Java single sign-on: Kerberos authentication against Active Directory

Tags: java authentication active-directory single-sign-on kerberos

I'm still trying to find a Java-based solution for SSO (running on *nix) that I can use on JBoss to authorize against Active Directory / a domain controller. I originally tried doing this via NTLM, but gave up because Windows Server >= 2008 doesn't support it.

So I'm trying to do it with Kerberos instead, but I can't seem to find a correct/working solution. Please point me in the right direction: explain how to set up such a configuration and how to validate against Active Directory and/or the domain controller in order to:

  1. find out whether an account is valid
  2. get the list of the user's groups

Any help is appreciated!


Update

I'm looking into a solution using jcifs-ext-0.9.4 and jcifs-krb5-1.3.12. I set up web.xml as follows:

<web-app>
  <!-- servlet / servlet-mapping / welcome-file-list skipped -->

  <filter>
    <filter-name>auth</filter-name>
    <filter-class>jcifs.http.AuthenticationFilter</filter-class>

    <init-param>
      <param-name>java.security.auth.login.config</param-name>
      <param-value>/WEB-INF/login.conf</param-value>
    </init-param>

    <init-param>
      <param-name>jcifs.spnego.servicePrincipal</param-name>
      <param-value>HTTP/testconn@mydomain.com</param-value>
    </init-param>

    <init-param>
      <param-name>jcifs.spnego.servicePassword</param-name>
      <param-value>supersecret</param-value>
    </init-param>

    <init-param>
      <param-name>sun.security.krb5.debug</param-name>
      <param-value>true</param-value>
    </init-param>

    <init-param>
      <param-name>java.security.krb5.realm</param-name>
      <param-value>mydomain.com</param-value>
    </init-param>

    <init-param>
      <param-name>java.security.krb5.kdc</param-name>
      <!-- no trailing whitespace: the value is used verbatim as the KDC host name -->
      <param-value>testdom01.mydomain.com</param-value>
    </init-param>

    <init-param>
      <param-name>jcifs.smb.client.domain</param-name>
      <param-value>TESTDOMAIN</param-value>
    </init-param>

    <init-param>
      <param-name>jcifs.http.enableNegotiate</param-name>
      <param-value>true</param-value>
    </init-param>

    <init-param>
      <param-name>jcifs.http.basicRealm</param-name>
      <param-value>mydomain.com</param-value>
    </init-param>

    <init-param>
      <param-name>jcifs.http.domainController</param-name>
      <param-value>testdom01.mydomain.com</param-value>
    </init-param>
  </filter>

  <filter-mapping>
    <filter-name>auth</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>

Trying to access the application results in the following stack trace:

2010-07-22 15:53:10,588 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/google].[default]] Servlet.service() for servlet default threw exception
java.lang.ArrayIndexOutOfBoundsException
        at java.lang.System.arraycopy(Native Method)
        at jcifs.ntlmssp.Type2Message.toByteArray(Type2Message.java:261)
        at jcifs.spnego.Authentication.processNtlm(Authentication.java:265)
        at jcifs.spnego.Authentication.process(Authentication.java:233)
        at jcifs.http.Negotiate.authenticate(Negotiate.java:46)
        at jcifs.http.AuthenticationFilter.doFilter(AuthenticationFilter.java:192)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
        at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
        at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
        at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
        at java.lang.Thread.run(Thread.java:619)

Any help is appreciated.

Best answer

You'll actually need to use LDAP for this. Fortunately, Java has solid support for both Kerberos and LDAP. The detailed process is described at http://java.sun.com/products/jndi/tutorial/ldap/security/gssapi.html .

Overview of the steps:

  • Authenticate to Kerberos
  • Assume the user's identity using Kerberos
  • Perform a GSSAPI bind to the Active Directory LDAP server
  • Retrieve the group list via LDAP
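The four steps above, carried through as one added example (not code from the answer or from any library on this page). It uses only standard JDK APIs: a JAAS Krb5LoginModule login to obtain the TGT, Subject.doAs so that the JNDI GSSAPI bind runs under that Kerberos identity, and an LDAP search that returns the user's memberOf values and userAccountControl. The JAAS entry name AdClient, the LDAP URL, the base DN and the sample user jdoe are assumptions; the host and realm follow the question's example domain.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

/*
 * Assumed JAAS configuration (pass with -Djava.security.auth.login.config=jaas.conf):
 *
 *   AdClient {
 *     com.sun.security.auth.module.Krb5LoginModule required
 *       useTicketCache=true doNotPrompt=true;
 *   };
 *
 * Realm and KDC come from krb5.conf or -Djava.security.krb5.realm / -Djava.security.krb5.kdc.
 */
public class AdGroupLookup {
    // Assumed values matching the question's domain; adjust for your own AD forest.
    static final String LDAP_URL = "ldap://testdom01.mydomain.com:389";
    static final String BASE_DN  = "DC=mydomain,DC=com";
    static final int ACCOUNTDISABLE = 0x0002;   // userAccountControl bit for a disabled account

    public static void main(String[] args) throws Exception {
        String user = args.length > 0 ? args[0] : "jdoe";   // sAMAccountName to look up (assumed)
        // Steps 1-2: authenticate to Kerberos via JAAS; the Subject now carries the TGT.
        LoginContext lc = new LoginContext("AdClient");
        lc.login();
        try {
            // Steps 3-4: run the LDAP work as that Subject so the GSSAPI bind uses its ticket.
            List<String> groups = Subject.doAs(lc.getSubject(),
                    (PrivilegedExceptionAction<List<String>>) () -> lookupGroups(user));
            groups.forEach(System.out::println);
        } catch (PrivilegedActionException e) {
            throw e.getException();
        } finally {
            lc.logout();
        }
    }

    /** GSSAPI (Kerberos) bind to AD, then read the user's memberOf and disabled flag. */
    static List<String> lookupGroups(String sAMAccountName) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // Negotiate SASL integrity+confidentiality so the session is signed and sealed;
        // an unsigned GSSAPI bind is refused when AD enforces LDAP server signing.
        env.put("javax.security.sasl.qop", "auth-conf");

        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"memberOf", "userAccountControl"});
            // Escape the caller-supplied value (RFC 4515) so it cannot rewrite the filter.
            String filter = "(&(objectClass=user)(sAMAccountName="
                    + escapeFilter(sAMAccountName) + "))";

            NamingEnumeration<SearchResult> results = ctx.search(BASE_DN, filter, sc);
            if (!results.hasMore()) {
                throw new NameNotFoundException("no such user: " + sAMAccountName);
            }
            SearchResult entry = results.next();

            Attribute uac = entry.getAttributes().get("userAccountControl");
            if (uac != null && (Integer.parseInt((String) uac.get()) & ACCOUNTDISABLE) != 0) {
                throw new SecurityException("account is disabled: " + sAMAccountName);
            }

            List<String> groups = new ArrayList<>();
            Attribute memberOf = entry.getAttributes().get("memberOf");
            if (memberOf != null) {
                NamingEnumeration<?> dns = memberOf.getAll();
                while (dns.hasMore()) {
                    groups.add((String) dns.next());   // group DNs, e.g. CN=Dev,OU=Groups,DC=...
                }
            }
            return groups;
        } finally {
            ctx.close();
        }
    }

    /** RFC 4515 escaping for values embedded in an LDAP search filter. */
    static String escapeFilter(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Two caveats for question 1 and 2 from the post. A Kerberos login with the user's own credentials already answers "is the account valid": the KDC refuses the AS exchange for a disabled, expired or locked account, so lc.login() throws before any LDAP traffic; the userAccountControl check above only matters when the bind runs as a service account on the user's behalf. And memberOf lists direct group membership only, not the primary group and not nested groups; for the transitive set read the constructed tokenGroups attribute of the user entry, or search groups with the LDAP_MATCHING_RULE_IN_CHAIN filter (member:1.2.840.113556.1.4.1941:=<userDN>).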

Regarding Java single sign-on: Kerberos authentication against Active Directory, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/3118799/
