2012-03-16 87 views
1

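JAAS Kerberos: LoginException on wrong username/password

I am trying to build a simple Active Directory tool that lets me authenticate using Kerberos.

While testing I ran into a really annoying problem! If I enter invalid values in the fields and submit (a user that does not exist in AD, or a wrong user/password combination), I get a LoginException (Javadoc). It would be great if I could detect that and automatically report that the login failed because of bad input.

The problem is that if I have trouble connecting to Active Directory, or if the request times out, I get the same exception. If I print the trace I can see different messages, but the type of the exception is the same...

Do you know whether I am doing something wrong, or whether I could catch something different to make it work? I have already tried catching the subclass LoginFailedException, but it doesn't work; it goes straight to the LoginException (Javadoc) clause.

Here are the traces for the two problems, in order:

Wrong username/password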

javax.security.auth.login.LoginException: Pre-authentication information was invalid (24) 
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source) 
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source) 
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) 
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) 
at java.lang.reflect.Method.invoke(Unknown Source) 
at javax.security.auth.login.LoginContext.invoke(Unknown Source) 
at javax.security.auth.login.LoginContext.access$000(Unknown Source) 
at javax.security.auth.login.LoginContext$4.run(Unknown Source) 
at java.security.AccessController.doPrivileged(Native Method) 
at javax.security.auth.login.LoginContext.invokePriv(Unknown Source) 
at javax.security.auth.login.LoginContext.login(Unknown Source) 
at com.banctecmtl.ca.vlp.tools.ActiveDirectoryValidator.validateUser(ActiveDirectoryValidator.java:80) 
at com.banctecmtl.ca.vlp.controller.UserAccessController.authentify(UserAccessController.java:161) 
at com.banctecmtl.ca.vlp.view.webview.server.UserAccessServiceImpl.authenticate(UserAccessServiceImpl.java:23) 
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) 
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) 
at java.lang.reflect.Method.invoke(Unknown Source) 
at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:569) 
at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:208) 
at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:248) 
at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62) 
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637) 
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) 
at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487) 
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:362) 
at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216) 
at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181) 
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:729) 
at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405) 
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152) 
at org.mortbay.jetty.handler.RequestLogHandler.handle(RequestLogHandler.java:49) 
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152) 
at org.mortbay.jetty.Server.handle(Server.java:324) 
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505) 
at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:843) 
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:647) 
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211) 
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380) 
at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395) 
at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:488) 
Caused by: KrbException: Pre-authentication information was invalid (24) 
at sun.security.krb5.KrbAsRep.<init>(Unknown Source) 
at sun.security.krb5.KrbAsReq.getReply(Unknown Source) 
at sun.security.krb5.Credentials.sendASRequest(Unknown Source) 
at sun.security.krb5.Credentials.acquireTGT(Unknown Source) 
... 42 more 
Caused by: KrbException: Identifier doesn't match expected value (906) 
at sun.security.krb5.internal.KDCRep.init(Unknown Source) 
at sun.security.krb5.internal.ASRep.init(Unknown Source) 
at sun.security.krb5.internal.ASRep.<init>(Unknown Source) 
... 46 more 

Active Directory unreachable (network card disabled :P)

javax.security.auth.login.LoginException: ADNAMEHERE.LAN 
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source) 
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source) 
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) 
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) 
at java.lang.reflect.Method.invoke(Unknown Source) 
at javax.security.auth.login.LoginContext.invoke(Unknown Source) 
at javax.security.auth.login.LoginContext.access$000(Unknown Source) 
at javax.security.auth.login.LoginContext$4.run(Unknown Source) 
at java.security.AccessController.doPrivileged(Native Method) 
at javax.security.auth.login.LoginContext.invokePriv(Unknown Source) 
at javax.security.auth.login.LoginContext.login(Unknown Source) 
at com.banctecmtl.ca.vlp.tools.ActiveDirectoryValidator.validateUser(ActiveDirectoryValidator.java:80) 
at com.banctecmtl.ca.vlp.controller.UserAccessController.authentify(UserAccessController.java:161) 
at com.banctecmtl.ca.vlp.view.webview.server.UserAccessServiceImpl.authenticate(UserAccessServiceImpl.java:23) 
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) 
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) 
at java.lang.reflect.Method.invoke(Unknown Source) 
at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:569) 
at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:208) 
at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:248) 
at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62) 
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637) 
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) 
at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487) 
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:362) 
at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216) 
at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181) 
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:729) 
at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405) 
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152) 
at org.mortbay.jetty.handler.RequestLogHandler.handle(RequestLogHandler.java:49) 
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152) 
at org.mortbay.jetty.Server.handle(Server.java:324) 
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505) 
at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:843) 
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:647) 
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211) 
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380) 
at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395) 
at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:488) 
Caused by: java.net.UnknownHostException: ADNAMEHERE.LAN 
at java.net.Inet6AddressImpl.lookupAllHostAddr(Native Method) 
at java.net.InetAddress$1.lookupAllHostAddr(Unknown Source) 
at java.net.InetAddress.getAddressFromNameService(Unknown Source) 
at java.net.InetAddress.getAllByName0(Unknown Source) 
at java.net.InetAddress.getAllByName(Unknown Source) 
at java.net.InetAddress.getAllByName(Unknown Source) 
at java.net.InetAddress.getByName(Unknown Source) 
at sun.security.krb5.internal.UDPClient.<init>(Unknown Source) 
at sun.security.krb5.KrbKdcReq$KdcCommunication.run(Unknown Source) 
at java.security.AccessController.doPrivileged(Native Method) 
at sun.security.krb5.KrbKdcReq.send(Unknown Source) 
at sun.security.krb5.KrbKdcReq.send(Unknown Source) 
at sun.security.krb5.KrbKdcReq.send(Unknown Source) 
at sun.security.krb5.KrbAsReq.send(Unknown Source) 
at sun.security.krb5.Credentials.sendASRequest(Unknown Source) 
at sun.security.krb5.Credentials.acquireTGT(Unknown Source) 
... 42 more 

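Thank you very much!

Answers

1

You can distinguish the cause of the problem thanks to LoginException.getCause(). If the cause is available, it may be an IOException or a KrbException.

I used this good example as a test case and added the following exception handling: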

import java.io.IOException;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.Oid;
import sun.security.krb5.KrbException; // JDK-internal class

try {
    // Oid mechanism = use Kerberos V5 as the security mechanism.
    krb5Oid = new Oid("1.2.840.113554.1.2.2");
    Client client = new Client();
    client.login(username, password);
}
catch (LoginException e) {
    e.printStackTrace();
    System.err.println("There was an error during the JAAS login");
    // The underlying cause tells network failures apart from Kerberos errors.
    Throwable t = e.getCause();
    if (t instanceof IOException) {
        System.err.println("Network issue");
    } else if (t instanceof KrbException) {
        System.err.println("Kerberos issue");
    } else if (t != null) {
        System.err.println(t.getClass());
    }
    System.exit(-1);
}

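In this context, the KrbException does not distinguish an invalid username and password from an invalid Kerberos client configuration, whether in krb5.conf or in any other parameter, such as a misspelled realm.

But with an IOException, you are sure that the Active Directory server is unavailable, unless the DNS name or IP address is set incorrectly.

So, if your settings are correct and work for at least one user, you will get an IOException as the LoginException cause when Active Directory is unavailable, and a KrbException for any authentication problem such as an unknown username or an invalid password.

By the way, I agree with you that the exception handling is coarse, probably because the Kerberos stack implementation itself only throws KrbException without more details.

If the first option does not provide enough detail with the existing code, you should create your own LoginModule that extends com.sun.security.auth.module.Krb5LoginModule and throws different exceptions depending on the root cause. I invite you to read the latest OpenJDK source code of Krb5LoginModule.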

+0

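The only way I can see what kind of exception it is, is by parsing the error message... which is kind of stupid. If at least I could 'because instanceof KrbException' – David 2012-03-26 13:58:37

+0

Wow, the bounty is gone... – David 2012-03-28 12:24:57

+0

What happened? I guess you could start another bounty to reward me... – 2012-03-28 15:43:09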
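
Added example (not part of the original answer or comments): one way to act on the getCause() advice above and on the error code visible in the first trace, without importing JDK-internal classes. It assumes the LoginException message keeps the trailing "(code)" format shown in that trace; the class name, the enum and the grouping of RFC 4120 error codes into categories are illustrative choices.

```java
import java.io.IOException;
import java.net.UnknownHostException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.security.auth.login.LoginException;

public class LoginFailureClassifier {
    public enum Kind { BAD_CREDENTIALS, ACCOUNT_STATE, CLOCK_SKEW, KDC_UNREACHABLE, OTHER }

    // Assumption: the message ends with the Kerberos error code, e.g. "... was invalid (24)".
    private static final Pattern CODE = Pattern.compile("\\((\\d{1,3})\\)\\s*$");

    public static Kind classify(LoginException e) {
        // Any IOException in the cause chain means the KDC was never reached.
        // The depth bound guards against a cyclic cause chain.
        Throwable t = e;
        for (int depth = 0; t != null && depth < 16; t = t.getCause(), depth++) {
            if (t instanceof IOException) {
                return Kind.KDC_UNREACHABLE; // e.g. UnknownHostException, as in the second trace
            }
        }
        String msg = e.getMessage();
        Matcher m = CODE.matcher(msg == null ? "" : msg);
        if (!m.find()) {
            return Kind.OTHER;
        }
        switch (Integer.parseInt(m.group(1))) {
            case 6:  // KDC_ERR_C_PRINCIPAL_UNKNOWN
            case 24: // KDC_ERR_PREAUTH_FAILED
                // Same category on purpose: the caller's response should not
                // reveal whether the account exists.
                return Kind.BAD_CREDENTIALS;
            case 18: // KDC_ERR_CLIENT_REVOKED (disabled or locked out)
            case 23: // KDC_ERR_KEY_EXPIRED (password expired)
                return Kind.ACCOUNT_STATE;
            case 37: // KRB_AP_ERR_SKEW
                return Kind.CLOCK_SKEW;
            default:
                return Kind.OTHER;
        }
    }

    public static void main(String[] args) {
        // Constructed samples that mirror the two traces in the question.
        LoginException bad = new LoginException("Pre-authentication information was invalid (24)");
        LoginException down = new LoginException("ADNAMEHERE.LAN");
        down.initCause(new UnknownHostException("ADNAMEHERE.LAN"));
        System.out.println(classify(bad));  // BAD_CREDENTIALS
        System.out.println(classify(down)); // KDC_UNREACHABLE
    }
}
```

Only BAD_CREDENTIALS should count as a failed login attempt in audit logs or throttling; KDC_UNREACHABLE and CLOCK_SKEW are infrastructure faults to alert on instead.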
