Active Directory JBoss Negotiation Toolkit 'Secured' test not working (SPNEGO authentication fails)
Tags: active-directory, single-sign-on, jboss7.x, windows-authentication, spnego
A few days ago I posted the same question on the JBoss PicketBox forum but haven't received any reply yet. So I thought maybe I'd try a wider audience. For a few weeks I've been trying to get the JBoss Negotiation Toolkit working, and I think I've tried everything others have run into. I'm now stuck at the point where I can't get the 'Secured' version of the servlet to work. The 'Security Domain Test' and 'Basic Negotiation' tests work fine, but JBoss keeps throwing a 'LoginException' when I try to open the secured link. I'm fairly sure this is related to some AD/Kerberos setting, but I'm not making any progress.
11:49:43,514 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Login failure: javax.security.auth.login.LoginException: Continuation Required.
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:174) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_33]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_33]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_33]
at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [rt.jar:1.6.0_33]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [rt.jar:1.6.0_33]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
...
Has anyone run into the same problem, or does anyone have any suggestions as to where the problem might be? Sorry for such a long post, but below are all the details of the setup and how I've configured it so far; I'm trying to provide as much detail as possible.
Here is our setup:
- Windows 2008 AD (QAAD)
- DNS name: qaad.dev.company.com
- Domain: QUALITY (QUALITY.COMPANY.COM)
- CentOS 6.2 running JBoss AS 7.1.1.Final (BARDEV1)
- Deployed: jboss-negotiation-toolkit-2.2.2.Final
- DNS name: bardev1.dev.company.com
- Test clients are WinXP and Win7 machines joined to the QUALITY domain
<security-domain name="qaad_kerberos" cache-type="default">
    <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="principal" value="HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM"/>
            <module-option name="keyTab" value="/opt/jboss-as-7.1.1.final/standalone/configuration/bardev1_qaad_rc4.keytab"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="debug" value="true"/>
            <module-option name="refreshKrb5Config" value="false"/>
        </login-module>
    </authentication>
</security-domain>
<security-domain name="SPNEGO" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="serverSecurityDomain" value="qaad_kerberos"/>
        </login-module>
    </authentication>
</security-domain>
The QAAD box has a 'Computer' account for 'bardev1'. This account has delegation set to 'Trust this computer for delegation to any service (Kerberos only)'.
The keytab was generated on the QAAD box and the SPN set up with the following commands:
- setspn -S HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM bardev1
- ktpass /out bardev1_qaad_rc4.keytab /princ HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM /mapuser quality\administrator /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /pass * /kvno 0
- (Note: /kvno 0 had to be set, otherwise I got: KrbException: Specified version of key is not available (44))
- setspn -L bardev1
- Output: Registered ServicePrincipalNames for CN=bardev1,CN=Computers,DC=quality,DC=company,DC=com: HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM HOST/bardev1.dev.company.com HOST/BARDEV1
- setspn -L administrator
- Output: Registered ServicePrincipalNames for CN=Administrator,CN=Users,DC=quality,DC=company,DC=com: HTTP/bardev1.dev.company.com
- http://bardev1:8080/jboss-negotiation-toolkit-2.2.2.Final
- http://bardev1.dev.company.com:8080/jboss-negotiation-toolkit-2.2.2.Final
So I'm fairly sure this is some setup/config/environment issue, but I can't seem to find the root of the problem.

I know this is late. I ran into the same problem and found that we needed to modify the jboss-negotiation-toolkit's web.xml slightly. Change the security-constraint and login-config in web.xml as follows:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Restricted</web-resource-name>
        <url-pattern>/Secured/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>SPNEGO</auth-method>
    <realm-name>SPNEGO</realm-name>
    <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/error.html</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <role-name>*</role-name>
</security-role>
Then change the JBoss SPNEGO configuration in standalone.xml as follows:
<security-domain name="qaad_kerberos" cache-type="default">
    <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="principal" value="HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM"/>
            <module-option name="keyTab" value="/opt/jboss-as-7.1.1.final/standalone/configuration/bardev1_qaad_rc4.keytab"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="debug" value="true"/>
            <module-option name="refreshKrb5Config" value="false"/>
        </login-module>
    </authentication>
</security-domain>
<security-domain name="SPNEGO" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="serverSecurityDomain" value="qaad_kerberos"/>
        </login-module>
        <login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="requisite">
            <module-option name="bindAuthentication" value="GSSAPI"/>
            <module-option name="jaasSecurityDomain" value="qaad_kerberos"/>
            <module-option name="java.naming.provider.url" value="ldap://your kdc's hostname:389"/>
            <module-option name="baseCtxDN" value="DC=MYDOMAIN,DC=COM"/>
            <module-option name="baseFilter" value="(userPrincipalName={0})"/>
            <module-option name="roleAttributeID" value="memberOf"/>
            <module-option name="roleAttributeIsDN" value="true"/>
            <module-option name="roleNameAttributeID" value="cn"/>
            <module-option name="recurseRoles" value="true"/>
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="allowEmptyPassword" value="false"/>
            <module-option name="debug" value="true"/>
        </login-module>
    </authentication>
</security-domain>
Update: We eventually abandoned this solution because we couldn't get it to work. We ended up writing a custom JBoss login module (and Tomcat valve) to handle SSO login against the client's own SAML IdP server, which unfortunately does not fully conform to the SAML spec, and the 'Service Provider' / 'Identity Provider' setup that JBoss (PicketLink) provides didn't work out of the box either. Not ideal, but it delivered for the client and they are happy with the solution.
Negotiation Toolkit
Security Domain Test
Testing security-domain 'qaad_kerberos'
Authenticated
Subject:
Principal: HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM
Private Credential: Ticket (hex) =
0000: 61 82 04 A6 30 82 04 A2 A0 03 02 01 05 A1 16 1B a...0...........
0010: 14 51 55 41 4C 49 54 59 2E 53 59 4D 50 48 4F 4E .QUALITY.COMPANY
0020: 4F 2E 43 4F 4D A2 29 30 27 A0 03 02 01 02 A1 20 O.COM.)0'......
0030: 30 1E 1B 06 6B 72 62 74 67 74 1B 14 51 55 41 4C 0...krbtgt..QUAL
...
04A0: 1C 85 74 1A 9B EF B9 EE D2 A8 ..t.......
Client Principal = HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM
Server Principal = krbtgt/QUALITY.COMPANY.COM@QUALITY.COMPANY.COM
Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 67 2B 5A 9B FE 97 00 2B 68 0B D2 0F 35 FA D1 CB g+Z....+h...5...
Forwardable Ticket true
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Tue Feb 05 12:01:33 CST 2013
Start Time = Tue Feb 05 12:01:33 CST 2013
End Time = Tue Feb 05 22:01:33 CST 2013
Renew Till = null
Client Addresses Null
Private Credential: Kerberos Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COMKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.
12:48:01,226 INFO [org.jboss.security.negotiation.toolkit.BasicNegotiationServlet] (http-bardev1.dev.company.com-10.10.5.232-8080-1) No Authorization Header, sending 401
12:48:01,243 INFO [org.jboss.security.negotiation.toolkit.BasicNegotiationServlet] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Authorization header received - decoding token.
Negotiation Toolkit
Basic Negotiation
WWW-Authenticate - Negotiate YIILwgYGKwYBBQUCoIILtjCCC7KgJDAiBgkqhkiC9xIBAgIGCSq ... i4=
NegTokenInit
Message Oid - SPNEGO
Mech Types - {Kerberos V5 Legacy} {Kerberos V5} {NTLM}
Req Flags -
Mech Token -YIILgAYJKoZIhvcSAQICAQBuggtvMIILa6A ... Gi4=
Mech List Mic -
12:51:52,877 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/jboss-as-7.1.1.final/standalone/configuration/bardev1_qaad_rc4_domain.keytab refreshKrb5Config is false principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
12:51:52,894 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal's key obtained from the keytab
12:51:52,895 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Acquire TGT using AS Exchange
12:51:52,929 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM
12:51:52,933 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.
12:51:52,937 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:52,939 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Added server's keyKerberos Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COMKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
12:51:52,944 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) 0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.
12:51:52,945 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:52,946 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:52,947 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule] added Krb5Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM to Subject
12:51:52,949 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Commit Succeeded
12:51:52,950 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:52,950 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule]: Entering logout
12:51:52,952 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule]: logged out Subject
12:51:52,953 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Login failure: javax.security.auth.login.LoginException: Continuation Required.
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:174) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_33]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_33]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_33]
at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [rt.jar:1.6.0_33]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [rt.jar:1.6.0_33]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:187) [jboss-negotiation-common-2.2.0.SP1.jar:2.2.0.SP1]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.13.Final.jar:]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_33]
12:51:52,985 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/jboss-as-7.1.1.final/standalone/configuration/bardev1_qaad_rc4_domain.keytab refreshKrb5Config is false principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
12:51:52,989 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal's key obtained from the keytab
12:51:52,990 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Acquire TGT using AS Exchange
12:51:53,015 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM
12:51:53,058 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.
12:51:53,060 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:53,061 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Added server's keyKerberos Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COMKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
12:51:53,063 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) 0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.
12:51:53,065 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:53,065 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:53,066 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule] added Krb5Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM to Subject
12:51:53,068 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Commit Succeeded
12:51:53,068 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:53,081 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule]: Entering logout
12:51:53,082 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule]: logged out Subject
HTTP Status 403 - Access to the requested resource has been denied