使用HTTP客户端的Kerberos连接
我正在使用Kerberos身份validation编写HTTP连接。 我有“HTTP / 1.1 401 Unauthorized”。 你能告诉我应该检查什么吗? 我认为有一些想法,但我没有看到它。
可能我应该用“Negotiate”设置标题“WWW-Authenticate”?
非常感谢您提供任何帮助和想法。
public class ClientKerberosAuthentication { public static void main(String[] args) throws Exception { System.setProperty("java.security.auth.login.config", "login.conf"); System.setProperty("java.security.krb5.conf", "krb5.conf"); System.setProperty("sun.security.krb5.debug", "true"); System.setProperty("javax.security.auth.useSubjectCredsOnly","false"); DefaultHttpClient httpclient = new DefaultHttpClient(); try { NegotiateSchemeFactory nsf = new NegotiateSchemeFactory(); httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO, nsf); List authpref = new ArrayList(); authpref.add(AuthPolicy.BASIC); authpref.add(AuthPolicy.SPNEGO); httpclient.getParams().setParameter(AuthPNames.PROXY_AUTH_PREF, authpref); httpclient.getCredentialsProvider().setCredentials( new AuthScope(null, -1, AuthScope.ANY_REALM, AuthPolicy.SPNEGO), new UsernamePasswordCredentials("myuser", "mypass")); System.out.println("----------------------------------------"); HttpUriRequest request = new HttpGet("http://localhost:8084/web-app/webdav/213/_test.docx"); HttpResponse response = httpclient.execute(request); HttpEntity entity = response.getEntity(); System.out.println("----------------------------------------"); System.out.println(response.getStatusLine()); System.out.println("----------------------------------------"); if (entity != null) { System.out.println(EntityUtils.toString(entity)); } System.out.println("----------------------------------------"); // This ensures the connection gets released back to the manager EntityUtils.consume(entity); } finally { httpclient.getConnectionManager().shutdown(); } } }
SPNEGO将无法工作,因为您使用localhost
作为URL主机名。
您的服务器配置为从ActiveDirectory服务帐户上注册的HTTP/
开始的一组SPN(或至少一个)。 您可以通过setspn -l yourServiceAccount
从AD查询它们。
您的URL必须在ActiveDirectory中使用称为SPN的有效服务器主机名,以便Apache Http Client可以协商此服务的TGS并将其发送到您的服务器。
我有同样的问题,只是找到了你的post。 我为它添加了书签,以便在我修复它时发布答案。 我发布了一个链接到我的问题,有人回答了这个问题,所以如果有人通过Google发现这个问题,他们会找到答案:
当URL具有端口时,HttpClient在为AD创建SPN时出现问题。
在这里查看我的问题+答案: HttpClient检查Kerberos安全网页。 NTLM登录无效
这是我在项目中编写的测试客户端。 此客户端依赖于在JDK上启用的所有加密类型,
如果您在日志中看到以下内容,并且您的密钥表以256位默认etypes加密,则为default_tkt_enctypes: 17 16 23 1 3.
然后下载jar http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html需要下载并置于JDK/jre/lib/security
以启用AES256位加密后您应该在default_tkt_enctypes: 18 17 16 23 1 3.
日志默认etypes中看到以下内容default_tkt_enctypes: 18 17 16 23 1 3.
import java.io.IOException; import java.io.InputStream; import java.security.Principal; import java.security.PrivilegedAction; import java.util.Arrays; import java.util.HashMap; import java.util.HashSet; import java.util.Set; import javax.security.auth.Subject; import javax.security.auth.kerberos.KerberosPrincipal; import javax.security.auth.login.AppConfigurationEntry; import javax.security.auth.login.Configuration; import javax.security.auth.login.LoginContext; import org.apache.commons.io.IOUtils; import org.apache.http.HttpResponse; import org.apache.http.auth.AuthSchemeProvider; import org.apache.http.auth.AuthScope; import org.apache.http.auth.Credentials; import org.apache.http.client.CookieStore; import org.apache.http.client.HttpClient; import org.apache.http.client.config.AuthSchemes; import org.apache.http.client.config.CookieSpecs; import org.apache.http.client.config.RequestConfig; import org.apache.http.client.methods.HttpGet; import org.apache.http.client.methods.HttpUriRequest; import org.apache.http.config.Lookup; import org.apache.http.config.RegistryBuilder; import org.apache.http.impl.auth.SPNegoSchemeFactory; import org.apache.http.impl.client.BasicCookieStore; import org.apache.http.impl.client.BasicCredentialsProvider; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClientBuilder; import org.apache.http.impl.cookie.BasicClientCookie;
实用类
public class KerberosHttpClient { private String principal; private String keyTabLocation; public KerberosHttpClient() {} public KerberosHttpClient(String principal, String keyTabLocation) { super(); this.principal = principal; this.keyTabLocation = keyTabLocation; } public KerberosHttpClient(String principal, String keyTabLocation, String krb5Location) { this(principal, keyTabLocation); System.setProperty("java.security.krb5.conf", krb5Location); } public KerberosHttpClient(String principal, String keyTabLocation, boolean isDebug) { this(principal, keyTabLocation); if (isDebug) { System.setProperty("sun.security.spnego.debug", "true"); System.setProperty("sun.security.krb5.debug", "true"); } } public KerberosHttpClient(String principal, String keyTabLocation, String krb5Location, boolean isDebug) { this(principal, keyTabLocation, isDebug); System.setProperty("java.security.krb5.conf", krb5Location); } private static HttpClient buildSpengoHttpClient() { HttpClientBuilder builder = HttpClientBuilder.create(); Lookup authSchemeRegistry = RegistryBuilder. create(). register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true)).build(); builder.setDefaultAuthSchemeRegistry(authSchemeRegistry); BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider(); credentialsProvider.setCredentials(new AuthScope(null, -1, null), new Credentials() { @Override public Principal getUserPrincipal() { return null; } @Override public String getPassword() { return null; } }); builder.setDefaultCredentialsProvider(credentialsProvider); CloseableHttpClient httpClient = builder.build(); return httpClient; } public HttpResponse callRestUrl(final String url,final String userId) { //keyTabLocation = keyTabLocation.substring("file://".length()); System.out.println(String.format("Calling KerberosHttpClient %s %s %s",this.principal, this.keyTabLocation, url)); Configuration config = new Configuration() { @SuppressWarnings("serial") @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return new AppConfigurationEntry[] { new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule", AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap() { { put("useTicketCache", "false"); put("useKeyTab", "true"); put("keyTab", keyTabLocation); //Krb5 in GSS API needs to be refreshed so it does not throw the error //Specified version of key is not available put("refreshKrb5Config", "true"); put("principal", principal); put("storeKey", "true"); put("doNotPrompt", "true"); put("isInitiator", "true"); put("debug", "true"); } }) }; } }; Set princ = new HashSet (1); princ.add(new KerberosPrincipal(userId)); Subject sub = new Subject(false, princ, new HashSet
- 如何配置HTTPClient以对SOCKS代理进行身份validation?
- 使用Apache commons HttpClient时,如何覆盖请求中的“Host”头
- 如何强制Commons HTTPClient 3.1仅对HTTPS使用TLS 1.2?
- 混淆了在HttpClient中创建cookie的不同方法
- Apache HttpClient 4.1 – 代理设置
- 为什么这个简单的SOAP客户端不工作(org.apache.http)?
- 使用Apache HttpClient如何在请求和响应上设置TIMEOUT
- 使用HttpClient将照片上传到Facebook
- 在不更改代码的情况下,如何强制httpClient通过环境变量或JVM参数使用代理