问题
I've run into a problem attempting to authenticate from within my web services. Here is the code that fails.
private InitialDirContext callDirectory(String password,
String usernameWithoutDomain) throws NamingException
{
InitialDirContext ctx;
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, _ldapUrl );
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, usernameWithoutDomain );
env.put(Context.SECURITY_CREDENTIALS, password);
ctx = new InitialDirContext(env);
return ctx;
}
This code works against Active Directory on AIX using IBM's 1.5 JVM, but not on the same machine with the same VM when run inside WebSphere 6.1.
I've tried to control for all variables, and so far it looks like WebSphere is preventing the DIGEST-MD5 LDAP Authentication. Any ideas why?
Here is the stack trace:
javax.naming.AuthenticationNotSupportedException: DIGEST-MD5
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:115)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:229)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2652)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:298)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:190)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:208)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:151)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:81)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:679)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:259)
at javax.naming.InitialContext.init(InitialContext.java:235)
at javax.naming.InitialContext.<init>(InitialContext.java:209)
at security.ActiveDirectoryReader.openDirectoryContext(ActiveDirectoryReader.java:80)
回答1:
So that others can benefit from this: modify the file :/opt/IBM/WebSphere/AppServer/java/jre/lib/security/java.security do a search for security.provider and add a line at the bottom of the other providers (if it's not already in there): security.provider.X=com.ibm.security.sasl.IBMSASL (where X is the next number in sequence for the lines above it)
We had this same issue, even opened a PMR with IBM (who still doesn't know how to fix)
The answer actually came from their own link: http://www.ibm.com/developerworks/java/jdk/security/50/secguides/saslDocs/ibm.sasl.provider.guide.html
seems this is supposed to be "on" by default...
来源:https://stackoverflow.com/questions/4209710/authenticationnotsupportedexception-digest-md5-on-websphere