带Linux客户端的401 SPNEGO SSO

2022-04-19 00:00:00 kerberos linux spring java spnego

我无法在Spnego下的Spring Security Web应用程序上将我的Ubuntu VM配置为单点登录。我做错了什么吗?还是我错过了什么?

我已经在Windows 7虚拟机上进行了SSO,所以我相信它是特定于Linux的。

下面详细介绍了我的配置。


基础设施

我有四台计算机,它们在两个不同的硬件上运行:

  1. WIN-SRV2008.company.local:运行Windows Server 2008的VM KDC(硬件A)
  2. TOMCAT.company.local:运行Tomcat 7Web应用程序(硬件A)
  3. W7-CLIENT.company.local:运行SSO的VM Windows 7客户端(硬件B)
  4. U-CLIENT.company.local:SSO无法工作的VM Ubuntu 17.10.1客户端(硬件B)

SPN

我的SPN、krb5.inilogin.conf基于this thread's description。


Spnego

我基本上遵循Spring Security Kerberos - Reference Documentation,只是去掉表单登录,结果是:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${kerberos.service-principal}")
    private String servicePrincipal;

    @Value("${kerberos.keytab-location}")
    private String keytabLocation;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        AffirmativeBased affirmativeBased = new AffirmativeBased(Arrays.asList(new RoleVoter(),new WebExpressionVoter()));
        http
            .authorizeRequests().accessDecisionManager(affirmativeBased)
            .anyRequest().authenticated()
            .and()
        .httpBasic()
            .authenticationEntryPoint(entryPoint())
            .and()
        .logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .and()
        .addFilterBefore(
                    spnegoAuthenticationProcessingFilter(authenticationManagerBean()),
                    BasicAuthenticationFilter.class)
        .sessionManagement()
        .invalidSessionUrl("/login")
        .maximumSessions(1)
        .maxSessionsPreventsLogin(true)
        .sessionRegistry(sessionRegistry());
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .authenticationProvider(kerberosAuthenticationProvider())
            .authenticationProvider(kerberosServiceAuthenticationProvider());
    }

    @Bean
    public SpnegoEntryPoint entryPoint() {
        return new SpnegoEntryPoint();
    }

    @Bean
    public KerberosAuthenticationProvider kerberosAuthenticationProvider() {
        LoginKerberosAuthentication provider = new LoginKerberosAuthentication();
        SunJaasKerberosClient client = new SunJaasKerberosClient();
        client.setDebug(true);
        provider.setKerberosClient(client);
        provider.setUserDetailsService(usuarioDetailsService());
        return provider;
    }

    @Bean
    public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
        AuthenticationManager authenticationManager) {
        SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
        filter.setAuthenticationManager(authenticationManager);
        return filter;
    }

    @Bean
    public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
        KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
        provider.setTicketValidator(sunJaasKerberosTicketValidator());
        provider.setUserDetailsService(usuarioDetailsService());
        return provider;
    }

    @Bean
    public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
        SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
        ticketValidator.setServicePrincipal(servicePrincipal);
        ticketValidator.setKeyTabLocation(new FileSystemResource(keytabLocation));
        ticketValidator.setDebug(true);
        return ticketValidator;
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public UsuarioDetailsService usuarioDetailsService() {
        return new UsuarioDetailsService();
    }

Ubuntu客户端

要加入域,我执行了以下步骤:

sudo apt-get install realmd krb5-user software-properties-common python-software-properties packagekit

sudo realm join COMPANY.local -U 'administrator@COMPANY.LOCAL' -v

直到我使用以下命令生成Kerberos票证:

kinit my_ubuntu_user@COMPANY.local

我实际使用klist检查了缓存,结果是:

Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: my_ubuntu_user@COMPANY.local

Valid starting        Expires                Service principal
30/10/2018 17:25:47   31/10/2018 03:25:47    krbtgt/COMPANY.local@COMPANY.local
            renew until 31/10/2018 17:25:43

最后,我使用:

成功进行了身份验证
sudo su my_ubuntu_user@COMPANY.local

SSO-问题

当我尝试使用Firefox(使用受信任站点配置)访问我的应用程序主页时,就像我在Windows 7客户端上所做的那样,我只得到the 401 Negotiate header,并且不发送响应令牌。 这意味着,当我向SpnegoEntryPoint构造函数输入实际的url时,我会被重定向到此回退。


提前谢谢您


解决方案

多亏了Samson的评论,我才能让它工作。

我确实通过执行sudo su my_ubuntu_user@COMPANY.local切换到空缓存,这使我的应用程序登录响应401。

相关文章