我将 Kerberos Mod 与 apache 一起使用,以在我们托管在 Ubuntu 服务器上的内部网站上对 Windows 用户进行身份验证。获取数据的后端是tomcat。有问题的站点向 https://siteName/user/logMeIn 发出 GET 请求.当我尝试从标题中获取用户名时,它不存在。
我试过添加 RequestHeader 设置 X-Remote-User expr=%{REMOTE_USER} RequestHeader 设置 X-REMOTE-USER %{REMOTE_USER}s 在不同的场合到 apache 虚拟主机文件
apache 虚拟主机文件
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin [serverAdmin]
ServerName [SiteName]
ServerAlias [SiteName]
DocumentRoot [Directory]
JkMount /ConferenceSchedulerService/* ConferenceSchedulerServicetomcat
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile [CertFilePath]
SSLCertificateKeyFile [CertKeyFilePath]
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
<Directory "/var/www/schedulemeetingtestcom/html">
AuthzSendForbiddenOnFailure On
Options None
AllowOverride None
Order allow,deny
Allow from all
AuthName "SSO Failed please enter you windows login"
AuthType Kerberos
KrbAuthRealms CORP.COMPANYNAME.COM
KrbServiceName HTTP/schedulemeetingtest.com
#KrbServiceName Any
Krb5KeyTab /etc/krb5.keytab
KrbMethodK5Passwd off
KrbLocalUserMapping on
KrbSaveCredentials on
SSLRequireSSL
Require valid-user
RequestHeader set X-Remote-User expr=%{REMOTE_USER}
#RequestHeader set X-REMOTE-USER %{REMOTE_USER}s
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
Java Spring 代码
@Controller
@RequestMapping("/user")
public class UserController extends BaseController {
@Autowired
ApplicationUserAccessLdapService ldapSrv;
@Autowired
private HttpServletRequest request;
@PostMapping(value="/logMeIn")
public ResponseEntity<?> auth(
){
request.getHeaderNames().toString();
Enumeration<String> header = request.getHeaderNames();
Map<String, String> map = new HashMap<String, String>();
while (header.hasMoreElements()) {
String key = (String) header.nextElement();
String value = request.getHeader(key);
map.put(key, value);
}
try{
map.put("RemoteUserName", request.getRemoteUser());
}catch(Exception e){
map.put("RemoteUserName", "Unknown");
}
try{
map.put("RemoteAddress", request.getRemoteAddr());
}catch(Exception e){
map.put("RemoteAddress", "Unknown");
}
try{
map.put("AuthType", request.getAuthType());
}catch(Exception e){
map.put("AuthType", "Unknown");
}
try{
map.put("SeverletPath", request.getServletPath());
}catch(Exception e){
map.put("SeverletPath", "Unknown");
}
try{
map.put("PrincipalName", request.getUserPrincipal().getName());
}catch(Exception e){
map.put("PrincipalName", "Unknown");
}
return new ResponseEntity(map,HttpStatus.OK);
}
}
我根本没有得到用户名,可能是因为 kerberos mod 在初始身份验证后没有传递用户名。但我仍然需要它 以下是 get 请求的响应
接受编码:“gzip、deflate、br”
接受语言:“en-US,en;q=0.9”
授权类型:null
来源:“https://schedulemeetingtest.riverstonegroup.com”
校长姓名:“未知”
远程地址:“192.168.93.140”
远程用户名:空
Sec-Fetch-Mode: "cors"
Sec-Fetch-Site: "同源"
服务器路径:“/用户/logMeIn”
接受:“应用程序/json,文本/纯文本,/”
连接:“保持事件状态”
内容长度:“0”
内容类型:“应用程序/x-www-form-urlencoded”
主办方:“schedulemeetingtest.riverstonegroup.com”
推荐人:“https://schedulemeetingtest.riverstonegroup.com/”
用户代理:“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,如 Gecko)Chrome/76.0.3809.132 Safari/537.36"
我希望看到的是 RemoteUserName 显示用户不为空
最佳答案
我想出了我的问题
在目录中
目录“/var/www/schedulemeetingtestcom/html”
我把它改成了
位置/
关于apache - 我如何将经过身份验证的用户从 apache kerberos 传递到 tomcat GET 请求,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/57891947/