问题
We have a server side application that can talk to external services. It depends on our configuration whether we authenticate against those services with the credentials of the user who called us, with pre-configured credentials, or not at all.
The external services may use HTTP Negotiate authentication. For our custom HTTP/WebDAV requests, we use Apache HttpClient, where we have the credentials handling under our own control. But for JAX-WS calls (or plain HTTP URLs called by 3rd party libs), Java's HttpUrlConnection handles the authentication itself. This is where things get odd.
Java supposedly always tries to use the Kerberos credentials from the current subject for Negotiate. That's fine, and works. It can also use the ticket cache (i.e. the kinit session or the system session, if accessible), BUT if I read the documentation (*) correctly, it should do so only on two conditions:
*) https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/lab/part6.html
- javax.security.auth.useSubjectCredentialsOnly is explicitly set to false
- A custom JAAS config has been provided which explicitly sets useTicketCache to true
This is not what happens. In our reproducible tests, it defaults to always using the system credentials if the subject is empty. Worse, explicitly settings useSubjectCredentialsOnly to true (which should be the default) doesn't change this behaviour. The only workaround we've found so far is explicitly providing a custom JAAS config which sets useTicketCache to false (which again should be the default).
Debugging into Krb5LoginModule shows that, unless we configure this workaround, the login module does in fact get called with useTicketCache=true.
We can reproduce this on all our Windows systems. It seems Linux might be behaving fine, but I haven't been able to verify this in detail (due to domain issues).
Am I reading the documentation wrong? Or is there a bug in the Java implementation? Or are our Windows systems wonky?
It seems very much not ideal that we should have to tell our customers to always configure a workaround to prevent Java from secretly calling remote services with the credentials of the service user instead of the user who sent the request to our service.
回答1:
At least in the Java 8 u 131 code on Linux I have just been debugging, the function sun.security.jgss.GSSUtil.useSubjectCredsOnly(GSSCaller caller) is hard-coded to return false if the caller is an instance of HttpCaller.
For other types of caller the javax.security.auth.useSubjectCredsOnly property is checked.
来源:https://stackoverflow.com/questions/43660265/java-automatically-uses-kerberos-ticketcache-when-it-shouldnt