问题
My HTTPClient Kerberos authentication set up is similar to this one. My login.conf looks like this:
com.sun.security.jgss.login {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
useKeyTab=true
storeKey=true
keyTab=<keytab>
principal=<principal>;
};
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
useKeyTab=true
storeKey=true
keyTab=<principal>
principal=<keytab>;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
useKeyTab=true
storeKey=true
keyTab=<keytab>
principal=<principal>;
};
This setup has been working for me with jdk8u151, but Oracle released jdk8u161 recently, and it no longer works. Debug looks like this:
Comparing debug logs, jdk8u161 stops at this line:
CCacheInputStream: readFlags()
while jdk8u151 follows that line with
unsupported key type found the default TGT: 18
I added
default_tkt_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
to krb5.conf
, but it doesn't help.
回答1:
Found my own answer:
- Remove all
useTicketCache=true
from login.conf - Add
rc4-hmac
todefault_tkt_enctypes
,default_tgs_enctypes
, andpermitted_enctypes
login.conf now looks like this:
com.sun.security.jgss.login {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab=<keytab>
principal=<principal>;
};
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab=<keytab>
principal=<principal>;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab=<keytab>
principal=<principal>;
};
and krb5.conf:
[libdefaults]
...
default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
...
来源:https://stackoverflow.com/questions/48411107/java-8-update-161-breaks-httpclient-kerberos-authentication