1. 技术文章
  2. Java 8 update 161 breaks HTTPClient Kerberos authentication

Java 8 update 161 breaks HTTPClient Kerberos authentication

穿精又带淫゛_ 提交于 2020-01-05 08:09:13

问题


My HTTPClient Kerberos authentication set up is similar to this one. My login.conf looks like this:

com.sun.security.jgss.login {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true
  useKeyTab=true
  storeKey=true
  keyTab=<principal>
  principal=<keytab>;
};
com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};

This setup has been working for me with jdk8u151, but Oracle released jdk8u161 recently, and it no longer works. Debug looks like this:

Comparing debug logs, jdk8u161 stops at this line:

CCacheInputStream: readFlags()

while jdk8u151 follows that line with

unsupported key type found the default TGT: 18

I added 

default_tkt_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc

to krb5.conf, but it doesn't help.


回答1:


Found my own answer:

  • Remove all useTicketCache=true from login.conf
  • Add rc4-hmac to default_tkt_enctypes, default_tgs_enctypes, and permitted_enctypes

login.conf now looks like this:

com.sun.security.jgss.login {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};
com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};

and krb5.conf:

[libdefaults]
  ...
  default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
  default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
  permitted_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
  ...


来源:https://stackoverflow.com/questions/48411107/java-8-update-161-breaks-httpclient-kerberos-authentication

标签
java
security
authentication
kerberos
apache-httpclient-4.x
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!