使用Kerberos進行域身份驗證失敗

Question

我的應用程序使用Grails，Spring，Kerberos。

的applicationContext.xml

<beans 
    ... 
    <sec:http entry-point-ref="spnegoEntryPoint"> 
     <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" /> 
     <sec:custom-filter ref="spnegoAuthenticationProcessingFilter" 
      position="BASIC_AUTH_FILTER" /> 
    </sec:http> 

    <bean id="spnegoEntryPoint" 
     class="org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint" /> 

    <bean id="spnegoAuthenticationProcessingFilter" 
     class="org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter"> 
     <property name="authenticationManager" ref="authenticationManager" /> 
    </bean> 

    <sec:authentication-manager alias="authenticationManager"> 
     <sec:authentication-provider ref="kerberosServiceAuthenticationProvider" /> 
    </sec:authentication-manager> 

    <bean id="kerberosServiceAuthenticationProvider" 
     class="org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider"> 
     <property name="ticketValidator"> 
      <bean class="org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator"> 
       <property name="servicePrincipal" value="HTTP/my.host.com@MY.DOMAIN.COM" /> 
       <property name="keyTabLocation" value="file:/u/tomcat/app/apache-tomcat-7.0.11/lib/http-web.keytab"/> 
       <property name="debug" value="true" /> 
      </bean> 
     </property> 
     <property name="userDetailsService" ref="dummyUserDetailsService" /> 
    </bean> 

    <bean class="org.springframework.security.kerberos.authentication.sun.GlobalSunJaasKerberosConfig"> 
     <property name="debug" value="true" /> 
     <property name="krbConfLocation" value="/etc/krb5.conf" /> 
    </bean> 

    <bean id="dummyUserDetailsService" 
     class="com.spring.security.kerberos.sample.user.DummyUserDetailsService" /> 
</beans> 

當我部署我的應用程序，並在瀏覽器中輸入我的域名登錄/密碼，我得到提琴手以下請求：

GET http://my.host.com:8080/myapp HTTP/1.1 
Accept: text/html, application/xhtml+xml, */* 
Accept-Language: ru-RU 
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko 
Accept-Encoding: gzip, deflate 
Host: my.host.com:8080 
Cookie: JSESSIONID=EDE49792033A8FC877427704DBE26D85 
Proxy-Connection: Keep-Alive 
DNT: 1 
Authorization: Negotiate YIIHDw...= 

據我瞭解， Kerberos域身份驗證成功。但在網頁上我看到：

java.lang.NullPointerException 
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:162) 
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:151) 
at java.security.AccessController.doPrivileged(Native Method) 
at javax.security.auth.Subject.doAs(Subject.java:422) 
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:66) 
at org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:64) 
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) 
.... 

NPE出現在行

String user = context.getSrcName().toString(); 

因爲context.getSrcName（）== NULL。 有什麼不對？

P.S .:另外一個時刻：當我輸入錯誤密碼時，它再次向我詢問。

Answer 1

我找到了解決方案：只是將jdk1.8更改爲jdk1.7。