JBoss: Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
To implement SSO, we only need to modify the JBoss Spring Security files and put in the Kerberos setup configuration. But we cannot understand why the GSS exception occurs. Kerberos and JBoss are running on different machines. Please look at the code of the Spring files; have we made a mistake anywhere?

Server log:

18:03:43,879 INFO [stdout] (http-/0.0.0.0:8080-1) 2015-01-06 18:03:43,879 [http-/0.0.0.0:8080-1] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Calling Authentication entry point.
18:03:43,879 INFO [stdout] (http-/0.0.0.0:8080-1) 2015-01-06 18:03:43,879 [http-/0.0.0.0:8080-1] DEBUG org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint - Sending back Negotiate Header for request: http://172.18.0.78:8080/suite/designer
18:03:43,912 INFO [stdout] (http-/0.0.0.0:8080-1) 2015-01-06 18:03:43,912 [http-/0.0.0.0:8080-1] DEBUG org.springframework.security.web.FilterChainProxy - /designer at position 3 of 10 in additional filter chain; firing Filter: 'SpnegoAuthenticationProcessingFilter'
18:03:43,913 INFO [stdout] (http-/0.0.0.0:8080-1) 2015-01-06 18:03:43,913 [http-/0.0.0.0:8080-1] DEBUG org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter - Received Negotiate Header for request http://172.18.0.78:8080/suite/designer: Negotiate TLRMTvNTUAABAAAL4II4GAAAAAAAAAAAAAAAAAAAAAAAAHIXAAAAW==
18:03:43,917 INFO [stdout] (http-/0.0.0.0:8080-1) 2015-01-06 18:03:43,917 [http-/0.0.0.0:8080-1] DEBUG org.springframework.security.authentication.ProviderManager - Authentication attempt using com.appiancorp.suiteapi.security.auth.AuthenticationProviderWrapper
18:03:43,918 INFO [stdout] (http-/0.0.0.0:8080-1) 2015-01-06 18:03:43,917 [http-/0.0.0.0:8080-1] DEBUG org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider - Try to validate Kerberos Token
18:03:43,952 INFO [stdout] (http-/0.0.0.0:8080-1) 2015-01-06 18:03:43,951 [http-/0.0.0.0:8080-1] WARN com.appiancorp.security.auth.AuthenticationEventLoggerListener - Unable to retrieve authentication details. Please update your Spring Security XML configuration so that com.appiancorp.security.auth.AppianAuthenticationDetailsSource is used as the authenticationDetailsSource. Expected an instance of com.appiancorp.security.auth.AuthenticationDetails but was null.
18:03:43,963 INFO [stdout] (http-/0.0.0.0:8080-1) 2015-01-06 18:03:43,961 [http-/0.0.0.0:8080-1] WARN org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter - Negotiate Header was invalid: Negotiate TlrmtVntuaabaaaal4i4Gaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaw==
18:03:43,964 INFO [stdout] (http-/0.0.0.0:8080-1) org.springframework.security.authentication.BadCredentialsException: Kerberos validation not successful
18:03:43,964 INFO [stdout] (http-/0.0.0.0:8080-1) at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:69)
18:03:43,964 INFO [stdout] (http-/0.0.0.0:8080-1) at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86)
18:03:43,965 INFO [stdout] (http-/0.0.0.0:8080-1) at com.appiancorp.suiteapi.security.auth.AuthenticationProviderWrapper.authenticate(AuthenticationProviderWrapper.java:86)
18:03:43,965 INFO [stdout] (http-/0.0.0.0:8080-1) at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
18:03:43,965 INFO [stdout] (http-/0.0.0.0:8080-1) at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:147)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653)
18:03:43,973 INFO [stdout] (http-/0.0.0.0:8080-1) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
18:03:43,974 INFO [stdout] (http-/0.0.0.0:8080-1) at java.lang.Thread.run(Thread.java:745)
18:03:43,974 INFO [stdout] (http-/0.0.0.0:8080-1) Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
18:03:43,974 INFO [stdout] (http-/0.0.0.0:8080-1) at java.security.AccessController.doPrivileged(Native Method)
18:03:43,974 INFO [stdout] (http-/0.0.0.0:8080-1) at javax.security.auth.Subject.doAs(Subject.java:415)
18:03:43,974 INFO [stdout] (http-/0.0.0.0:8080-1) at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)
18:03:43,974 INFO [stdout] (http-/0.0.0.0:8080-1) ... 45 more
18:03:43,975 INFO [stdout] (http-/0.0.0.0:8080-1) Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
18:03:43,975 INFO [stdout] (http-/0.0.0.0:8080-1) at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
18:03:43,975 INFO [stdout] (http-/0.0.0.0:8080-1) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
18:03:43,975 INFO [stdout] (http-/0.0.0.0:8080-1) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
18:03:43,975 INFO [stdout] (http-/0.0.0.0:8080-1) at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:146)
18:03:43,975 INFO [stdout] (http-/0.0.0.0:8080-1) at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136)
18:03:43,975 INFO [stdout] (http-/0.0.0.0:8080-1) ... 48 more
18:03:43,976 INFO [stdout] (http-/0.0.0.0:8080-1) 2015-01-06 18:03:43,976 [http-/0.0.0.0:8080-1] DEBUG org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler - Redirecting to /portal/loginPage.none?
18:03:43,977 INFO [stdout] (http-/0.0.0.0:8080-1) 2015-01-06 18:03:43,977 [http-/0.0.0.0:8080-1] DEBUG org.springframework.security.web.DefaultRedirectStrategy - Redirecting to '/suite/portal/loginPage.none?appian_environment=designer&'

If these files have been customized as part of any partner commercial tool, please seek a representative from that commercial tool.

krb5.conf file:
[libdefaults]
default_realm = LAB.LOCAL
dns_lookup_kdc = false
dns_lookup_realm = false
permitted_enctypes = RC4-HMAC aes128-cts aes256-cts arcfour-hmac-md5
default_tgs_enctypes = RC4-HMAC aes128-cts aes256-cts arcfour-hmac-md5
default_tkt_enctypes = RC4-HMAC aes128-cts aes256-cts arcfour-hmac-md5
[domain_realm]
.lab.local= LAB.LOCAL
lab.local= LAB.LOCAL
[realms]
LAB.LOCAL = {
kdc = 172.18.0.64:88
default_domain = LAB.LOCAL
}
Spring-security-07-portal.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- Configure security for the web interface. -->
<sec:http pattern="/**" use-expressions="false" entry-point-ref="spnegoEntryPoint" >
<!-- This is needed for CSRF protection and must not be removed -->
<sec:custom-filter ref="csrfChannelProcessingFilter" before="FILTER_SECURITY_INTERCEPTOR" />
<!-- Added a filter for spnego -->
<sec:custom-filter ref="spnegoAuthenticationProcessingFilter" position="PRE_AUTH_FILTER" />
<sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<sec:request-cache ref="appianRequestCache"/>
<sec:anonymous enabled="false"/>
<!-- <sec:form-login login-page="#{pageUrls.login}" login-processing-url="/auth"
username-parameter="un" password-parameter="pw"
authentication-success-handler-ref="appianAuthenticationSuccessHandler"
authentication-failure-handler-ref="appianAuthenticationFailureHandler"
authentication-details-source-ref="portalAuthenticationDetailsSource"/> -->
<sec:session-management session-authentication-strategy-ref="portalSessionAuthenticationStrategy"/>
<sec:logout logout-url="#{pageUrls.logout}" invalidate-session="true" success-handler-ref="logoutSuccessHandler"/>
<sec:remember-me services-ref="appianRememberMeServices"/>
</sec:http>
<bean id="spnegoEntryPoint"
class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />
<bean id="logoutSuccessHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
<property name="defaultTargetUrl" value="/"/>
<property name="alwaysUseDefaultTargetUrl" value="true"/>
</bean>
<bean id="appianRequestCache" class="com.appiancorp.security.auth.AppianHttpSessionRequestCache" />
<!-- These configurations are not yet available through the security namespace,
so we use a BeanPostProcessor to apply settings required by the Portal environment. -->
<bean id="appianSpringSecurityBeanPostProcessor" class="com.appiancorp.security.auth.BeanPostProcessorForPortalAuth">
<property name="allowPostOnlyForAuthentication" value="false"/>
<property name="useForwardForLoginPage" value="true"/>
</bean>
<!--These lines have been added to handle SSO with Kerberos -->
<bean id="spnegoAuthenticationProcessingFilter" class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
<property name="failureHandler" ref="failureHandler"/>
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="failureHandler" class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/portal/loginPage.none?" />
</bean>
</beans>
Spring-security-03-auth-mgr.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- SPNEGO authentication entry point -->
<bean id="spnegoEntryPoint" class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />
<bean id="spnegoAuthenticationProcessingFilter"
class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<!-- Authentication manager configuration, specifying the class(es) responsible for performing the authentication. -->
<sec:authentication-manager alias="authenticationManager" erase-credentials="true">
<sec:authentication-provider ref="kerberosServiceAuthenticationProviderWrapped"/>
</sec:authentication-manager>
<!-- Need to wrap the Authentication Provider using the Authentication Provider Wrapper class. See Appian Forum for details -->
<bean id="kerberosServiceAuthenticationProviderWrapped" class="com.appiancorp.suiteapi.security.auth.AuthenticationProviderWrapper">
<constructor-arg ref="kerberosServiceAuthenticationProvider"/>
</bean>
<!--Kerberos Authentication Provider -->
<bean id="kerberosServiceAuthenticationProvider" class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
<property name="ticketValidator" ref="kerberosTicketValidator"/>
<property name="userDetailsService" ref="appianUserDetailsServiceNoPwMgmt" />
</bean>
<bean id="kerberosTicketValidator" class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
<property name="servicePrincipal" value="HTTP/user01@lab.local" />
<property name="keyTabLocation" value="file:///usr/local/appian/ear/suite.ear/web.war/WEB-INF/conf/appianrdserver.keytab" />
<property name="debug" value="true" />
</bean>
<bean class="org.springframework.security.extensions.kerberos.GlobalSunJaasKerberosConfig" >
<property name="debug" value="true" />
<property name="krbConfLocation" value="file:///etc/krb5.conf"/>
</bean>
<bean id="appianAuthenticationProvider" class="com.appiancorp.suiteapi.security.auth.AuthenticationProviderWrapper">
<constructor-arg ref="appianAuthenticationProviderInternal"/>
<constructor-arg ref="scsKeyChangeHandlerNoOp"/>
</bean>
<bean id="appianAuthenticationProviderInternal" class="com.appiancorp.security.auth.AppianAuthenticationProvider">
<constructor-arg ref="appianUserDetailsService"/>
</bean>
<bean id="appianUserDetailsService" class="com.appiancorp.suiteapi.security.auth.AppianUserDetailsService"/>
<bean id="appianUserDetailsServiceForRememberMe" class="com.appiancorp.suiteapi.security.auth.AppianUserDetailsService">
<constructor-arg value="false"/>
</bean>
<bean id="rememberMeConfiguration" class="com.appiancorp.security.auth.rememberme.RememberMeConfiguration">
<constructor-arg name="enabled" value="false"/>
<constructor-arg name="tokenValiditySec" value="1209600"/>
</bean>
<bean id="rememberMeScsHandler" class="com.appiancorp.security.auth.rememberme.RememberMeScsHandler">
<constructor-arg ref="rememberMeConfiguration" />
</bean>
<bean id="appianRememberMeServices" class="com.appiancorp.security.auth.rememberme.AppianPersistentTokenBasedRememberMeServices">
<constructor-arg ref="rememberMeConfiguration"/>
<constructor-arg ref="rememberMeTokenService"/>
<constructor-arg ref="appianUserDetailsServiceForRememberMe"/>
<constructor-arg ref="rememberMeTokenRepository"/>
<constructor-arg ref="rememberMeScsHandler" />
<constructor-arg ref="portalAuthenticationDetailsSource"/>
<property name="seriesLength" value="32"/>
<property name="tokenLength" value="32"/>
</bean>
<bean id="beanPostProcessorForAuthMgr" class="com.appiancorp.security.auth.BeanPostProcessorForAuthMgr">
<property name="authenticationEventPublisher" ref="appianAuthenticationEventPublisher"/>
<property name="rememberMeConfiguration" ref="rememberMeConfiguration"/>
</bean>
<bean id="appianAuthenticationEventPublisher" class="com.appiancorp.security.auth.AppianAuthenticationEventPublisher"/>
<bean id="appianUserDetailsContextMapper" class="com.appiancorp.suiteapi.common.spring.security.BasicUserDetailsContextMapper">
<constructor-arg ref="appianUserDetailsServiceNoPwMgmt"/>
</bean>
<bean id="appianUserDetailsServiceNoPwMgmt" class="com.appiancorp.suiteapi.security.auth.AppianUserDetailsService">
<constructor-arg value="false"/>
</bean>
</beans>
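A useful first check when SunJaasKerberosTicketValidator reports "GSSHeader did not find the right tag" is to look at the bytes the browser actually sent, before touching the keytab or krb5.conf. The JDK's GSSHeader expects an RFC 2743 InitialContextToken, which always starts with the DER APPLICATION tag 0x60 followed by the mechanism OID (SPNEGO 1.3.6.1.5.5.2 for a browser). A token whose base64 begins `TlRMTVNTUAAB` decodes to the bytes `NTLMSSP\0\x01`, an NTLM Type 1 (NEGOTIATE) message, which has no GSS-API framing at all and fails in exactly this way; the header in the log above begins `TLRMTvNTUAAB...` (letter case mangled by extraction), so it is worth confirming whether the client fell back to NTLM. Browsers commonly do that when they cannot obtain a Kerberos service ticket for the site, and the request in the log addresses the server by IP literal (http://172.18.0.78:8080), for which a browser cannot form an `HTTP/<hostname>` SPN. The classifier below is an added example and is not code from the post, from Appian or from Spring Security Kerberos; the three sample tokens are constructed inline and labelled as such, and the NTLM flags value is an arbitrary placeholder.

```python
import base64
import binascii

# GSS-API InitialContextToken framing (RFC 2743 section 3.1): APPLICATION [0]
# tag 0x60, a DER length, then the mechanism OID. sun.security.jgss.GSSHeader
# rejects any token that does not start with 0x60 with the message
# "GSSHeader did not find the right tag".
GSS_APPLICATION_TAG = 0x60
DER_OID_TAG = 0x06
SPNEGO_OID = "1.3.6.1.5.5.2"          # DER content octets: 2b 06 01 05 05 02
KRB5_OID = "1.2.840.113554.1.2.2"     # DER content octets: 2a 86 48 86 f7 12 01 02 02
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"    # NTLM messages carry no GSS-API framing


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or pos + 1 + nbytes > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def _decode_oid(body):
    """Convert the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if not arcs:
        raise ValueError("empty OID")
    return ".".join(str(a) for a in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])


def classify_negotiate_token(header_value):
    """Classify an 'Authorization: Negotiate <base64>' header value.

    Tells an operator whether the client sent SPNEGO/Kerberos, raw Kerberos,
    an NTLM message, or something the GSS layer cannot parse at all.
    """
    parts = header_value.split(None, 1)
    b64 = parts[1] if len(parts) == 2 and parts[0].lower() == "negotiate" else header_value
    try:
        token = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return "undecodable base64"
    if token.startswith(NTLMSSP_SIGNATURE):
        msg_type = int.from_bytes(token[8:12], "little") if len(token) >= 12 else 0
        return "NTLMSSP type %d message (client fell back to NTLM; not GSS-API framed)" % msg_type
    if not token or token[0] != GSS_APPLICATION_TAG:
        return "not GSS-API framed (first byte 0x%02x, expected 0x60)" % (token[0] if token else 0)
    try:
        _, pos = _der_length(token, 1)
        if token[pos] != DER_OID_TAG:
            return "GSS-API frame without a mechanism OID"
        oid_len, pos = _der_length(token, pos + 1)
        oid = _decode_oid(token[pos:pos + oid_len])
    except (ValueError, IndexError):
        return "truncated or malformed GSS-API header"
    if oid == SPNEGO_OID:
        return "SPNEGO token (what a browser sends for Kerberos SSO)"
    if oid == KRB5_OID:
        return "raw Kerberos 5 AP-REQ token"
    return "GSS-API token with unrecognised mechanism OID %s" % oid


# --- constructed sample tokens (not taken from the post) ---------------------

def _der(tag, body):
    """Minimal DER TLV encoder, enough for the short samples below."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body


# NTLM NEGOTIATE_MESSAGE (type 1): signature, type, placeholder flags, two empty fields.
SAMPLE_NTLM_TYPE1 = NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + b"\x97\x82\x08\xe2" + b"\x00" * 16
# SPNEGO NegTokenInit with an empty mechanism list inside the GSS-API frame.
SAMPLE_SPNEGO = _der(0x60, b"\x06\x06\x2b\x06\x01\x05\x05\x02" + _der(0xA0, _der(0x30, b"")))
# Kerberos mechanism header followed by the AP-REQ token id 01 00 and no body.
SAMPLE_KRB5 = _der(0x60, b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" + b"\x01\x00")


def sample_headers():
    """Return (label, header value) pairs for the constructed tokens above."""
    return [
        ("ntlm", "Negotiate " + base64.b64encode(SAMPLE_NTLM_TYPE1).decode()),
        ("spnego", "Negotiate " + base64.b64encode(SAMPLE_SPNEGO).decode()),
        ("krb5", "Negotiate " + base64.b64encode(SAMPLE_KRB5).decode()),
    ]


if __name__ == "__main__":
    for label, header in sample_headers():
        print("%-6s %s... -> %s" % (label, header[:26], classify_negotiate_token(header)))
```

Run it against a header copied out of the "Received Negotiate Header" debug line; the NTLM sample prints a header starting `Negotiate TlRMTVNTUAABAAAA`, which is the pattern to compare against. If the verdict is NTLM, the fix is on the client side of the exchange (a hostname in the URL that the browser treats as intranet, and an SPN registered for that hostname), not in the ticket validator.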