kerberos - IBM JDK issue: Kerberos: Cannot authenticate keytab with credsType=both in JAAS

Tags: kerberos jaas gssapi ibm-jdk

I have a service-to-service model in which a keytab is used for Kerberos authentication.

In this model I define the login configuration as follows:

import java.util.HashMap;
import java.util.Map;

import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

public class GSSIbmLoginConfiguration extends Configuration {

    private final AppConfigurationEntry configEntry;

    // KerberosCredentialUsage is an application-defined type that is not shown here;
    // the constructor accepts it but does not use it.
    public GSSIbmLoginConfiguration(String principal,
                                    String credentialCache,
                                    String keytab,
                                    KerberosCredentialUsage usage) {
        Map<String, String> params = new HashMap<String, String>();

        // IBM Krb5LoginModule options: ask for both initiator and acceptor credentials
        params.put("credsType", "both");
        params.put("renewable", Boolean.TRUE.toString());
        params.put("principal", principal);

        if (credentialCache != null) {
            params.put("useCcache", credentialCache);
        }

        if (keytab != null) {
            params.put("useKeytab", keytab);
        }

        configEntry = new AppConfigurationEntry(
                "com.ibm.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, params);
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        // The same single entry is returned whatever application name is requested
        return new AppConfigurationEntry[] { configEntry };
    }
}

This login configuration acts as a replacement for jaas.conf.

Now I try the login method of LoginContext, which works. Then I get the Subject from it.

Now I perform a privileged action using this Subject.

import java.security.PrivilegedExceptionAction;

import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

// Nested inside the class that calls Subject.doAs(subject, new SubjectAction(...))
private static final class SubjectAction implements PrivilegedExceptionAction<GSSCredential> {

    // Kerberos V5 mechanism OID (the "mech 1.2.840.113554.1.2.2" that appears in the logs below)
    private static final Oid KRB5_MECH_ID;
    static {
        try {
            KRB5_MECH_ID = new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    private final int credentialType;     // stored but not used: run() always asks for INITIATE_AND_ACCEPT

    private final int credentialLifetime;

    private SubjectAction(int credType, int lifetime) {
        credentialType = credType;
        credentialLifetime = lifetime;
    }

    public GSSCredential run() throws GSSException {
        GSSManager gssManager = GSSManager.getInstance();
        return gssManager.createCredential(null, credentialLifetime, KRB5_MECH_ID,
                GSSCredential.INITIATE_AND_ACCEPT);
    }
}

This fails. The relevant logs (which I dug out after setting the logging system property):

[JGSS_DBG_CRED]  localhost-startStop-1 Creating mech cred for null, mech 1.2.840.113554.1.2.2, usage initiate and accept
[JGSS_DBG_PROV]  localhost-startStop-1 Provider Entry: provider: IBMJGSSProvider, mechanism: 1.3.6.1.5.5.2 get Factory for mech: 1.2.840.113554.1.2.2 GSSCaller:
[JGSS_DBG_PROV]  localhost-startStop-1 Provider Entry: provider: IBMJGSSProvider, mechanism: 1.2.840.113554.1.2.2 get Factory for mech: 1.2.840.113554.1.2.2 GSSCaller:
[JGSS_DBG_PROV]  localhost-startStop-1 Created new (empty) factory list (size=1) for provider IBMJGSSProvider version 7.0
[JGSS_DBG_PROV]  localhost-startStop-1 Loading factory
[JGSS_DBG_PROV]  localhost-startStop-1 Factory class name for provider IBMJGSSProvider version 7.0 is com.ibm.security.jgss.mech.krb5.Krb5MechFactory
[JGSS_DBG_PROV]  localhost-startStop-1 Prior to load
[JGSS_DBG_PROV]  localhost-startStop-1 Done to load
[JGSS_DBG_PROV]  localhost-startStop-1 Loaded factory for provider IBMJGSSProvider version 7.0
[JGSS_DBG_PROV]  localhost-startStop-1 Loaded factory ok
[JGSS_DBG_PROV]  localhost-startStop-1 getFactory: index = 1 found factory caller = com.ibm.security.jgss.GSSCaller@e7d4b6d7
[JGSS_DBG_CRED]  localhost-startStop-1  usage: initiate and subject
[JGSS_DBG_CRED]  localhost-startStop-1 Obtaining creds from Krb5Util.ServiceCreds for default service
[JGSS_DBG_CRED]  localhost-startStop-1 Found key for isp/ISPNode1/ISPDomain@INFAKRB.INFADEV.COM(1)
[JGSS_DBG_CRED]  localhost-startStop-1 Found key for isp/ISPNode1/ISPDomain@INFAKRB.INFADEV.COM(23)
[JGSS_DBG_CRED]  localhost-startStop-1 Found key for isp/ISPNode1/ISPDomain@INFAKRB.INFADEV.COM(3)
[JGSS_DBG_CRED]  localhost-startStop-1 Found key for isp/ISPNode1/ISPDomain@INFAKRB.INFADEV.COM(17)
[JGSS_DBG_CRED]  localhost-startStop-1 acquiring creds for isp/ISPNode1/ISPDomain@INFAKRB.INFADEV.COM

Now, the really confusing part is this:

[JGSS_DBG_CRED]  localhost-startStop-1 Creating mech cred for null, mech 1.2.840.113554.1.2.2, usage initiate and accept
and then:
[JGSS_DBG_PROV]  localhost-startStop-1 getFactory: index = 1 found factory caller = com.ibm.security.jgss.GSSCaller@e7d4b6d7
[JGSS_DBG_CRED]  localhost-startStop-1  usage: initiate and subject

The first part is createCredential itself. The second, however, appears to be for some mechanism-factory-related call (in this case Kerberos). After that, it starts file-based credential cache authentication.

[KRB_DBG_CCHE] FileCredentialsCache:localhost-startStop-1:   >>>KinitOptions cache name is /export/home/ispqa95/krb5cc_ispqa95
[KRB_DBG_CCHE] FileCredentialsCache:localhost-startStop-1:   >>> FileCredentialsCache default name is: /export/home/ispqa95/krb5cc_ispqa95
[KRB_DBG_CCHE] FileCredentialsCache:localhost-startStop-1:   >>>FileCredentialsCache: read ccache version 0x503
[KRB_DBG_KDC] KrbDataInputStream:localhost-startStop-1:   >>>KrbDataInputStream: Bytes read: 0000: 49 4e 46 41 4b 52 42 2e  49 4e 46 41 44 45 56 2e  INFAKRB.INFADEV.
0010: 43 4f 4d                                           COM

[KRB_DBG_KDC] KrbDataInputStream:localhost-startStop-1:   >>> CCacheInputStream: equiv string: INFAKRB.INFADEV.COM
[KRB_DBG_CCHE] CCacheInputStream:localhost-startStop-1:   >>> readPrincipal: read realm INFAKRB.INFADEV.COM
[KRB_DBG_KDC] KrbDataInputStream:localhost-startStop-1:   >>>KrbDataInputStream: Bytes read: 0000: 6e 61 67 61 72 6c 61                               nagarla

This means the mechanism factory is somehow getting the wrong values.

I tried decompiling the IBM jar (ibmjgssprovider.jar), but the class names inside appear to be obfuscated (replaced with a, b, xy, etc.).

This ultimately results in: java.io.IOException: Primary principals don't match

Because it is proprietary, I am having a hard time figuring out IBM's behaviour. OpenJDK hasn't been much help.

Can anyone help? Could some system property set by my product be causing this behaviour?

I am trying to check all possible system properties at execution time. Please let me know if anything else is needed.

Also, can someone point me to some IBM JDK security forums? I would like to post this question there as well.

Accepted answer

OK, I figured out how to fix this:

The system property:

-Djavax.security.auth.useSubjectCredsOnly=true 

must be set during startup; otherwise the credentials IBM uses are the default credentials (on AIX it tries to obtain them from the file-based credential cache).

Regarding "kerberos - IBM JDK issue: Kerberos: Cannot authenticate keytab with credsType=both in JAAS", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/19707616/
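As an added example (not code from the original post, and not IBM's own), the following program ties the question's programmatic JAAS configuration to the accepted answer's fix: it forces javax.security.auth.useSubjectCredsOnly=true before the first GSS call, logs in from a keytab with the IBM Krb5LoginModule, and acquires an INITIATE_AND_ACCEPT credential inside Subject.doAs. The module class name, the option names (credsType, principal, useKeytab) and the Kerberos mechanism OID are taken from the question and its logs; the principal, the keytab path and the login-context name "keytab-service" are placeholder assumptions.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/* Added example, not from the original post: keytab login with the IBM module,
 * then credential acquisition from the Subject only (no default ccache fallback). */
public class KeytabAcceptorExample {

    /* Kerberos V5 mechanism OID, as printed in the JGSS_DBG_CRED log lines. */
    private static final Oid KRB5_MECH;
    static {
        try {
            KRB5_MECH = new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    /* jaas.conf replacement using the IBM option names from the question.
     * Deliberately no useCcache entry, so the module cannot be steered to a user's krb5cc file. */
    static Configuration keytabOnlyConfig(String principal, String keytab) {
        Map<String, String> opts = new HashMap<String, String>();
        opts.put("credsType", "both");
        opts.put("principal", principal);
        opts.put("useKeytab", keytab);
        final AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.ibm.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    /* Log in with the keytab and return the populated Subject ("keytab-service" is a placeholder name). */
    static Subject login(Configuration conf) throws LoginException {
        LoginContext lc = new LoginContext("keytab-service", null, null, conf);
        lc.login();
        return lc.getSubject();
    }

    /* Acquire an initiate-and-accept credential for the Subject's own principal. */
    static GSSCredential acquireBoth(Subject subject, final int lifetime) throws GSSException {
        try {
            return Subject.doAs(subject, new PrivilegedExceptionAction<GSSCredential>() {
                public GSSCredential run() throws GSSException {
                    GSSManager mgr = GSSManager.getInstance();
                    return mgr.createCredential(null, lifetime, KRB5_MECH,
                            GSSCredential.INITIATE_AND_ACCEPT);
                }
            });
        } catch (PrivilegedActionException e) {
            throw (GSSException) e.getException(); // run() only throws GSSException
        }
    }

    public static void main(String[] args) throws Exception {
        // The accepted answer's fix. Setting it here only helps if nothing has initialised JGSS
        // yet; -Djavax.security.auth.useSubjectCredsOnly=true on the command line is the safe form.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");

        // Placeholder principal and keytab path (assumptions; override via arguments).
        String principal = args.length > 0 ? args[0] : "HTTP/svc.example.com@EXAMPLE.COM";
        String keytab = args.length > 1 ? args[1] : "/etc/security/svc.keytab";

        Subject subject = login(keytabOnlyConfig(principal, keytab));
        GSSCredential cred = acquireBoth(subject, GSSCredential.INDEFINITE_LIFETIME);
        try {
            // Check that we got the keytab principal with both usages, not whoever owns the default ccache.
            if (cred.getUsage() != GSSCredential.INITIATE_AND_ACCEPT) {
                throw new IllegalStateException("unexpected credential usage " + cred.getUsage());
            }
            System.out.println("Acquired credential for " + cred.getName()
                    + " (remaining lifetime " + cred.getRemainingLifetime() + "s)");
        } finally {
            cred.dispose();
        }
    }
}
```

Run it on the IBM JDK with the keytab principal and path as arguments; if the printed name is the keytab principal rather than the owner of the default credential cache, the property took effect before the first GSS call.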
