 for it
2) Ran the following commands on AD
setspn -S HTTP/APPDEV2004.domain.com http_weblogic_test
confirmed the output with the command
setspn -l http_weblogic_test
output
HTTP/APPDEV2004.domain.com
HTTP/APPDEV2004
ktpass /out c:\http_weblogic_test.keytab /mapuser http_weblogic_test /princ HTTP/APPDEV2004.domain.com@DOMAIN.COM /pass <password> /ptype KRB5_NT_PRINCIPAL /crypto All
Now, when I use Kinit to check that the Kerberos ticket is generated correctly, it always fails with the exception
java -Dsun.security.krb5.debug=true
-Djava.security.krb5.conf=c:\windows\krb5.ini sun.security.krb5.internal.tools.Kinit -k
-t C:\opt\http_weblogic_test.keytab
Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid
KrbException: Pre-authentication information was invalid (24)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
... 4 more
However, it works fine when I provide the password from the command line instead of using the keytab file
java -Dsun.security.krb5.debug=true
-Djava.security.krb5.conf=c:\windows\krb5.ini sun.security.krb5.internal.tools.Kinit
KinitOptions cache name is D:\Users\ayadav\krb5cc_ayadav
KinitOptions principal name from cache is http_weblogic_test@DOAMIN.COM
Principal is http_weblogic_test@DOMAIN.COM
Password for http_weblogic_test@DOMAIN.COM:
After entering the password it goes through a number of steps and finally says
New ticket is stored in cache file D:\Users\ayadav\krb5cc_ayadav, which I believe indicates that the ticket was generated successfully; however, I am struggling to use the keytab file and need to get rid of the "Pre-authentication information was invalid (24)" error.
Update: I also used the Ktab command to generate the keytab file and am using it, but I still get the exception.
java sun.security.krb5.internal.tools.Ktab
-a http_weblogic_test@DOMAIN.COM <password>
-k c:\opt\http_weblogic_test_new.keytab
java sun.security.krb5.internal.tools.Ktab
-a APPDEV2004.domain.com@DOMAIN.COM <password>
-k c:\http_weblogic_test_new_ktab.keytab
Update: I can run Kinit successfully after updating the principal name inside krb5Login.conf to principal="HTTP/APPDEV2004.domain.com"
After deploying the test application on WebLogic I can see Kinit running and successfully generating the TGT
Excerpt of the output
principal is HTTP/APPDEV2004.oriental.com@ORIENTAL.COM
Will use keytab
Commit Succeeded
Found KeyTab http_weblogic_test.keytab for
HTTP/APPDEV2004.domain.com@DOMAIN.COM
Found ticket for HTTP/APPDEV2004.domain.com@DOMAIN.COM to go to
krbtgt/DOMAIN.COM@DOMAIN.COM expiring on Wed May 02 03:37:28 CDT 2018
I am using the following properties for the web.xml in the application
<security-constraint>
<display-name>AdminAccess</display-name>
<web-resource-collection>
<web-resource-name>AllAdminOperations</web-resource-name>
<description/>
<url-pattern>/faces/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>Admin Only Access</description>
<role-name>Admin</role-name>
</auth-constraint>
<user-data-constraint>
<description>Secured Login</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<display-name>validUser</display-name>
<web-resource-collection>
<web-resource-name>application</web-resource-name>
<description/>
<url-pattern>/faces/home/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>Only Registered user can access this</description>
<role-name>Basic</role-name>
<role-name>Admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>Basic</auth-method>
<realm-name>myrealm</realm-name>
</login-config>
<security-role>
<description>Deputy User</description>
<role-name>Deputy</role-name>
</security-role>
<security-role>
<description>AdminUser</description>
<role-name>Admin</role-name>
</security-role>
and my weblogic.xml has
<security-role-assignment>
<role-name>Admin</role-name>
<principal-name>Admin</principal-name>
</security-role-assignment>
<security-role-assignment>
<role-name>Deputy</role-name>
<principal-name>Deputy</principal-name>
</security-role-assignment>
I have myrealm configured on the WebLogic server with ActiveDirectoryProvider (marked SUFFICIENT) and NegotiateIdentityProviderAsserter (Form Based Negotiation is marked disabled).
However, it still shows the basic authentication dialog and does not log me in.
Update: in the WebLogic server debug logs I see the following exception
<> <a71b8914-e309-4c08-97a5-2dcba34ea5be-00000044> <1525358738449> <[severity-value: 128] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-000000> <acceptGssInitContextToken failed
com.bea.security.utils.kerberos.KerberosException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextTokenInDoAs(KerberosTokenHandler.java:396)
at com.bea.security.utils.kerberos.KerberosTokenHandler.handleInitTokenForMultiKDC(KerberosTokenHandler.java:270)
at com.bea.security.utils.kerberos.KerberosTokenHandler.access$100(KerberosTokenHandler.java:46)
at com.bea.security.utils.kerberos.KerberosTokenHandler$2.run(KerberosTokenHandler.java:215)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextToken(KerberosTokenHandler.java:213)
at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextToken(KerberosTokenHandler.java:141)
at com.bea.common.security.internal.utils.negotiate.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:57)
at weblogic.security.providers.authentication.NegotiateIdentityAsserterProviderImpl.assertChallengeIdentity(NegotiateIdentityAsserterProviderImpl.java:217)
at com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.assertChallengeIdentity(ChallengeIdentityAssertionProviderImpl.java:124)
at com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl.assertChallengeIdentity(ChallengeIdentityAssertionTokenServiceImpl.java:122)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:64)
at com.sun.proxy.$Proxy56.assertChallengeIdentity(Unknown Source)
at com.bea.common.security.internal.service.ChallengeIdentityAssertionServiceImpl.assertChallengeIdentity(ChallengeIdentityAssertionServiceImpl.java:114)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:64)
at com.sun.proxy.$Proxy62.assertChallengeIdentity(Unknown Source)
at com.bea.common.security.internal.service.NegotiateIdentityAsserterServiceImpl$NegotiateHandler.assertChallengeContext(NegotiateIdentityAsserterServiceImpl.java:328)
at com.bea.common.security.internal.service.NegotiateIdentityAsserterServiceImpl$NegotiateHandler.process(NegotiateIdentityAsserterServiceImpl.java:213)
at com.bea.common.security.internal.service.NegotiateIdentityAsserterServiceImpl.process(NegotiateIdentityAsserterServiceImpl.java:132)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:64)
at com.sun.proxy.$Proxy63.process(Unknown Source)
at weblogic.security.providers.authentication.NegotiateIdentityAsserterServletAuthenticationFilter.doFilter(NegotiateIdentityAsserterServletAuthenticationFilter.java:37)
at weblogic.servlet.security.internal.AuthFilterChain.doFilter(AuthFilterChain.java:34)
at weblogic.servlet.security.internal.WebAppSecurity$ServletAuthenticationFilterAction.run(WebAppSecurity.java:1106)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:326)
at weblogic.security.service.SecurityManager.runAsForUserCode(SecurityManager.java:197)
at weblogic.servlet.provider.WlsSecurityProvider.runAsForUserCode(WlsSecurityProvider.java:203)
at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:71)
at weblogic.servlet.security.internal.WebAppSecurity.invokeAuthFilterChain(WebAppSecurity.java:963)
at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:99)
at weblogic.servlet.security.internal.SecurityModule.checkAccess(SecurityModule.java:159)
at weblogic.servlet.security.internal.SecurityModule.isAuthorized(SecurityModule.java:720)
at weblogic.servlet.security.internal.WebAppSecurity.checkAccess(WebAppSecurity.java:585)
at weblogic.servlet.security.internal.WebAppSecurity.checkAccess(WebAppSecurity.java:545)
at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2379)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2281)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2259)
at weblogic.servlet.internal.ServletRequestImpl.runInternal(ServletRequestImpl.java:1691)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1651)
at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:270)
at weblogic.invocation.ComponentInvocationContextManager._runAs(ComponentInvocationContextManager.java:348)
at weblogic.invocation.ComponentInvocationContextManager.runAs(ComponentInvocationContextManager.java:333)
at weblogic.work.LivePartitionUtility.doRunWorkUnderContext(LivePartitionUtility.java:54)
at weblogic.work.PartitionUtility.runWorkUnderContext(PartitionUtility.java:41)
at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:640)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:406)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:346)
Caused By: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextTokenInDoAs(KerberosTokenHandler.java:310)
at com.bea.security.utils.kerberos.KerberosTokenHandler.handleInitTokenForMultiKDC(KerberosTokenHandler.java:270)
at com.bea.security.utils.kerberos.KerberosTokenHandler.access$100(KerberosTokenHandler.java:46)
at com.bea.security.utils.kerberos.KerberosTokenHandler$2.run(KerberosTokenHandler.java:215)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextToken(KerberosTokenHandler.java:213)
at com.bea.security.utils.kerberos.KerberosTokenHandler.acceptGssInitContextToken(KerberosTokenHandler.java:141)
at com.bea.common.security.internal.utils.negotiate.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:57)
at weblogic.security.providers.authentication.NegotiateIdentityAsserterProviderImpl.assertChallengeIdentity(NegotiateIdentityAsserterProviderImpl.java:217)
at com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.assertChallengeIdentity(ChallengeIdentityAssertionProviderImpl.java:124)
at com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl.assertChallengeIdentity(ChallengeIdentityAssertionTokenServiceImpl.java:122)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:64)
at com.sun.proxy.$Proxy56.assertChallengeIdentity(Unknown Source)
at com.bea.common.security.internal.service.ChallengeIdentityAssertionServiceImpl.assertChallengeIdentity(ChallengeIdentityAssertionServiceImpl.java:114)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:64)
at com.sun.proxy.$Proxy62.assertChallengeIdentity(Unknown Source)
at com.bea.common.security.internal.service.NegotiateIdentityAsserterServiceImpl$NegotiateHandler.assertChallengeContext(NegotiateIdentityAsserterServiceImpl.java:328)
at com.bea.common.security.internal.service.NegotiateIdentityAsserterServiceImpl$NegotiateHandler.process(NegotiateIdentityAsserterServiceImpl.java:213)
at com.bea.common.security.internal.service.NegotiateIdentityAsserterServiceImpl.process(NegotiateIdentityAsserterServiceImpl.java:132)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:64)
at com.sun.proxy.$Proxy63.process(Unknown Source)
at weblogic.security.providers.authentication.NegotiateIdentityAsserterServletAuthenticationFilter.doFilter(NegotiateIdentityAsserterServletAuthenticationFilter.java:37)
at weblogic.servlet.security.internal.AuthFilterChain.doFilter(AuthFilterChain.java:34)
at weblogic.servlet.security.internal.WebAppSecurity$ServletAuthenticationFilterAction.run(WebAppSecurity.java:1106)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:326)
at weblogic.security.service.SecurityManager.runAsForUserCode(SecurityManager.java:197)
at weblogic.servlet.provider.WlsSecurityProvider.runAsForUserCode(WlsSecurityProvider.java:203)
at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:71)
at weblogic.servlet.security.internal.WebAppSecurity.invokeAuthFilterChain(WebAppSecurity.java:963)
at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:99)
at weblogic.servlet.security.internal.SecurityModule.checkAccess(SecurityModule.java:159)
at weblogic.servlet.security.internal.SecurityModule.isAuthorized(SecurityModule.java:720)
at weblogic.servlet.security.internal.WebAppSecurity.checkAccess(WebAppSecurity.java:585)
at weblogic.servlet.security.internal.WebAppSecurity.checkAccess(WebAppSecurity.java:545)
at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2379)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2281)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2259)
at weblogic.servlet.internal.ServletRequestImpl.runInternal(ServletRequestImpl.java:1691)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1651)
at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:270)
at weblogic.invocation.ComponentInvocationContextManager._runAs(ComponentInvocationContextManager.java:348)
at weblogic.invocation.ComponentInvocationContextManager.runAs(ComponentInvocationContextManager.java:333)
at weblogic.work.LivePartitionUtility.doRunWorkUnderContext(LivePartitionUtility.java:54)
at weblogic.work.PartitionUtility.runWorkUnderContext(PartitionUtility.java:41)
at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:640)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:406)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:346)
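Two offline checks for the two failures described in this question, added here as an illustrative example; this is not code from the question, from WebLogic or from the JDK. The first parses a keytab (standard MIT format, version 0x0502) and reports which principals and encryption types it actually contains, so that a "Pre-authentication information was invalid (24)" from `kinit -k -t` can be compared against the principal kinit was asked for (in the question, the keytab holds HTTP/APPDEV2004.domain.com while the cached default principal was http_weblogic_test). The second decodes the value of an `Authorization: Negotiate` header and tells whether it is a GSS-API/SPNEGO token at all: the JGSS acceptor raises "GSSHeader did not find the right tag" when the first byte is not the 0x60 InitialContextToken tag, which is what happens when a browser sends an NTLM token (base64 beginning `TlRMTVNT`) instead of Kerberos. All sample data (the keytab bytes, the header values, the zero key) is constructed in the code and labelled as such.

```python
"""Offline diagnostics for the two Kerberos SSO failures discussed above.
Added example; assumes a version 0x0502 keytab and an HTTP Authorization header value.
"""
import base64
import binascii
import struct

# --- 1. Keytab inspection (MIT keytab format 0x0502, all integers big-endian) ---

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}


def _counted(buf: bytes, off: int):
    """Read a uint16-length-prefixed string at buf[off]; return (text, new_off)."""
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n


def parse_keytab(data: bytes) -> list:
    """Return one dict per used keytab slot: principal, kvno, enctype, enctype_name."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                       # negative size marks a free (deleted) slot
            pos += -size
            continue
        entry, off = data[pos:pos + size], 0
        (ncomp,) = struct.unpack(">H", entry[off:off + 2])
        off += 2
        realm, off = _counted(entry, off)   # in v2 the realm is not counted in ncomp
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(entry, off)
            comps.append(comp)
        name_type, timestamp, vno8 = struct.unpack(">IIB", entry[off:off + 9])
        off += 9
        enctype, klen = struct.unpack(">HH", entry[off:off + 4])
        off += 4 + klen                     # skip the key bytes themselves
        kvno = vno8
        if len(entry) - off >= 4:           # optional 32-bit kvno, overrides vno8 if non-zero
            (kvno32,) = struct.unpack(">I", entry[off:off + 4])
            kvno = kvno32 or vno8
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"unknown({enctype})"),
        })
        pos += size
    return entries


def build_keytab(entries) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples as a 0x0502 keytab (constructed test data)."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            raw = s.encode("utf-8")
            body += struct.pack(">H", len(raw)) + raw
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # KRB5_NT_PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                     # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out


def keytab_matches(entries: list, wanted_principal: str) -> dict:
    """Report whether kinit -k -t <keytab> for wanted_principal can find a key at all."""
    hits = [e for e in entries if e["principal"] == wanted_principal]
    return {
        "match": bool(hits),
        "enctypes": sorted({e["enctype_name"] for e in hits}),
        "present": sorted({e["principal"] for e in entries}),
    }


# --- 2. Authorization: Negotiate header classification -------------------------

SPNEGO_OID = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2


def classify_negotiate_token(header_value: str) -> str:
    """Return 'ntlm', 'spnego', 'kerberos', or a reason the JGSS acceptor would reject it."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return f"not-negotiate:{scheme}"
    try:
        tok = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return "bad-base64"
    if tok.startswith(b"NTLMSSP\x00"):      # browser fell back to NTLM; not a GSS token
        return "ntlm"
    if not tok or tok[0] != 0x60:           # GSSHeader requires the APPLICATION 0 tag
        return "not-gss-initial-context-token"
    i, length = 1, tok[1]                   # skip the DER length (short or long form)
    i += 1 + ((length & 0x7F) if length & 0x80 else 0)
    if i + 2 > len(tok) or tok[i] != 0x06:  # mechanism OID must follow the header
        return "malformed-gss-header"
    oid = tok[i + 2:i + 2 + tok[i + 1]]
    if oid == SPNEGO_OID:
        return "spnego"
    if oid in (KRB5_OID, MS_KRB5_OID):
        return "kerberos"
    return "gss-unknown-mechanism"


# Constructed samples (not captured from any real system).
SAMPLE_KEYTAB = build_keytab([("HTTP/APPDEV2004.domain.com@DOMAIN.COM", 3, 17, b"\x00" * 16)])
SAMPLE_NTLM_HEADER = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00" + struct.pack("<I", 1) + struct.pack("<I", 0xA2088207) + b"\x00" * 16).decode()
SAMPLE_SPNEGO_HEADER = "Negotiate " + base64.b64encode(
    b"\x60\x0d\x06\x06" + SPNEGO_OID + b"\xa0\x03\x02\x01\x00").decode()   # header-only stub

if __name__ == "__main__":
    found = parse_keytab(SAMPLE_KEYTAB)
    for e in found:
        print(f"{e['principal']}  kvno={e['kvno']}  {e['enctype_name']}")
    print(keytab_matches(found, "http_weblogic_test@DOMAIN.COM"))
    print(classify_negotiate_token(SAMPLE_NTLM_HEADER), classify_negotiate_token(SAMPLE_SPNEGO_HEADER))
```

To run the keytab check against a real file, pass `open(path, "rb").read()` to `parse_keytab` and the principal you hand to kinit to `keytab_matches`; a result of `match: False` with the SPN listed under `present` is exactly the situation the question ends up resolving by switching the login principal to HTTP/APPDEV2004.domain.com. For the WebLogic exception, `classify_negotiate_token` on the header the browser actually sent distinguishes an NTLM fallback from a genuine SPNEGO token before any KDC or keytab debugging is attempted.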