1. 首頁
  2. 問答
  3. 啓用在Java

啓用在Java

2013-03-13 29 views
11

Kerberos的詳細記錄我有一個基於Java的Web應用程序,它接受一個包含用戶名和密碼登錄網絡形式的內容,並使用Kerberos到基於Windows的域進行身份驗證。啓用在Java

KDC地址顯然被配置爲在每次查找時映射到不同的IP地址,這可以通過使用命令行中的ping命令來確認。

該調用立即響應大多數請求,但響應間歇性地緩慢(5-10秒甚至更長)。我認爲這可能是由於使用了哪個域控制器。

我試圖打開kerberos日誌記錄,但沒有顯示域控制器的IP地址。我該如何開啓更詳細的日誌記錄來嘗試識別惡意域控制器?

代碼摘錄從文件系統中獲取kerb.conf和kerb_context.conf。

的kerb.conf是:

[libdefaults] 
default_realm = EXAMPLE.COM 

[realms] 
CYMRU.NHS.UK = { 
     kdc = example.com:88 
     admin_server = example.com 
     kpasswd_server = example.com 
}

的kerb_context.conf是:

primaryLoginContext { 
     com.sun.security.auth.module.Krb5LoginModule required 
     useTicketCache=false 
     refreshKrb5Config=true 
     debug=true; 
};

示例源是:

static NadexUser executePerformLogin(String username, String password) throws LoginException { 
      char[] passwd = password.toCharArray(); 
      String kerbConf = ERXFileUtilities.pathForResourceNamed("nadex/kerb.conf", "RSCorp", null); 
      String kerbContextConf = ERXFileUtilities.pathURLForResourceNamed("nadex/kerb_context.conf", "RSCorp", null).toExternalForm(); 
      System.setProperty("java.security.krb5.conf", kerbConf); 
      System.setProperty("java.security.auth.login.config", kerbContextConf); 
      try { 
        LoginContext lc = new LoginContext("primaryLoginContext", new UserNamePasswordCallbackHandler(username, password)); 
        lc.login(); 
        return new _NadexUser(lc.getSubject()); 
      } 
      catch (javax.security.auth.login.LoginException le) { 
        throw new LoginException("Failed to login : " + le.getLocalizedMessage(), le); 
      } 
    }

來源

2013-03-13 Mark Wardle

回答

1

我沒有找到一個辦法把在這樣詳細的日誌記錄上,而是決定採用不同的方法。下面的代碼是一個自包含的應用程序,只需要在同一個目錄中有一個jaas.conf配置文件。

一個例子的Jaas.conf與此短的測試應用中使用被示出:

primaryLoginContext { 
     com.sun.security.auth.module.Krb5LoginModule required 
     useTicketCache=false 
     refreshKrb5Config=true 
     debug=false; 
};

此代碼是謹慎地設置系統屬性sun.net.inetaddr.ttl避免Java高速緩存的結果DNS查找。就我而言,每次請求時DNS查找都會發生變化。這是一段相當粗糙的代碼,但會演示網絡中任何配置不當或表現不佳的KDC。

import java.io.BufferedReader; 
import java.io.File; 
import java.io.IOException; 
import java.io.InputStreamReader; 
import java.math.BigDecimal; 
import java.math.RoundingMode; 
import java.net.InetAddress; 
import java.net.MalformedURLException; 
import java.net.UnknownHostException; 
import java.util.Date; 
import java.util.HashMap; 
import java.util.Set; 
import java.util.Vector; 

import javax.security.auth.callback.Callback; 
import javax.security.auth.callback.CallbackHandler; 
import javax.security.auth.callback.NameCallback; 
import javax.security.auth.callback.PasswordCallback; 
import javax.security.auth.callback.UnsupportedCallbackException; 
import javax.security.auth.login.LoginContext; 

public class TestNadex { 
    private static final String DEFAULT_HOST = "cymru.nhs.uk"; 

    public static void main(String[] args) { 
     System.setProperty("sun.net.inetaddr.ttl", "0"); 
     String username=null; 
     String password=null; 
     try { 
      BufferedReader br = new BufferedReader(new InputStreamReader(System.in)); 
      System.out.println("Enter username: "); 
      username = br.readLine().trim(); 
      System.out.println("Enter password: "); 
      password = br.readLine().trim(); 
      testHost(DEFAULT_HOST, username, password); 
     } catch (IOException e1) { 
      // TODO Auto-generated catch block 
      e1.printStackTrace(); 
     } 
    } 

    static void testHost(String host, String username, String password) { 
     HashMap<String, Vector<Long>> results = new HashMap<String, Vector<Long>>(); 
     for (int i=0; i<200; i++) { 
      InetAddress ia; 
      try { 
       ia = InetAddress.getByName(host); 
       long startTime = System.currentTimeMillis(); 
       executePerformLogin(ia.getHostAddress(), username, password); 
       long endTime = System.currentTimeMillis(); 
       long duration = endTime - startTime; 
       if (results.containsKey(ia.toString()) == false) { 
        Vector<Long> v = new Vector<Long>(); 
        v.add(duration); 
        results.put(ia.toString(), v); 
       } 
       else { 
        Vector<Long> v = results.get(ia.toString()); 
        v.add(duration); 
       } 
       Thread.sleep(1000); 
      } catch (UnknownHostException e) { 
       System.out.println("Unknown host: " + host); 
       System.exit(1); 
      } catch (MalformedURLException e) { 
       e.printStackTrace(); 
      } catch (InterruptedException e) { 
       // TODO Auto-generated catch block 
       e.printStackTrace(); 
      } 
     } 

     Set<String> keys = results.keySet(); 
     for (String key : keys) { 
      System.out.println("For address: " + key); 
      Vector<Long> times = results.get(key); 
      int count = times.size(); 
      long total = 0; 
      for (Long t : times) { 
       System.out.println(t + " milliseconds"); 
       total += t; 
      } 
      System.out.println("Mean duration: " + new BigDecimal(total).divide(new BigDecimal(count), RoundingMode.HALF_UP)); 
     } 
    } 

    static void executePerformLogin(String hostname, String username, String password) throws MalformedURLException { 
     System.setProperty("java.security.krb5.realm", "CYMRU.NHS.UK"); 
     System.setProperty("java.security.krb5.kdc", hostname); 
     File jaas = new File("jaas.conf"); 
     String jaasconf = jaas.toURI().toURL().toExternalForm(); 
     System.setProperty("java.security.auth.login.config", jaasconf); 
     //  System.setProperty("java.security.krb5.realm", "cymru.nhs.uk"); 
     //  System.setProperty("java.security.krb5.kdc", "cymru.nhs.uk"); 
     try { 
      System.out.println("Performing NADEX login for username: " + username + " at " + new Date() + " to server " + hostname); 
      LoginContext lc = new LoginContext("primaryLoginContext", new UserNamePasswordCallbackHandler(username, password)); 
      lc.login(); 
      System.out.println("Successful login for " + lc.getSubject().toString() + " at " + new Date()); 
     } 
     catch (javax.security.auth.login.LoginException le) { 
      System.err.println("Failed to login: " + le); 
     } 
    } 

    public static class UserNamePasswordCallbackHandler implements CallbackHandler { 
     private final String _userName; 
     private final String _password; 

     public UserNamePasswordCallbackHandler(String userName, String password) { 
      _userName = userName; 
      _password = password; 
     } 

     public void handle(Callback[] callbacks) throws IOException, 
     UnsupportedCallbackException { 
      for (Callback callback : callbacks) { 
       if (callback instanceof NameCallback && _userName != null) { 
        ((NameCallback) callback).setName(_userName); 
       } 
       else if (callback instanceof PasswordCallback && _password != null) { 
        ((PasswordCallback) callback).setPassword(_password.toCharArray()); 
       } 
      } 
     } 
    } 
}

來源

2013-03-14 14:35:42

15

您可以通過系統屬性sun.security.krb5.debug設置true啓用日誌記錄。

Oracle documentation

來源

2013-11-05 13:52:19

+1

'-Dsun.security.krb5.debug = TRUE;我複製並粘貼足夠的時間,所以我想我會做它一個班輪。 – 2017-10-12 15:23:02

相關問題

 相關問題