Почему Spring Security Kerberos расширение 1.0.0.M2 не работает для JDK 1.6.0_22 и выше

Question

Расширение Kerberos Spring Security 1.0.0.M2 работает для jdk1.6.0_18 и ниже, но не удалось в новых jdk 1.6.0_22 и 1.6.0_23 со следующими исключениями:

Negotiate Header was invalid: Negotiate YIIHpQYGKwYBBQUCoIIHmTCCB5WgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCB2sEggdnYIIHYwYJKoZIhvcSAQICAQBuggdSMIIHTqADAgEFoQMCAQ6iBwMFACAAAACjggZxYYIGbTCCBmmgAwIBBaEYGxZXQU0uV0VTVEVSTkFTU0VULkxPQ0FMojMwMaADAgECoSowKBsESFRUUBsgZGV2d2FyY2gxLndhbS53ZXN0ZXJuYXNzZXQubG9jYWyjggYRMIIGDaADAgEXoQMCAQ6iggX/BIIF+54nsIgnyOHTnF2nD3XHzz51k/sqBht6lMFESs+CDL2SNCiZOD0Iqee03v3aUyzDncMTkXRRw/F2HOHCv1XPoKFhKZwJDTnKkbm7DDSJFok7rsekQqCntt+DObI6umiZU7XDKP4zyMVadrqQ6psJyUfpaGpU9uRHB79voBJaKGIjeDjSU2z7ybfvoxfPckFO905tM5HXjmM2sm5GAG0gY7/qHlCau1ayH0H/Tfly0EOS1B0D6ryue+Ne6VEt7OUOk89tSQM7F3qUqOsKzwuokBWjERX+ytcnc44uVslncQvn4peWPohePWZL7fpsm4w+kdO40oYeEGhZhbpGLCeII7U51y+NxbiCvTiIuc5nnkhESNQtbrmcUmpJIsbxrjr0cdyFua8oDgEQ6LYuRMY7FHKFDIWvTSaiDIoTBbxkh9I9jHatHhHWdi4WlLo1pJe9Ge4szzDAe2uuHrIgTLjuJx8ryRzq8UfFopJjCehRvBO2CQTyNpyxw6fUZGOQht/QS57/4oGGNWwXTUjsIBRJKNe3x4bsasUgvqhepme40zpAsVXYTv6usiRwAGyVmWTsdH3KZ/syTVghVhcsV1ht5bujwawdXlmR16ZpMPkTXv1hBTvmBwxqsvpGOX4+sG5HT5w/mlpKANUnkeE84m0nOvGp+uMbdhpZ9ya3pPg3BKP+lBfLXHNf0zka77uDLw9K0ZzMsd6t62PsatvrZXCdNrQx8XWKLJ4dHPbxdND7UPtQc2ARiGsak9grd8PG378UkQLlHEEVjh97J+iYxLfNIIfHUbuFxQFqIYXheto1OOrDAY1igsRYP9duoo6ZWiCQnKXxSbcnApIQCiq6r2jxKrzNla6l2GKs0cNB2qqV0XlQNTtVOTG/52EuyNadqpXv39WfhZ64mt4PWQ8bVIL/DR2Jp+bmr+1hCaThLy9l/+52qNC5zj9WAS0+NLRd31cIC3hRTyO2JMSvacfu8v7uV9HbK56R2q38rLg+hu7odPSdkQjEZ9hFWD8Ud3cPpKCDNQRlTnoFTajLlayqWWzZQKjU5GPySToJp2HZW1Ra7HgcM5/6qhoJVVOSE+KpOitGYDYrJ8G6tAk0kOzN0ei/jmkAl5eZNV6hF85T6l7c/kEwu3bJ32r/IAMBK2sBO4Z6SK4SOrSsQXoNBJHKDuY1r34AEHIpazt9hl2U1WyEJDFu9jMMU9q/DEkIGD6FzO0yAYhnnnQFCWJJpjmqqGojiIQwz2W8U95FWMbWdQlCdGnXUIQ1Zdd6xVhrfiFsvD4z92RvyZACyopSVPtIVaBGbRC0/KrxZE9HHOPXjv7WZmBwjKmhgryONs1wge2jNn/saOlExhMT4OjKvjYbfyrdR0WRgTZHvluAxaq5XBBE2QufoFWlibidbZMEdMcL7TDf48ZcpREgtGLJBxkaAhzvbX39iKMmDPCANMSUXN6p0wdsmRNNIno7ghzIoYZ5dh5601BYbYtx9l1rU3LQL46/OVqPIET8LIPMFjgGMlNhME/pAUErEwnvAjIhaH9SyAJksQg6FmU64k8W0EomGzjp6vjOfz+WX1s8pZ4ZKYGXRwFWjq9nWP9BwePthhUQhDLzhGNEeScuG8za2gGeNvZgAqWJ1JiPr4cuwrX4iBOiJsYps0XjLLoi/lAtCBmoTk3qPArtXNqUHRI3ZZtA0LfGhnY+la55qPxm6cWY+ioce3rHraxgr0KLlzMEFRYWb5AMqwTIXL59xL/9O5UyCwc5n1Fbd+OGuOnapK7KWSq6cxJU7ObutxGmQ6aRIJD3RNxGiYnBNkoos546QlubmHno507ZVQ9posYrkJoeQXDgSzuIEA2lD81LfRJfdPdARgFIF5yXWmN0NfCwCrw3X1QloX/Ktzo+9lbHRGhaIo9gS17/Ex1+DjKbFWFwNkRRpONV7jbnJ4ZWfuP3TuKzzX0E12jxMSXvcXPA5mIn0EI1t9f5Bg7L6Hfc0KmxWrsnHRgz9zZ1/i8eDmBMVxJlQSPR7WG2EsUAUB2uP8ADC/hR2j3FedcGQBgkhHOEMNSkgcMwgcCgAwIBF6KBuASBtczMFtvZHJDYRG8gUL+HJazLtrNiqjMu/I5CruvOy03uM5l2EOuE3c21lW04O9QHWdC7MCxdOnqRoDt3W+0kD3mBIdjjA0YGVPA1qPD1v8j9UMoAr2fuUYkO5qFsjFZ05u0w8rfi5/jq8FwB2idooBq9hYLGISbIstctr2Gt4W5tdfrCrxdRH2z48y1oqKFwmzQ2N57LJcAYY0cjxb/uRKEv+fk3TlvDF92Ci3JJzmzC+lK8uo4=
org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull  at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:69)
 at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86)
 at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:120)
 at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:48)
 at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:131)
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
 at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:188)
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
 at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
 at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
 at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
 at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
 at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
 at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
 at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:555)
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
 at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:861)
 at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579)
 at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1584)
 at java.lang.Thread.run(Thread.java:662)
Caused by: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))  at java.security.AccessController.doPrivileged(Native Method)  at javax.security.auth.Subject.doAs(Subject.java:396)
 at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)
 ... 25 more
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))  at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
 at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
 at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
 at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:874)
 at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:541)
 at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
 at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
 at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:146)
 at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136)
 ... 28 more
Caused by: KrbException: Specified version of key is not available (44)  at sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:527)
 at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:260)
 at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
 at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
 at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
 ... 36 more
SecurityContextHolder now cleared, as request processing completed 

Answer 1

Таким образом, проблема, казалось, заключалась в том, что kvno не совпадало (это было 5 с v1.6.18, но 13 в v1.6.22).

Если вы сгенерировали таблицу ключей с механизмом, который позволяет установить для kvno значение 0, то kvno можно игнорировать (зависит от реализации). MIT Kerberos делает это, и кажется, что JDK также поддерживает.

Квно просто используется для поиска ключа. Поэтому очень важно иметь правильное значение kvno, потому что это упрощает работу системы. Но это не является угрозой безопасности, если его значение равно 0.

Grant

Answer 2

Эта проблема решается установкой нулевого значения kvno в файле keytab.