1. 首頁
  2. 問答
  3. 當CAS部署時spnego身份驗證停止工作

當CAS部署時spnego身份驗證停止工作

2013-04-30 63 views
0

我有一個正在工作的tomcat實例,其中tomcat-manager applet使用SPNEGO進行身份驗證。 當我部署CAS - 配置爲使用SPNEGO - 會發生以下情況:當CAS部署時spnego身份驗證停止工作

  • 部署之後,無論是經理小程序和CAS工作正常
  • tomcat的重啓後,他們沒有工作,兩個他們拋出異常(見下文)
  • 如果我取消部署CAS,經理小程序仍不能正常工作,直到tomcat的重啓

我假定應用程序應該使用CAS不修改其他應用程序的行爲,因此,爲authenti陽離子是自願的。如果這是真的,那麼這種行爲將是一個錯誤。如果沒有,那麼我會假定CAS應該取代該應用程序的身份驗證,在這種情況下,它仍然是一個錯誤。 但是我也假設我錯過了關於CAS/tomcat應該如何工作的一些重要信息。 總之:

Apr 30 08:57:03 127.0.0.1/127.0.0.1 1 2013-04-30T06:57:03.222Z tomcat http-bio-8080-exec-1 21438 192.168.1.10 - - [30/Apr/2013:06:57:03 +0000] "GET /manager/ HTTP/1.1" 302 - 
Apr 30 08:57:03 127.0.0.1/127.0.0.1 1 2013-04-30T06:57:03.301Z tomcat http-bio-8080-exec-2 21438 192.168.1.10 - - [30/Apr/2013:06:57:03 +0000] "GET /manager/html?org.apache.catalina.filters.CSRF_NONCE=146B55AA6642928501CA00F62409FCE8 HTTP/1.1" 401 2486 
Apr 30 08:57:03 127.0.0.1/127.0.0.1 1 2013-04-30T06:57:03.348Z tomcat http-bio-8080-exec-3 21438 192.168.1.10 - - [30/Apr/2013:06:57:03 +0000] "GET /manager/html?org.apache.catalina.filters.CSRF_NONCE=146B55AA6642928501CA00F62409FCE8 HTTP/1.1" 500 1000 
Apr 30 08:57:04 [email protected] Apr 30, 2013 6:57:03 AM org.apache.catalina.authenticator.SpnegoAuthenticator authenticate 
Apr 30 08:57:04 [email protected] SEVERE: Unable to login as the service principal 
Apr 30 08:57:04 [email protected] javax.security.auth.login.LoginException: No LoginModules configured for com.sun.security.jgss.krb5.accept 
Apr 30 08:57:04 [email protected] at javax.security.auth.login.LoginContext.init(LoginContext.java:273) 
Apr 30 08:57:04 [email protected] at javax.security.auth.login.LoginContext.<init>(LoginContext.java:349) 
Apr 30 08:57:04 [email protected] at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:195) 
Apr 30 08:57:04 [email protected] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544) 
Apr 30 08:57:04 [email protected] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168) 
Apr 30 08:57:04 [email protected] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98) 
Apr 30 08:57:04 [email protected] at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927) 
Apr 30 08:57:04 [email protected] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) 
Apr 30 08:57:04 [email protected] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407) 
Apr 30 08:57:04 [email protected] at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987) 
Apr 30 08:57:04 [email protected] at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579) 
Apr 30 08:57:04 [email protected] at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309) 
Apr 30 08:57:04 [email protected] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) 
Apr 30 08:57:04 [email protected] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) 
Apr 30 08:57:04 [email protected] at java.lang.Thread.run(Thread.java:722)
:試圖登錄到管理器小程序時,它是一個錯誤被報告,和/或我應該更多地瞭解CAS/tomcat的應該是如何工作的

異常(在哪裏?)

同樣與CAS:

Apr 30 08:59:58 127.0.0.1/127.0.0.1 1 2013-04-30T06:59:58.104Z tomcat http-bio-8080-exec-4 21438 192.168.1.10 - - [30/Apr/2013:06:59:58 +0000] "GET /cas/ HTTP/1.1" 302 - 
Apr 30 08:59:58 127.0.0.1/127.0.0.1 1 2013-04-30T06:59:58.937Z tomcat http-bio-8080-exec-5 21438 192.168.1.10 - - [30/Apr/2013:06:59:58 +0000] "GET /cas/login HTTP/1.1" 401 954 
Apr 30 08:59:59 [email protected] 2013-04-30 06:59:58,761 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Setting path for cookies to: /cas/> 
Apr 30 08:59:59 [email protected] jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException 
Apr 30 08:59:59 [email protected] at jcifs.spnego.Authentication.processKerberos(Authentication.java:447) 
Apr 30 08:59:59 [email protected] at jcifs.spnego.Authentication.processSpnego(Authentication.java:346) 
Apr 30 08:59:59 [email protected] at jcifs.spnego.Authentication.process(Authentication.java:235) 
Apr 30 08:59:59 [email protected] at org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler.doAuthentication(JCIFSSpnegoAuthenticationHandler.java:70) 
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate_aroundBody2(AbstractPreAndPostProcessingAuthenticationHandler.java:85) 
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate_aroundBody3$advice(AbstractPreAndPostProcessingAuthenticationHandler.java:57) 
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate(AbstractPreAndPostProcessingAuthenticationHandler.java:1) 
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticateAndObtainPrincipal(AuthenticationManagerImpl.java:93) 
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate_aroundBody0(AbstractAuthenticationManager.java:57) 
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate_aroundBody1$advice(AbstractAuthenticationManager.java:57) 
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:1) 
Apr 30 08:59:59 [email protected] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 

[... 149 more] 

Apr 30 08:59:59 [email protected] Caused by: java.lang.reflect.InvocationTargetException 
Apr 30 08:59:59 [email protected] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
Apr 30 08:59:59 [email protected] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) 
Apr 30 08:59:59 [email protected] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) 
Apr 30 08:59:59 [email protected] at java.lang.reflect.Method.invoke(Method.java:601) 
Apr 30 08:59:59 [email protected] at jcifs.spnego.Authentication$ServerAction.run(Authentication.java:511) 
Apr 30 08:59:59 [email protected] at jcifs.spnego.Authentication.processKerberos(Authentication.java:430) 
Apr 30 08:59:59 [email protected] ... 160 more 
Apr 30 08:59:59 [email protected] Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!) 
Apr 30 08:59:59 [email protected] at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:81) 
Apr 30 08:59:59 [email protected] at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:126) 
Apr 30 08:59:59 [email protected] at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:192) 
Apr 30 08:59:59 [email protected] at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:406) 
Apr 30 08:59:59 [email protected] at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60) 
Apr 30 08:59:59 [email protected] at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:153) 
Apr 30 08:59:59 [email protected] ... 166 more 
Apr 30 08:59:59 [email protected] Caused by: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication 
Apr 30 08:59:59 [email protected] at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:796) 
Apr 30 08:59:59 [email protected] at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:667) 
Apr 30 08:59:59 [email protected] at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:580) 
Apr 30 08:59:59 [email protected] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
Apr 30 08:59:59 [email protected] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) 
Apr 30 08:59:59 [email protected] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) 
Apr 30 08:59:59 [email protected] at java.lang.reflect.Method.invoke(Method.java:601) 
Apr 30 08:59:59 [email protected] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) 
Apr 30 08:59:59 [email protected] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) 
Apr 30 08:59:59 [email protected] at javax.security.auth.login.LoginContext$5.run(LoginContext.java:721) 
Apr 30 08:59:59 [email protected] at javax.security.auth.login.LoginContext$5.run(LoginContext.java:719) 
Apr 30 08:59:59 [email protected] at java.security.AccessController.doPrivileged(Native Method) 
Apr 30 08:59:59 [email protected] at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:718) 
Apr 30 08:59:59 [email protected] at javax.security.auth.login.LoginContext.login(LoginContext.java:590) 
Apr 30 08:59:59 [email protected] at sun.security.jgss.GSSUtil.login(GSSUtil.java:255) 
Apr 30 08:59:59 [email protected] at sun.security.jgss.krb5.Krb5Util.getServiceCreds(Krb5Util.java:334) 
Apr 30 08:59:59 [email protected] at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:76) 
Apr 30 08:59:59 [email protected] at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:74) 
Apr 30 08:59:59 [email protected] at java.security.AccessController.doPrivileged(Native Method) 
Apr 30 08:59:59 [email protected] at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:73) 
Apr 30 08:59:59 [email protected] ... 171 more 
Apr 30 08:59:59 [email protected] 2013-04-30 06:59:59,163 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler failed authenticating unknown> 
Apr 30 08:59:59 [email protected] 2013-04-30 06:59:59,171 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN 
Apr 30 08:59:59 [email protected] ============================================================= 
Apr 30 08:59:59 [email protected] WHO: unknown 
Apr 30 08:59:59 [email protected] WHAT: supplied credentials: unknown 
Apr 30 08:59:59 [email protected] ACTION: AUTHENTICATION_FAILED 
Apr 30 08:59:59 [email protected] APPLICATION: CAS 
Apr 30 08:59:59 [email protected] WHEN: Tue Apr 30 06:59:59 GMT 2013 
Apr 30 08:59:59 [email protected] CLIENT IP ADDRESS: 192.168.1.10 
Apr 30 08:59:59 [email protected] SERVER IP ADDRESS: 192.168.1.29 
Apr 30 08:59:59 [email protected] ============================================================= 
Apr 30 08:59:59 [email protected] > 
Apr 30 08:59:59 [email protected] 2013-04-30 06:59:59,174 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN 
Apr 30 08:59:59 [email protected] ============================================================= 
Apr 30 08:59:59 [email protected] WHO: unknown 
Apr 30 08:59:59 [email protected] WHAT: :jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException 
Apr 30 08:59:59 [email protected] ACTION: TICKET_GRANTING_TICKET_NOT_CREATED 
Apr 30 08:59:59 [email protected] APPLICATION: CAS 
Apr 30 08:59:59 [email protected] WHEN: Tue Apr 30 06:59:59 GMT 2013 
Apr 30 08:59:59 [email protected] CLIENT IP ADDRESS: 192.168.1.10 
Apr 30 08:59:59 [email protected] SERVER IP ADDRESS: 192.168.1.29 
Apr 30 08:59:59 [email protected] ============================================================= 
Apr 30 08:59:59 [email protected] >

來源

2013-04-30 Árpád Magosányi

回答

0

看來你的Jaas.conf編寫不當。例外

javax.security.auth.login.LoginException: No LoginModules configured for com.sun.security.jgss.krb5.accept

基本上意味着您在jaas.conf中缺少一個條目。在裏面你必須寫的是tomcat/conf文件夾/修改的Jaas.conf

一個模塊的例子如下(此追加對現有的Jaas.conf): -

com.sun.security.jgss.krb5.accept { 
com.sun.security.auth.module.Krb5LoginModule required 
doNotPrompt=true 
principal="YOUR PRINCIPAL ASSOCIATED WITH KEYTAB" 
useKeyTab=true 
keyTab="CORRECT KEYTAB FILE" 
storeKey=true 
debug=true; 
};

這是ofcourse假設你有服務器端的密鑰表。這也假設你沒有在cas部署中手動指定一個自定義jaas.conf(也可以有其他一些名字)。在自定義部署的情況下,將此條目附加到自定義jaas.conf

我假設(這裏我可能是錯的),cas是客戶端。在這種情況下,你需要在默認的jaas.conf中指定一個com.sun.security.jgss.krb5.initiate模塊(我不知道它的位置或應該在哪裏)。在你可以使用使用SSO(單點登錄驗證): -

useTicketCache=true

,並說明useKeyTab = false,這應該皮卡默認證書,並生成一個主體名稱。

如果仍然有問題,給在Tomcat和CAS設備

來源

2013-05-02 11:24:09

+0

所有* conf文件的輸出,我相信我的Jaas.conf是正確的。如果沒有部署CAS,SPNEGO會工作。 'git diff 0a9330fd0758e6a19a6491b1e191651623408a89 - tomcat7 default/tomcat7'的輸出位於http://paste.ubuntu.com/5626376/ git diff 3d44888d193d541d97d8410db1c5320fd8d734ab - share/tomcat7 *的輸出位於http:// paste。 Ubuntu Linux系統。com/5626378/ – 2013-05-02 16:17:40

+0

糾纏我的是你已經在jaas領域中指定了appname作爲「PortalRealm」,而你在jaas.conf中沒有這樣的條目。我不知道這是否會解決你的問題,但你可以嘗試兩件事。首先使用Portal Realm和isInitiatore = false在tomcat jaas.conf中定義一個條目。其次設置選項-Djava.security.auth.login.config =「你的路徑」,要絕對確保cas在啓動期間沒有設置其他jaas文件 – 2013-05-05 18:21:11

+0

我想我找到了問題所在。我正在試驗我的tomcat並試圖重現這個問題。 JAAS領域只在客戶端試圖訪問它時調用(在你的情況下它是cas)。用下面的格式在你的tomcat jaas.conf中寫入一個條目: - PortalRealm {com.sun.security.auth.module.Krb5LoginModule required ...};並用您在接受條目中指定的相同選項填充它 – 2013-05-07 11:46:36

相關問題

 相關問題