Optional kerberos authentication?

醉梦人生 2021-01-12 21:39

Is it possible to do optional kerberos authentication?

What I want is: if the client (browser) is not on the domain it is redirected to a username/password web login

3 answers
  •  悲&欢浪女
    2021-01-12 22:23

    If you need to redirect to the login page after the server receives an unauthenticated request (like Elias Mårtenson said), you need to configure Spring Security like this:

    springSecurity.xml

    
    
    
    
        
        
        
    
    
     
        
    
    
    
         
         
    
    
    
        
            
                
            
        
        
    
    
    
        
            
                
                
                
                
                
            
        
        
    
    
    
        
        
    
    
    

    krb5.conf

    [libdefaults]
        default_realm = DOMAIN.LOCAL
        default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
        permitted_enctypes   = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    
    [realms]
        DOMAIN.LOCAL  = {
            kdc = serverAD.domain.local 
            default_domain = DOMAIN.LOCAL
    }
    
    [domain_realm]
         .DOMAIN.LOCAL = DOMAIN.LOCAL
    

    • HTTP/serverName.domain.local - service Principal name
    • http-server.keytab - generated keytab file (see MIKE WIESNER's blog or Lior Chaga's experience)
    • Be careful with the keyTabLocation property: it's not a path to the .keytab file, it's a URL to the .keytab file, so use file:/ to locate it
    • krbConfLocation - path to the Kerberos configuration file krb5.conf on your system
    • customUserDetailsService - your custom detailService
    • don't forget to set the debug properties to false in production
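The HTTP-level decision that makes Kerberos optional, as an added example that is not part of the original answer and is not Spring Security code: the server challenges with `Negotiate` while sending the login form as the 401 body, and only treats a GSS-API token as a Kerberos candidate. The function names, the `/login` path and the sample headers are assumptions constructed for illustration.

```python
import base64

LOGIN_PAGE = "/login"          # assumed path of the username/password form
NTLM_MAGIC = b"NTLMSSP\x00"    # first bytes of every raw NTLM message
GSS_INITIAL_TAG = 0x60         # ASN.1 [APPLICATION 0]: SPNEGO / Kerberos token


def classify_authorization(header):
    """Return 'none', 'kerberos', 'ntlm' or 'invalid' for an Authorization value."""
    if not header:
        return "none"
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "negotiate":
        return "invalid"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return "invalid"
    if token.startswith(NTLM_MAGIC):
        return "ntlm"           # client could not get a Kerberos ticket for the service
    if token and token[0] == GSS_INITIAL_TAG:
        return "kerberos"       # candidate only: the ticket validator still decides
    return "invalid"


def handle(authorization=None, session_user=None):
    """Decide the response for a protected URL: (status, headers, action)."""
    if session_user:            # already logged in, by form or by SSO
        return 200, {}, "serve"
    kind = classify_authorization(authorization)
    if kind == "kerberos":
        # Status is unknown until the keytab-backed validator has checked the ticket.
        return None, {}, "validate-ticket"
    if kind == "none":
        # Challenge and fallback in one response: SSO-capable browsers retry with a
        # ticket, all others render the login form delivered as the 401 body.
        return 401, {"WWW-Authenticate": "Negotiate"}, "render:" + LOGIN_PAGE
    # NTLM or malformed token: do not challenge again, go straight to the form.
    return 302, {"Location": LOGIN_PAGE}, "redirect"


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    ntlm = "Negotiate " + base64.b64encode(NTLM_MAGIC + b"\x01\x00\x00\x00").decode()
    gss = "Negotiate " + base64.b64encode(bytes([GSS_INITIAL_TAG]) + b"constructed").decode()
    for hdr in (None, ntlm, gss):
        print(handle(hdr))
```
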
