Java Spring boot 2 kerberos身份验证
我想知道如何在SpringBoot2.0中使用SpringSecurityKerberos 我们目前正在尝试使SPNego过滤器工作 这就是错误:Java Spring boot 2 kerberos身份验证,java,spring,spring-boot,spring-security,kerberos,Java,Spring,Spring Boot,Spring Security,Kerberos,我想知道如何在SpringBoot2.0中使用SpringSecurityKerberos 我们目前正在尝试使SPNego过滤器工作 这就是错误: o.s.s.k.w.a.SpnegoAuthenticationProcessingFilter : Negotiate Header was invalid: Negotiate YHoGBisGAQUFAqBwMG6gMDAuBgorBgEEAYI3AgIKBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICH
o.s.s.k.w.a.SpnegoAuthenticationProcessingFilter : Negotiate Header was invalid: Negotiate YHoGBisGAQUFAqBwMG6gMDAuBgorBgEEAYI3AgIKBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHqI6BDhOVExNU1NQAAEAAACXsgjiAwADADUAAAANAA0AKAAAAAYBsR0AAAAPSU5CT01WRDgxMTAzMURCRw==
org.springframework.security.authentication.BadCredentialsException: GSSContext name of the context initiator is null
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:173)
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:153)
at java.security.AccessController.doPrivileged(Native Method)
目前,我们仅尝试对单个端点进行身份验证(/protected
),但我们需要使用kerberos身份验证来保护所有端点。
这是web安全配置(相同的代码适用于Spring Boot 1.5.13.RELEASE,但不适用于Spring Boot 2.0.3.RELEASE):
包com.findwise.kerberos.config;
导入com.findwise.kerberos.localhost.LocalhostAuthFilter;
导入com.findwise.kerberos.localhost.LocalhostAuthProvider;
导入org.springframework.beans.factory.annotation.Autowired;
导入org.springframework.beans.factory.annotation.Value;
导入org.springframework.context.annotation.Bean;
导入org.springframework.context.annotation.Configuration;
导入org.springframework.core.io.FileSystemResource;
导入org.springframework.security.authentication.AuthenticationManager;
导入org.springframework.security.config.BeanIds;
导入org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
导入org.springframework.security.config.annotation.web.builders.HttpSecurity;
导入org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
导入org.springframework.security.config.annotation.web.configuration.websecurityConfigureAdapter;
导入org.springframework.security.core.GrantedAuthority;
导入org.springframework.security.core.userdetails.userdetails;
导入org.springframework.security.core.userdetails.userdetails服务;
导入org.springframework.security.core.userdetails.UsernameNotFoundException;
导入org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
导入org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
导入org.springframework.security.kerberos.client.config.SunJaasKrb5LoginConfig;
导入org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
导入org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint;
导入org.springframework.security.ldap.userdetails.ldapuserdetails服务;
导入org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
导入java.util.Collection;
/**
*SpringSecurityConfig:
*
*这是我们的主要安全配置-它非常符合
*Spring.IO提供的示例-Spring Security Kerberos。
*
*@作者Peter Gyling-电子邮件:Peter。jorgensen@findwise.com
*@linkhttp://docs.spring.io/spring-security-kerberos/docs/current/reference/htmlsingle/
*/
@配置
@启用Web安全性
公共类SpringSecurityConfig扩展了WebSecurity配置适配器{
@值(“${app.service principal}”)
私有字符串服务主体;
@值(${app.keytab location}”)
私有字符串密钥定位;
@凌驾
受保护的无效配置(HttpSecurity HttpSecurity)引发异常{
httpSecurity
.例外处理()
.authenticationEntryPoint(spnegoEntryPoint())
.和().authorizeRequests().anyRequest().authorized()
.and().addFilterBefore(SPNEGAuthenticationProcessingFilter(authenticationManagerBean()),
BasicAuthenticationFilter.class);
}
/**
*这确保了应用程序安全性的全局配置。
*
*@param auth
*@param路缘服务提供商
*/
@自动连线
受保护的无效配置全局(AuthenticationManagerBuilder身份验证,
LocalhostAuthProvider LocalhostAuthProvider,
KerberosServiceAuthenticationProvider(kerbServiceProvider){
认证
.authenticationProvider(localhostAuthProvider)
.认证提供商(路虎服务提供商);
}
/**
*提供默认的Spring身份验证管理器bean。
*SPNEGAuthenticationProcessingFilter将其用作
*配置的一部分。
*
*@返回
*@抛出异常
*@请参阅SPNEGAuthenticationProcessingFilter
*/
@Bean(name=BeanIds.AUTHENTICATION\u管理器)
@凌驾
公共AuthenticationManager authenticationManagerBean()引发异常{
返回super.authenticationManagerBean();
}
/**
*LocalhostAuthProvider:
*通过LocalAuthFilter和LocalhostAuthProvider提供的用户名提供
*调用Ldap并提取当前用户的角色。
*
*@返回已配置的本地主机身份验证提供程序
*/
@豆子
公共LocalhostAuthProvider LocalhostAuthProvider(){
LocalhostAuthProvider LocalhostAuthProvider=新的LocalhostAuthProvider();
setUserDetailsService(新的KerberosUserDetailsService());
返回localhostAuthProvider;
}
/**
*LocalhostAuthFilter:
*在基于Kerberos的SPNEGO身份验证筛选器之前绘制SPNEGO请求
*和系统的快捷方式,以允许本地用户。(开发人员使用cae)。
*
*@param authenticationManager-标准Spring安全性
*@返回已配置的LocalHostAuth筛选器。
*/
@豆子
公共LocalhostAuthFilter LocalhostAuthFilter(AuthenticationManager AuthenticationManager){
LocalhostAuthFilter LocalhostAuthFilter=新的LocalhostAuthFilter();
localhostAuthFilter.setAuthenticationManager(authenticationManager);
返回localhostAuthFilter;
}
/**
*设置SpnegoEntryPoint以指向登录名
*由login.jsp页面提供的页面。
*
*@返回
*/
@豆子
公共SpnegoEntryPoint SpnegoEntryPoint(){
返回新的SpnegoEntryPoint(“/protected”);
}
/**
*SPNEGAuthenticationProcessingFilter:
*
*这是你的朋友
package com.findwise.kerberos.config;
import com.findwise.kerberos.localhost.LocalhostAuthFilter;
import com.findwise.kerberos.localhost.LocalhostAuthProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.BeanIds;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
import org.springframework.security.kerberos.client.config.SunJaasKrb5LoginConfig;
import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
import org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint;
import org.springframework.security.ldap.userdetails.LdapUserDetailsService;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import java.util.Collection;
/**
* SpringSecurityConfig:
* <p>
* This is our main security configuration - It follows very closely the
* examples provided by Spring.IO - Spring Security Kerberos.
*
* @author Peter Gylling - email: peter.jorgensen@findwise.com
* @link http://docs.spring.io/spring-security-kerberos/docs/current/reference/htmlsingle/
*/
@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
@Value("${app.service-principal}")
private String servicePrincipal;
@Value("${app.keytab-location}")
private String keytabLocation;
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.exceptionHandling()
.authenticationEntryPoint(spnegoEntryPoint())
.and().authorizeRequests().anyRequest().authenticated()
.and().addFilterBefore( spnegoAuthenticationProcessingFilter(authenticationManagerBean()),
BasicAuthenticationFilter.class);
}
/**
* This ensures a global configuration for the security of the application.
*
* @param auth
* @param kerbServiceProvider
*/
@Autowired
protected void configureGlobal(AuthenticationManagerBuilder auth,
LocalhostAuthProvider localhostAuthProvider,
KerberosServiceAuthenticationProvider kerbServiceProvider) {
auth
.authenticationProvider(localhostAuthProvider)
.authenticationProvider(kerbServiceProvider);
}
/**
* Provide the default Spring Authentication Manager bean.
* This is used by the SpnegoAuthenticationProcessingFilter as
* part of the configuration.
*
* @return
* @throws Exception
* @see SpnegoAuthenticationProcessingFilter
*/
@Bean(name = BeanIds.AUTHENTICATION_MANAGER)
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
/**
* LocalhostAuthProvider:
* Provided with the username from the LocalAuthFilter the LocalhostAuthProvider
* calls Ldap and extracts the roles of the current user.
*
* @return a configured localhost auth provider
*/
@Bean
public LocalhostAuthProvider localhostAuthProvider() {
LocalhostAuthProvider localhostAuthProvider = new LocalhostAuthProvider();
localhostAuthProvider.setUserDetailsService(new KerberosUserDetailsService());
return localhostAuthProvider;
}
/**
* LocalhostAuthFilter:
* Graps the SPNEGO request before the Kerberos based SPNEGO authentication filter
* and shortcuts the system to allow for local users. (The developer use cae).
*
* @param authenticationManager - Standard Spring Security
* @return a configured LocalHostAuth filter.
*/
@Bean
public LocalhostAuthFilter localhostAuthFilter(AuthenticationManager authenticationManager) {
LocalhostAuthFilter localhostAuthFilter = new LocalhostAuthFilter();
localhostAuthFilter.setAuthenticationManager(authenticationManager);
return localhostAuthFilter;
}
/**
* Setup SpnegoEntryPoint to point to the login
* page provided by the login.jsp page.
*
* @return
*/
@Bean
public SpnegoEntryPoint spnegoEntryPoint() {
return new SpnegoEntryPoint("/protected");
}
/**
* SpnegoAuthenticationProcessingFilter:
* <p>
* This is your friendly SSO filter, that kindly automatically
* logs the user in if the Browser provides the actual credentials
*
* @param authenticationManager - with BeanIds.AUTHENTICATION_MANAGER
* @return
* @See AuthenticationManager
*/
@Bean
public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
AuthenticationManager authenticationManager) {
SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
filter.setAuthenticationManager(authenticationManager);
return filter;
}
/**
* KerberosServiceAuthenticationProvider:
* <p>
* This bean is needed by the global AuthenticationManager bean as the only
* accepted authentication providers.
* <p>
* To actually provide Spring Security with the required user details the
* LdapUserDetailsService is provided to the service auth provider.
* <p>
* The Ldap service will not be used until the TicketValidator has granted
* general access.
*
* @return - A configured Kerberos Service Auth Provider
* @see SunJaasKerberosTicketValidator
* @see LdapUserDetailsService
*/
@Bean
public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
provider.setTicketValidator(sunJaasKerberosTicketValidator());
provider.setUserDetailsService(new KerberosUserDetailsService());
return provider;
}
/**
* SunJaasKerberosTicketValidator
* <p>
* This bean will on behalf of the web application validate the visiting users provided
* Kerberos Ticket. This will not kick in if the underlying JAAS and KRB5 configuration is
* not working as expected.
* <p>
* Find the values of the servicePrincipal and keytabLocation in application.properties
*
* @return - A Kerberos Ticket Validator
* @see KerberosGlobalConfig
*/
@Bean
public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
ticketValidator.setServicePrincipal(servicePrincipal);
ticketValidator.setKeyTabLocation(new FileSystemResource(keytabLocation));
ticketValidator.setDebug(true);
return ticketValidator;
}
/**
* SunJaasKrb5LoginConfig
* <p>
* This is what you would previously find in a JAAS Conf file.
* <p>
* Find the servicePrincipal and keytabLocation is application.properties
*
* @return a configured JAAS login
* @see SunJaasKrb5LoginConfig
*/
@Bean
public SunJaasKrb5LoginConfig loginConfig() {
SunJaasKrb5LoginConfig loginConfig = new SunJaasKrb5LoginConfig();
loginConfig.setKeyTabLocation(new FileSystemResource(keytabLocation));
loginConfig.setServicePrincipal(servicePrincipal);
loginConfig.setDebug(true);
loginConfig.setIsInitiator(true);
loginConfig.setUseTicketCache(true);
return loginConfig;
}
protected static class KerberosUserDetailsService implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(final String s) throws UsernameNotFoundException {
return new UserDetails() {
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return null;
}
@Override
public String getPassword() {
return null;
}
@Override
public String getUsername() {
return s;
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
};
}
}
}