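I have a working tomcat instance where the tomcat-manager applet is authenticated using SPNEGO. When I deploy CAS, configured to use SPNEGO, SPNEGO authentication stops working. The following happens:
- after deployment, both the manager applet and CAS work fine
- after a tomcat restart, neither of them works and both throw exceptions (see below)
- if I undeploy CAS, the manager applet still does not work until tomcat is restarted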
I assume that applications should be able to use CAS without modifying the behavior of other applications, so that using it for authentication is voluntary. If that is true, then this behavior would be a bug. If not, then I would assume that CAS should replace authentication for the application, in which case it is still a bug. But I also assume that I am missing some important information about how CAS/tomcat is supposed to work. In short: is this a bug that should be reported, and/or should I learn more about how CAS/tomcat is supposed to work (where?)
Exception when trying to log in to the manager applet:
Apr 30 08:57:03 127.0.0.1/127.0.0.1 1 2013-04-30T06:57:03.222Z tomcat http-bio-8080-exec-1 21438 192.168.1.10 - - [30/Apr/2013:06:57:03 +0000] "GET /manager/ HTTP/1.1" 302 -
Apr 30 08:57:03 127.0.0.1/127.0.0.1 1 2013-04-30T06:57:03.301Z tomcat http-bio-8080-exec-2 21438 192.168.1.10 - - [30/Apr/2013:06:57:03 +0000] "GET /manager/html?org.apache.catalina.filters.CSRF_NONCE=146B55AA6642928501CA00F62409FCE8 HTTP/1.1" 401 2486
Apr 30 08:57:03 127.0.0.1/127.0.0.1 1 2013-04-30T06:57:03.348Z tomcat http-bio-8080-exec-3 21438 192.168.1.10 - - [30/Apr/2013:06:57:03 +0000] "GET /manager/html?org.apache.catalina.filters.CSRF_NONCE=146B55AA6642928501CA00F62409FCE8 HTTP/1.1" 500 1000
Apr 30 08:57:04 [email protected] Apr 30, 2013 6:57:03 AM org.apache.catalina.authenticator.SpnegoAuthenticator authenticate
Apr 30 08:57:04 [email protected] SEVERE: Unable to login as the service principal
Apr 30 08:57:04 [email protected] javax.security.auth.login.LoginException: No LoginModules configured for com.sun.security.jgss.krb5.accept
Apr 30 08:57:04 [email protected] at javax.security.auth.login.LoginContext.init(LoginContext.java:273)
Apr 30 08:57:04 [email protected] at javax.security.auth.login.LoginContext.<init>(LoginContext.java:349)
Apr 30 08:57:04 [email protected] at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:195)
Apr 30 08:57:04 [email protected] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
Apr 30 08:57:04 [email protected] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
Apr 30 08:57:04 [email protected] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
Apr 30 08:57:04 [email protected] at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
Apr 30 08:57:04 [email protected] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
Apr 30 08:57:04 [email protected] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
Apr 30 08:57:04 [email protected] at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)
Apr 30 08:57:04 [email protected] at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)
Apr 30 08:57:04 [email protected] at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
Apr 30 08:57:04 [email protected] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
Apr 30 08:57:04 [email protected] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
Apr 30 08:57:04 [email protected] at java.lang.Thread.run(Thread.java:722)
The same with CAS:
Apr 30 08:59:58 127.0.0.1/127.0.0.1 1 2013-04-30T06:59:58.104Z tomcat http-bio-8080-exec-4 21438 192.168.1.10 - - [30/Apr/2013:06:59:58 +0000] "GET /cas/ HTTP/1.1" 302 -
Apr 30 08:59:58 127.0.0.1/127.0.0.1 1 2013-04-30T06:59:58.937Z tomcat http-bio-8080-exec-5 21438 192.168.1.10 - - [30/Apr/2013:06:59:58 +0000] "GET /cas/login HTTP/1.1" 401 954
Apr 30 08:59:59 [email protected] 2013-04-30 06:59:58,761 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Setting path for cookies to: /cas/>
Apr 30 08:59:59 [email protected] jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException
Apr 30 08:59:59 [email protected] at jcifs.spnego.Authentication.processKerberos(Authentication.java:447)
Apr 30 08:59:59 [email protected] at jcifs.spnego.Authentication.processSpnego(Authentication.java:346)
Apr 30 08:59:59 [email protected] at jcifs.spnego.Authentication.process(Authentication.java:235)
Apr 30 08:59:59 [email protected] at org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler.doAuthentication(JCIFSSpnegoAuthenticationHandler.java:70)
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate_aroundBody2(AbstractPreAndPostProcessingAuthenticationHandler.java:85)
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate_aroundBody3$advice(AbstractPreAndPostProcessingAuthenticationHandler.java:57)
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate(AbstractPreAndPostProcessingAuthenticationHandler.java:1)
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticateAndObtainPrincipal(AuthenticationManagerImpl.java:93)
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate_aroundBody0(AbstractAuthenticationManager.java:57)
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate_aroundBody1$advice(AbstractAuthenticationManager.java:57)
Apr 30 08:59:59 [email protected] at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:1)
Apr 30 08:59:59 [email protected] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[... 149 more]
Apr 30 08:59:59 [email protected] Caused by: java.lang.reflect.InvocationTargetException
Apr 30 08:59:59 [email protected] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Apr 30 08:59:59 [email protected] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
Apr 30 08:59:59 [email protected] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Apr 30 08:59:59 [email protected] at java.lang.reflect.Method.invoke(Method.java:601)
Apr 30 08:59:59 [email protected] at jcifs.spnego.Authentication$ServerAction.run(Authentication.java:511)
Apr 30 08:59:59 [email protected] at jcifs.spnego.Authentication.processKerberos(Authentication.java:430)
Apr 30 08:59:59 [email protected] ... 160 more
Apr 30 08:59:59 [email protected] Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
Apr 30 08:59:59 [email protected] at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:81)
Apr 30 08:59:59 [email protected] at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:126)
Apr 30 08:59:59 [email protected] at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:192)
Apr 30 08:59:59 [email protected] at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:406)
Apr 30 08:59:59 [email protected] at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
Apr 30 08:59:59 [email protected] at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:153)
Apr 30 08:59:59 [email protected] ... 166 more
Apr 30 08:59:59 [email protected] Caused by: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication
Apr 30 08:59:59 [email protected] at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:796)
Apr 30 08:59:59 [email protected] at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:667)
Apr 30 08:59:59 [email protected] at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:580)
Apr 30 08:59:59 [email protected] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Apr 30 08:59:59 [email protected] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
Apr 30 08:59:59 [email protected] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Apr 30 08:59:59 [email protected] at java.lang.reflect.Method.invoke(Method.java:601)
Apr 30 08:59:59 [email protected] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
Apr 30 08:59:59 [email protected] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
Apr 30 08:59:59 [email protected] at javax.security.auth.login.LoginContext$5.run(LoginContext.java:721)
Apr 30 08:59:59 [email protected] at javax.security.auth.login.LoginContext$5.run(LoginContext.java:719)
Apr 30 08:59:59 [email protected] at java.security.AccessController.doPrivileged(Native Method)
Apr 30 08:59:59 [email protected] at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:718)
Apr 30 08:59:59 [email protected] at javax.security.auth.login.LoginContext.login(LoginContext.java:590)
Apr 30 08:59:59 [email protected] at sun.security.jgss.GSSUtil.login(GSSUtil.java:255)
Apr 30 08:59:59 [email protected] at sun.security.jgss.krb5.Krb5Util.getServiceCreds(Krb5Util.java:334)
Apr 30 08:59:59 [email protected] at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:76)
Apr 30 08:59:59 [email protected] at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:74)
Apr 30 08:59:59 [email protected] at java.security.AccessController.doPrivileged(Native Method)
Apr 30 08:59:59 [email protected] at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:73)
Apr 30 08:59:59 [email protected] ... 171 more
Apr 30 08:59:59 [email protected] 2013-04-30 06:59:59,163 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler failed authenticating unknown>
Apr 30 08:59:59 [email protected] 2013-04-30 06:59:59,171 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
Apr 30 08:59:59 [email protected] =============================================================
Apr 30 08:59:59 [email protected] WHO: unknown
Apr 30 08:59:59 [email protected] WHAT: supplied credentials: unknown
Apr 30 08:59:59 [email protected] ACTION: AUTHENTICATION_FAILED
Apr 30 08:59:59 [email protected] APPLICATION: CAS
Apr 30 08:59:59 [email protected] WHEN: Tue Apr 30 06:59:59 GMT 2013
Apr 30 08:59:59 [email protected] CLIENT IP ADDRESS: 192.168.1.10
Apr 30 08:59:59 [email protected] SERVER IP ADDRESS: 192.168.1.29
Apr 30 08:59:59 [email protected] =============================================================
Apr 30 08:59:59 [email protected] >
Apr 30 08:59:59 [email protected] 2013-04-30 06:59:59,174 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
Apr 30 08:59:59 [email protected] =============================================================
Apr 30 08:59:59 [email protected] WHO: unknown
Apr 30 08:59:59 [email protected] WHAT: :jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException
Apr 30 08:59:59 [email protected] ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
Apr 30 08:59:59 [email protected] APPLICATION: CAS
Apr 30 08:59:59 [email protected] WHEN: Tue Apr 30 06:59:59 GMT 2013
Apr 30 08:59:59 [email protected] CLIENT IP ADDRESS: 192.168.1.10
Apr 30 08:59:59 [email protected] SERVER IP ADDRESS: 192.168.1.29
Apr 30 08:59:59 [email protected] =============================================================
Apr 30 08:59:59 [email protected] >
Output of all *conf files; I believe my jaas.conf is correct. If CAS is not deployed, SPNEGO works. The output of 'git diff 0a9330fd0758e6a19a6491b1e191651623408a89 - tomcat7 default/tomcat7' is at http://paste.ubuntu.com/5626376/ and the output of git diff 3d44888d193d541d97d8410db1c5320fd8d734ab - share/tomcat7* is at http://paste.ubuntu.com/5626378/ – 2013-05-02 16:17:40
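What bugs me is that you have specified the appName as "PortalRealm" in the JAAS realm, while you have no such entry in jaas.conf. I don't know whether this will solve your problem, but you can try two things. First, define an entry in the tomcat jaas.conf using PortalRealm and isInitiator=false. Second, set the option -Djava.security.auth.login.config="your path" to be absolutely sure that CAS does not set some other JAAS file during startup – 2013-05-05 18:21:11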
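I think I found the problem. I was experimenting with my tomcat and trying to reproduce the issue. The JAAS realm is only invoked when a client tries to access it (in your case that is CAS). Write an entry in your tomcat jaas.conf in the following format: PortalRealm {com.sun.security.auth.module.Krb5LoginModule required ...}; and fill it with the same options you specified in the accept entry – 2013-05-07 11:46:36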
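A diagnostic for the two failures in the logs above, added here as an example and not part of the original thread: it asks the JVM's JAAS Configuration whether the entry names that appear on this page (com.sun.security.jgss.krb5.accept from the log, PortalRealm from the comments) can be resolved from the login configuration file in effect. The class name JaasEntryCheck is hypothetical.

```java
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
// Added diagnostic (hypothetical class name). Run it with Tomcat's JVM option:
//   java -Djava.security.auth.login.config=<path to jaas.conf> JaasEntryCheck
public class JaasEntryCheck {
    // Entry names taken from the log output and the comments on this page.
    static final String[] NAMES = {
        "com.sun.security.jgss.krb5.accept", "PortalRealm" };
    // True when the entry resolves and looks usable on the accepting side.
    static boolean check(Configuration cfg, String name) {
        AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(name);
        if (entries == null || entries.length == 0) {
            System.out.println("MISSING " + name
                + " (LoginContext fails: No LoginModules configured)");
            return false;
        }
        boolean ok = true;
        for (AppConfigurationEntry e : entries) {
            Map<String, ?> opts = e.getOptions();
            System.out.println("FOUND   " + name + " -> " + e.getLoginModuleName()
                + " principal=" + opts.get("principal")
                + " keyTab=" + opts.get("keyTab"));
            if (opts.get("principal") == null) {
                // No principal and no callback handler: the service login has no name.
                System.out.println("  WARN  no principal option");
                ok = false;
            }
            if (!"false".equals(String.valueOf(opts.get("isInitiator")))) {
                System.out.println("  WARN  isInitiator is not false");
            }
        }
        return ok;
    }
    public static void main(String[] args) {
        System.out.println("java.security.auth.login.config = "
            + System.getProperty("java.security.auth.login.config"));
        boolean allOk = true;
        try {
            Configuration cfg = Configuration.getConfiguration();
            for (String n : NAMES) allOk &= check(cfg, n);
        } catch (SecurityException ex) { // no readable login configuration
            System.out.println("No JAAS configuration loaded: " + ex.getMessage());
            allOk = false;
        }
        System.exit(allOk ? 0 : 1);
    }
}
```

Running it once against Tomcat's jaas.conf and once against any login configuration file that CAS is set up to load shows which file lacks the accept or PortalRealm entry.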