开发者

Why spring security kerberos extension 1.0.0.M2 is not working for jdk 1.6.0_22 and above

The spring security kerberos extension 1.0.0.M2 is working for jdk1.6.0_18 and below, but failed in new jdk 1.6.0_22 and 1.6.0_23 with the following exceptions:

Negotiate Header was invalid: Negotiate YIIHpQYGKwYBBQUCoIIHmTCCB5WgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCB2sEggdnYIIHYwYJKoZIhvcSAQICAQBuggdSMIIHTqADAgEFoQMCAQ6iBwMFACAAAACjggZxYYIGbTCCBmmgAwIBBaEYGxZXQU0uV0VTVEVSTkFTU0VULkxPQ0FMojMwMaADAgECoSowKBsESFRUUBsgZGV2d2FyY2gxLndhbS53ZXN0ZXJuYXNzZXQubG9jYWyjggYRMIIGDaADAgEXoQMCAQ6iggX/BIIF+54nsIgnyOHTnF2nD3XHzz51k/sqBht6lMFESs+CDL2SNCiZOD0Iqee03v3aUyzDncMTkXRRw/F2HOHCv1XPoKFhKZwJDTnKkbm7DDSJFok7rsekQqCntt+DObI6umiZU7XDKP4zyMVadrqQ6psJyUfpaGpU9uRHB79voBJaKGIjeDjSU2z7ybfvoxfPckFO905tM5HXjmM2sm5GAG0gY7/qHlCau1ayH0H/Tfly0EOS1B0D6ryue+Ne6VEt7OUOk89tSQM7F3qUqOsKzwuokBWjERX+ytcnc44uVslncQvn4peWPohePWZL7fpsm4w+kdO40oYeEGhZhbpGLCeII7U51y+NxbiCvTiIuc5nnkhESNQtbrmcUmpJIsbxrjr0cdyFua8oDgEQ6LYuRMY7FHKFDIWvTSaiDIoTBbxkh9I9jHatHhHWdi4WlLo1pJe9Ge4szzDAe2uuHrIgTLjuJx8ryRzq8UfFopJjCehRvBO2CQTyNpyxw6fUZGOQht/QS57/4oGGNWwXTUjsIBRJKNe3x4bsasUgvqhepme40zpAsVXYTv6usiRwAGyVmWTsdH3KZ/syTVghVhcsV1ht5bujwawdXlmR16ZpMPkTXv1hBTvmBwxqsvpGOX4+sG5HT5w/mlpKANUnkeE84m0nOvGp+uMbdhpZ9ya3pPg3BKP+lBfLXHNf0zka77uDLw9K0ZzMsd6t62PsatvrZXCdNrQx8XWKLJ4dHPbxdND7UPtQc2ARiGsak9grd8PG378UkQLlHEEVjh97J+iYxLfNIIfHUbuFxQFqIYXheto1OOrDAY1igsRYP9duoo6ZWiCQnKXxSbcnApIQCiq6r2jxKrzNla6l2GKs0cNB2qqV0XlQNTtVOTG/52EuyNadqpXv39WfhZ64mt4PWQ8bVIL/DR2Jp+bmr+1hCaThLy9l/+52qNC5zj9WAS0+NLRd31cIC3hRTyO2JMSvacfu8v7uV9HbK56R2q38rLg+hu7odPSdkQjEZ9hFWD8Ud3cPpKCDNQRlTnoFTajLlayqWWzZQKjU5GPySToJp2HZW1Ra7HgcM5/6qhoJVVOSE+KpOitGYDYrJ8G6tAk0kOzN0ei/jmkAl5eZNV6hF85T6l7c/kEwu3bJ32r/IAMBK2sBO4Z6SK4SOrSsQXoNBJHKDuY1r34AEHIpazt9hl2U1WyEJDFu9jMMU9q/DEkIGD6FzO0yAYhnnnQFCWJJpjmqqGojiIQwz2W8U95FWMbWdQlCdGnXUIQ1Zdd6xVhrfiFsvD4z92RvyZACyopSVPtIVaBGbRC0/KrxZE9HHOPXjv7WZmBwjKmhgryONs1wge2jNn/saOlExhMT4OjKvjYbfyrdR0WRgTZHvluAxaq5XBBE2QufoFWlibidbZMEdMcL7TDf48ZcpREgtGLJBxkaAhzvbX39iKMmDPCANMSUXN6p0wdsmRNNIno7ghzIoYZ5dh5601BYbYtx9l1rU3LQL46/OVqPIET8LIPMFjgGMlNhME/pAUErEwnvAjIhaH9SyAJksQg6FmU64k8W0EomGzjp6vjOfz+WX1s8pZ4ZKYGXRwFWjq9nWP9BwePthhUQhDLzhGNEeScuG8za2gGeNvZgAqWJ1JiPr4cuwrX4iBOiJsYps0XjLLoi/lAtCBmoTk3qPArtXNqUHRI3ZZtA0LfGhnY+la55qPxm6cWY+ioce3rHraxgr0KLlzMEFRYWb5AMqwTIXL59xL/9O5UyCwc5n1Fbd+OGuOnapK7KWSq6cxJU7ObutxGmQ6aRIJD3RNxGiYnBNkoos546QlubmHno507ZVQ9posYrkJoeQXDgSzuIEA2lD81LfRJfdPdARgFIF5yXWmN0NfCwCrw3X1QloX/Ktzo+9lbHRGhaIo9gS17/Ex1+DjKbFWFwNkRRpONV7jbnJ4ZWfuP3TuKzzX0E12jxMSXvcXPA5mIn0EI1t9f5Bg7L6Hfc0KmxWrsnHRgz9zZ1/i8eDmBMVxJlQSPR7WG2EsUAUB2uP8ADC/hR2j3FedcGQBgkhHOEMNSkgcMwgcCgAwIBF6KBuASBtczMFtvZHJDYRG8gUL+HJazLtrNiqjMu/I5CruvOy03uM5l2EOuE3c21lW04O9QHWdC7MCxdOnqRoDt3W+0kD3mBIdjjA0YGVPA1qPD1v8j9UMoAr2fuUYkO5qFsjFZ05u0w8rfi5/jq8FwB2idooBq9hYLGISbIstctr2Gt4W5tdfrCrxdRH2z48y1oqKFwmzQ2N57LJcAYY0cjxb/uRKEv+fk3TlvDF92Ci3JJzmzC+lK8uo4=
org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull  at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:69)
 at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86)
 at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:120)
 at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:48)
 at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:131)
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
 at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:188)
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
 at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
 at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)开发者_C百科
 at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
 at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
 at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
 at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
 at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
 at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:555)
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
 at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:861)
 at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579)
 at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1584)
 at java.lang.Thread.run(Thread.java:662)
Caused by: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))  at java.security.AccessController.doPrivileged(Native Method)  at javax.security.auth.Subject.doAs(Subject.java:396)
 at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)
 ... 25 more
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))  at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
 at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
 at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
 at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:874)
 at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:541)
 at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
 at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
 at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:146)
 at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136)
 ... 28 more
Caused by: KrbException: Specified version of key is not available (44)  at sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:527)
 at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:260)
 at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
 at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
 at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
 ... 36 more
SecurityContextHolder now cleared, as request processing completed 


This issue is resolved by setting the kvno to be zero in the keytab file.


So the problem seemed to be that the kvno did not match (it was 5 with v1.6.18 but 13 in v1.6.22).

If you generated the keytab with a mechanism that allows you to set the kvno to 0, then the kvno may be ignored (implementation dependent). MIT Kerberos does this and it seems that the JDK also supports.

The kvno is simply used to find the key. So, it's valuable to have the right kvno because it makes things simpler for the system. But it is not a security risk to have it set to 0.

Grant

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜