我已经搜索了如何为Java Web应用程序提供基于活动目录/ LDAP的登录名。在这个论坛上也差不多。 100张以上的票,我听不懂,或者没有像我一样的目标。我尝试了几种配置。
使用以下代码,我得到了最好的结果,但是仍然不能完全正常工作。
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
@SuppressWarnings("restriction")
public class LdapAuth
{
private final static String ldapURI = "ldap://XXX.XXX.XXX.X:389"; //LDAP Server IP
private final static String contextFactory = "com.sun.jndi.ldap.LdapCtxFactory";
private static String[] requiredAttributes = {"cn", "givenName", "sn", "displayName", "userPrincipalName",
"sAMAccountName", "objectSid", "userAccountControl"};
private static String[] ADSearchPaths =
{
"CN=Users"
};
public static void authenticateUserAndGetInfo(final String user, final String password) throws Exception
{
try
{
final ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
final String fullPath = classLoader.getResource("/META-INF/krb5.conf").getPath();
System.out.println(fullPath);
System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("sun.security.spnego.debug", "true");
System.setProperty("java.security.krb5.conf", fullPath);
System.setProperty("sun.security.krb5.principal", user);
System.setProperty("sun.security.krb5.PrincipalName", user + "@MY.DOMAIN");
System.setProperty("sun.security.krb5.Credentials", password);
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
final Hashtable<String, String> env = new Hashtable<>();
env.put(Context.INITIAL_CONTEXT_FACTORY, LdapAuth.contextFactory);
env.put(Context.REFERRAL, "ignore");
env.put(Context.PROVIDER_URL, LdapAuth.ldapURI);
env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
env.put(Context.SECURITY_PRINCIPAL, user);
env.put(Context.SECURITY_CREDENTIALS, password);
env.put(Context.REFERRAL, "ignore");
env.put(Context.AUTHORITATIVE, "false");
final DirContext ctx = new InitialDirContext(env);
String filter = "(sAMAccountName=" + user + ")"; // default for search filter username
if(user.contains("@")) // if user name is a email then
{
// String parts[] = user.split("\\@");
// use different filter for email
filter = "(userPrincipalName=" + user + ")";
}
final SearchControls ctrl = new SearchControls();
ctrl.setSearchScope(SearchControls.SUBTREE_SCOPE);
ctrl.setReturningAttributes(LdapAuth.requiredAttributes);
NamingEnumeration userInfo = null;
Integer i = 0;
do
{
userInfo = ctx.search(LdapAuth.ADSearchPaths[i], filter, ctrl);
i++;
}
while(!userInfo.hasMore() && i < LdapAuth.ADSearchPaths.length);
if(userInfo.hasMore())
{
final SearchResult UserDetails = (SearchResult)userInfo.next();
final Attributes userAttr = UserDetails.getAttributes();
System.out.println("adEmail = " + userAttr.get("userPrincipalName").get(0).toString());
System.out.println("adFirstName = " + userAttr.get("givenName").get(0).toString());
System.out.println("adLastName = " + userAttr.get("sn").get(0).toString());
System.out.println("name = " + userAttr.get("cn").get(0).toString());
System.out.println("AdFullName = " + userAttr.get("cn").get(0).toString());
}
userInfo.close();
}
catch(final javax.naming.AuthenticationException e)
{
e.printStackTrace();
}
}
}
作为AD控制器,我使用synology AD程序包。我尝试了简单的身份验证,但这没有用。
我有一个错误:
javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - BindSimple: Transport encryption required.]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
...
附加信息。通过客户端控制台上的klist,我为用户获得了两张票。而且我能够通过AD控制器上的ssh从客户端控制台成功登录
更改和设置System.setProperty ...之后。6行和设置而不是简单:
env.put(Context.SECURITY_AUTHENTICATION, "GSSSAPI");
我得到了以下输出,并在控制台上要求我输入Kerberos用户ID。
>>>KinitOptions cache name is C:\Users\myuser\krb5cc_myuser
>> Acquire default native Credentials
default etypes for default_tkt_enctypes: 23.
>>> Found no TGT's in LSA
Kerberos-Password für myUserId: mySecretPassword
########################################
>>> KdcAccessibility: reset
default etypes for default_tkt_enctypes: 23.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=XXX.XXX.XXX.X TCP:88, timeout=30000, number of retries =3, #bytes=126
>>> KDCCommunication: kdc=XXX.XXX.XXX.X TCP:88, timeout=30000,Attempt =1, #bytes=126
>>>DEBUG: TCPClient reading 248 bytes
>>> KrbKdcReq send: #bytes read=248
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt = null
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>> KdcAccessibility: remove XXX.XXX.XXX.X:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Sat Mar 07 16:49:32 CET 2020 1583596172000
suSec is 184771
error code is 25
error Message is Additional pre-authentication required
cname is [email protected]
sname is krbrAdmin/[email protected]
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt = null
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
KRBError received: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23.
default etypes for default_tkt_enctypes: 23.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=XXX.XXX.XXX.X TCP:88, timeout=30000, number of retries =3, #bytes=206
>>> KDCCommunication: kdc=XXX.XXX.XXX.X TCP:88, timeout=30000,Attempt =1, #bytes=206
>>>DEBUG: TCPClient reading 1186 bytes
>>> KrbKdcReq send: #bytes read=1186
>>> KdcAccessibility: remove XXX.XXX.XXX.X:88
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply hri4wa1
Found ticket for [email protected] to go to krbrAdmin/[email protected] expiring on Sun Mar 08 02:49:32 CET 2020
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbKdcReq send: kdc=XXX.XXX.XXX.X TCP:88, timeout=30000, number of retries =3, #bytes=1225
>>> KDCCommunication: kdc=XXX.XXX.XXX.X TCP:88, timeout=30000,Attempt =1, #bytes=1225
>>>DEBUG: TCPClient reading 107 bytes
>>> KrbKdcReq send: #bytes read=107
>>> KdcAccessibility: remove XXX.XXX.XXX.X:88
>>> KDCRep: init() encoding tag is 126 req type is 13
此输出后,出现以下错误:
java.lang.IllegalArgumentException: Empty nameStrings not allowed
at sun.security.krb5.PrincipalName.validateNameStrings(Unknown Source)
我试图弄清楚如何防止这种情况:也没有成功同时设置
System.setProperty("sun.security.krb5.PrincipalName", user + "@MY.DOMAIN");
仍然没有用。
还有其他信息,我的服务器支持:
{{supportedsaslmechanisms = supportedSASLMechanisms:GSS-SPNEGO,GSSAPI,NTLM}
我认为要使其运行有多个问题。我还不确定的是,是否需要以任何方式配置我的tomcat?
我已经设法通过oauth / azure广告解决了它。它不是LDAP-但是仍然很有趣。看看:https://github.com/xware-gmbh/SeicentoBilling