Negotiation toolkit 'Secured' test not working (SPNEGO authentication fails)

Stack Overflow user
Asked 2013-02-08 22:39:32
1 answer · 3.2K views · 0 followers · 3 votes

A few days ago I posted the same question on the JBoss PicketBox forum but have not received any replies yet (https://community.jboss.org/thread/220959). So I thought I would try Stack Overflow to reach a wider audience.

For a few weeks now I have been struggling to get the JBoss negotiation toolkit working, and I think I have tried everything that others have run into. Now I am stuck at the point where I cannot get the 'Secured' version of the servlet to work. The 'Security Domain Test' and 'Basic Negotiation' tests work fine, but JBoss keeps throwing 'LoginException's when I try to open the Secured link. I am fairly sure it has to do with some AD/Kerberos setting, but I am not making any progress.

11:49:43,514 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Login failure: javax.security.auth.login.LoginException: Continuation Required.
    at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:174) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_33]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_33]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_33]
    at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_33]
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [rt.jar:1.6.0_33]
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [rt.jar:1.6.0_33]
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [rt.jar:1.6.0_33]
    at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_33]
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.6.0_33]
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [rt.jar:1.6.0_33]
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
    ...

Has anyone run into the same problem, or does anyone have suggestions about where the problem might lie? Sorry for the length, but below are all the details of the setup and how I have configured things so far; I am trying to provide as much detail as possible.

Here is our setup:

  • Windows 2008 AD (QAAD)
    • Domain name: qaad.dev.company.com
    • Realm: QUALITY (QUALITY.COMPANY.COM)

  • CentOS 6.2 running JBoss AS 7.1.1.Final (BARDEV1)
    • Deployed: jboss-negotiation-toolkit-2.2.2
    • Domain name: bardev1.dev.company.com

  • Test clients are WinXP and Win7 machines joined to the QUALITY domain.

BARDEV1 is currently joined to the QUALITY domain (is that necessary, or should it work without joining the domain?).

The JBoss SPNEGO configuration is:

<security-domain name="qaad_kerberos" cache-type="default">
    <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="principal" value="HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM"/>
            <module-option name="keyTab" value="/opt/jboss-as-7.1.1.final/standalone/configuration/bardev1_qaad_rc4.keytab"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="debug" value="true"/>
            <module-option name="refreshKrb5Config" value="false"/>
        </login-module>
    </authentication>
</security-domain>
<security-domain name="SPNEGO" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="serverSecurityDomain" value="qaad_kerberos"/>
        </login-module>
    </authentication>
</security-domain>

/etc/krb5.conf is set to:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = QUALITY.COMPANY.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac

[realms]
QUALITY.COMPANY.COM = {
  kdc = qaad.dev.company.com
  admin_server = qaad.dev.company.com
  default_domain = quality.company.com
}

[domain_realm]
.quality.company.com = QUALITY.COMPANY.COM
quality.company.com = QUALITY.COMPANY.COM

There is a "computer" account "bardev1" on the QAAD box. This account has delegation set to "Trust this computer for delegation to any service (Kerberos only)". The keytab was generated on the QAAD box and the SPN set with the following commands:

  • setspn -S -S bardev1
  • ktpass /out bardev1_qaad_rc4.keytab /princ /princ /mapuser quality\Administrator -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL /pass * /kvno 0
    • (Note: had to set /kvno 0 because otherwise I got: KrbException: Specified version of key is not available (44))

  • setspn -L bardev1
    • output: Registered ServicePrincipalNames for CN=bardev1,CN=Computers,DC=quality,DC=company,DC=com:     HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM     HOST/bardev1.dev.company.com     HOST/BARDEV1

  • setspn -L Administrator
    • output: Registered ServicePrincipalNames for CN=Administrator,CN=Users,DC=quality,DC=company,DC=com: HTTP/bardev1.dev.company.com

I am using the "Administrator" account for initial testing so that I do not have to deal with new user accounts. That account is set to "Trust this user for delegation to any service (Kerberos only)" and has no other account options set, such as "Use Kerberos DES encryption", "This account supports AES 128/256" or "Do not require Kerberos preauthentication". Are any of these needed?

On the client machines, in order for the browser to use the logged-in user's credentials, I have to set the URL to:

  • http://bardev1:8080/jboss-negotiation-toolkit-2.2.2.Final

If I set it to:

  • http://bardev1.dev.company.com:8080/jboss-negotiation-toolkit-2.2.2.Final

then I get a username and password popup.

I did try running setspn and ktpass with 'HTTP/bardev1@QUALITY.COMPANY.COM', with the same result, i.e. the Basic and Security Domain tests work but Secured does not.

Output from 'SecurityDomainTest':

JBoss log:

      12:01:33,229 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/jboss-as-7.1.1.final/standalone/configuration/bardev1_qaad_rc4_domain.keytab refreshKrb5Config is false principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      12:01:33,238 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal's key obtained from the keytab
      12:01:33,241 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Acquire TGT using AS Exchange
      12:01:33,259 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM
      12:01:33,269 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 30 89 05 17 EB 07 89 AE   06 E2 B1 5D 58 B6 6E A4  0..........]X.n.
      12:01:33,273 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
      12:01:33,276 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Added server's keyKerberos Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COMKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
      12:01:33,283 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) 0000: 30 89 05 17 EB 07 89 AE   06 E2 B1 5D 58 B6 6E A4  0..........]X.n.
      12:01:33,285 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
      12:01:33,285 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
      12:01:33,286 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)          [Krb5LoginModule] added Krb5Principal  HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM to Subject
      12:01:33,288 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Commit Succeeded
      12:01:33,290 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
      12:01:33,295 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)          [Krb5LoginModule]: Entering logout
      12:01:33,296 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)          [Krb5LoginModule]: logged out Subject

Browser:

      Negotiation Toolkit
      Security Domain Test
      Testing security-domain 'qaad_kerberos'

      Authenticated
      Subject:
      Principal: HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM
      Private Credential: Ticket (hex) =
      0000: 61 82 04 A6 30 82 04 A2 A0 03 02 01 05 A1 16 1B a...0...........
      0010: 14 51 55 41 4C 49 54 59 2E 53 59 4D 50 48 4F 4E .QUALITY.COMPANY
      0020: 4F 2E 43 4F 4D A2 29 30 27 A0 03 02 01 02 A1 20 O.COM.)0'......
      0030: 30 1E 1B 06 6B 72 62 74 67 74 1B 14 51 55 41 4C 0...krbtgt..QUAL
      ...
      04A0: 1C 85 74 1A 9B EF B9 EE D2 A8 ..t.......

      Client Principal = HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM
      Server Principal = krbtgt/QUALITY.COMPANY.COM@QUALITY.COMPANY.COM
      Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
      0000: 67 2B 5A 9B FE 97 00 2B 68 0B D2 0F 35 FA D1 CB g+Z....+h...5...

      Forwardable Ticket true
      Forwarded Ticket false
      Proxiable Ticket false
      Proxy Ticket false
      Postdated Ticket false
      Renewable Ticket false
      Initial Ticket false
      Auth Time = Tue Feb 05 12:01:33 CST 2013
      Start Time = Tue Feb 05 12:01:33 CST 2013
      End Time = Tue Feb 05 22:01:33 CST 2013
      Renew Till = null
      Client Addresses Null
      Private Credential: Kerberos Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COMKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
      0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.

Output from 'Basic Negotiation':

JBoss log:

      12:48:01,226 INFO  [org.jboss.security.negotiation.toolkit.BasicNegotiationServlet] (http-bardev1.dev.company.com-10.10.5.232-8080-1) No Authorization Header, sending 401
      12:48:01,243 INFO  [org.jboss.security.negotiation.toolkit.BasicNegotiationServlet] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Authorization header received - decoding token.

Browser:

      Negotiation Toolkit
      Basic Negotiation
      WWW-Authenticate - Negotiate YIILwgYGKwYBBQUCoIILtjCCC7KgJDAiBgkqhkiC9xIBAgIGCSq ... i4=

      NegTokenInit
      Message Oid - SPNEGO
      Mech Types - {Kerberos V5 Legacy} {Kerberos V5} {NTLM}
      Req Flags -
      Mech Token -YIILgAYJKoZIhvcSAQICAQBuggtvMIILa6A ... Gi4=
      Mech List Mic -

Output from 'Secured':

JBoss log:

      12:51:52,877 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/jboss-as-7.1.1.final/standalone/configuration/bardev1_qaad_rc4_domain.keytab refreshKrb5Config is false principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      12:51:52,894 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal's key obtained from the keytab
      12:51:52,895 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Acquire TGT using AS Exchange
      12:51:52,929 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM
      12:51:52,933 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 30 89 05 17 EB 07 89 AE   06 E2 B1 5D 58 B6 6E A4  0..........]X.n.
      12:51:52,937 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
      12:51:52,939 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Added server's keyKerberos Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COMKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
      12:51:52,944 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) 0000: 30 89 05 17 EB 07 89 AE   06 E2 B1 5D 58 B6 6E A4  0..........]X.n.
      12:51:52,945 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
      12:51:52,946 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
      12:51:52,947 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)          [Krb5LoginModule] added Krb5Principal  HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM to Subject
      12:51:52,949 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Commit Succeeded
      12:51:52,950 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
      12:51:52,950 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)          [Krb5LoginModule]: Entering logout
      12:51:52,952 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)          [Krb5LoginModule]: logged out Subject
      12:51:52,953 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Login failure: javax.security.auth.login.LoginException: Continuation Required.
                at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:174) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_33]
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_33]
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_33]
                at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_33]
                at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [rt.jar:1.6.0_33]
                at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [rt.jar:1.6.0_33]
                at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [rt.jar:1.6.0_33]
                at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_33]
                at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.6.0_33]
                at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [rt.jar:1.6.0_33]
                at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
                at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
                at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
                at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
                at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
                at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:187) [jboss-negotiation-common-2.2.0.SP1.jar:2.2.0.SP1]
                at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.13.Final.jar:]
                at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
                at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
                at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
                at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
                at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
                at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
                at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
                at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
                at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_33]


      12:51:52,985 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/jboss-as-7.1.1.final/standalone/configuration/bardev1_qaad_rc4_domain.keytab refreshKrb5Config is false principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      12:51:52,989 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal's key obtained from the keytab
      12:51:52,990 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Acquire TGT using AS Exchange
      12:51:53,015 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM
      12:51:53,058 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 30 89 05 17 EB 07 89 AE   06 E2 B1 5D 58 B6 6E A4  0..........]X.n.
      12:51:53,060 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
      12:51:53,061 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Added server's keyKerberos Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COMKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
      12:51:53,063 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) 0000: 30 89 05 17 EB 07 89 AE   06 E2 B1 5D 58 B6 6E A4  0..........]X.n.
      12:51:53,065 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
      12:51:53,065 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
      12:51:53,066 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)          [Krb5LoginModule] added Krb5Principal  HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM to Subject
      12:51:53,068 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Commit Succeeded
      12:51:53,068 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
      12:51:53,081 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)          [Krb5LoginModule]: Entering logout
      12:51:53,082 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)          [Krb5LoginModule]: logged out Subject

Browser:

      HTTP Status 403 - Access to the requested resource has been denied

Additional tests/setups performed

I also tried running the JBoss instance on the QAAD server itself, updating the setspn and ktpass commands accordingly, with the same result: the 'Secured' test fails with the LoginException.

I also tried using a different AD server (COLLAB, running on a Windows 2003 AD server), with the same result.

So I am fairly sure this is some install/config/environment issue, but I cannot seem to figure out what.
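The 'Basic Negotiation' output above shows the toolkit decoding the NegTokenInit that the browser sends in its Authorization: Negotiate header. The script below is an added example, not code from the question or from the JBoss toolkit: it decodes such a header in Python, lists the SPNEGO mechTypes the client offered and reports whether the initial mech token is Kerberos or NTLM, which is the first thing to check when the Secured test fails, because a browser that could not obtain a Kerberos ticket for the URL's host sends an NTLM token instead. The sample tokens are constructed inline; the function and constant names are my own.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {"1.2.840.48018.1.2.2": "Kerberos V5 Legacy",   # Microsoft's pre-RFC krb5 OID
              "1.2.840.113554.1.2.2": "Kerberos V5",
              "1.3.6.1.4.1.311.2.2.10": "NTLM"}

def _tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _oid(value):
    """Decode DER OID content bytes to dotted form."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                       # last base-128 digit of this arc
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def inspect_negotiate(header_value):
    """Summarise an 'Authorization: Negotiate <b64>' value: offered mechs and initial token kind."""
    token = base64.b64decode(header_value.split()[-1])
    if token.startswith(b"NTLMSSP\x00"):       # bare NTLMSSP message, no SPNEGO wrapper at all
        return {"mech_types": [], "mech_token": "raw NTLM"}
    tag, body, _ = _tlv(token, 0)              # [APPLICATION 0] InitialContextToken
    _, oid, pos = _tlv(body, 0)                # thisMech OID
    tag2, neg, _ = _tlv(body, pos)             # [0] negTokenInit
    if tag != 0x60 or _oid(oid) != SPNEGO_OID or tag2 != 0xA0:
        raise ValueError("not a SPNEGO NegTokenInit")
    _, seq, _ = _tlv(neg, 0)                   # NegTokenInit ::= SEQUENCE { ... }
    result, pos = {"mech_types": [], "mech_token": "absent"}, 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        if tag == 0xA0:                        # [0] mechTypes: SEQUENCE OF OID, preference order
            _, lst, _ = _tlv(val, 0)
            p = 0
            while p < len(lst):
                _, o, p = _tlv(lst, p)
                result["mech_types"].append(MECH_NAMES.get(_oid(o), _oid(o)))
        elif tag == 0xA2:                      # [2] mechToken: OCTET STRING for the first mech
            _, inner, _ = _tlv(val, 0)
            result["mech_token"] = ("NTLM" if inner.startswith(b"NTLMSSP\x00")
                                    else "Kerberos" if inner[:1] == b"\x60" else "unknown")
    return result

# Constructed sample (not captured from the poster's server): a NegTokenInit offering the three
# mechanisms the toolkit listed, carrying a dummy krb5 mech token (GSS header only, no ticket).
SAMPLE_TOKEN = bytes.fromhex(
    "60 45" "06 06 2b 06 01 05 05 02"                     # InitialContextToken, thisMech = SPNEGO
    "a0 3b 30 39"                                         # [0] NegTokenInit SEQUENCE
    "a0 24 30 22"                                         # [0] mechTypes
    "06 09 2a 86 48 82 f7 12 01 02 02"                    # 1.2.840.48018.1.2.2
    "06 09 2a 86 48 86 f7 12 01 02 02"                    # 1.2.840.113554.1.2.2
    "06 0a 2b 06 01 04 01 82 37 02 02 0a"                 # 1.3.6.1.4.1.311.2.2.10
    "a2 11 04 0f 60 0d 06 09 2a 86 48 86 f7 12 01 02 02 01 00")  # [2] mechToken
SAMPLE_HEADER = "Negotiate " + base64.b64encode(SAMPLE_TOKEN).decode()
# Constructed: what a client sends when it falls back to NTLM without a SPNEGO wrapper.
NTLM_HEADER = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(20)).decode()
```

Run inspect_negotiate() on the value logged by the toolkit (or captured from the client) and compare the mech list with the one shown in the Basic Negotiation output; a "NTLM" or "raw NTLM" result means the client never obtained a service ticket for the URL's host name.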

1 Answer

Stack Overflow user

Posted 2013-12-05 12:58:56

I know it is very late.

I ran into the same problem and found that we need to modify the web.xml of the jboss-negotiation-toolkit a little bit.

Modify the security-constraint and login-config in web.xml as shown below:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted</web-resource-name>
    <url-pattern>/Secured/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>SPNEGO</auth-method>
  <realm-name>SPNEGO</realm-name>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/error.html</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>*</role-name>
</security-role>

Then modify the JBoss configuration in standalone.xml as shown below:

<security-domain name="qaad_kerberos" cache-type="default">
    <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="principal" value="HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM"/>
            <module-option name="keyTab" value="/opt/jboss-as-7.1.1.final/standalone/configuration/bardev1_qaad_rc4.keytab"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="debug" value="true"/>
            <module-option name="refreshKrb5Config" value="false"/>
        </login-module>
    </authentication>
</security-domain>
<security-domain name="SPNEGO" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="serverSecurityDomain" value="qaad_kerberos"/>
        </login-module>
        <login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="requisite">
            <module-option name="bindAuthentication" value="GSSAPI"/>
            <module-option name="jaasSecurityDomain" value="qaad_kerberos"/>
            <module-option name="java.naming.provider.url" value="ldap://your kdc's hostname:389"/>
            <module-option name="baseCtxDN" value="DC=MYDOMAIN,DC=COM"/>
            <module-option name="baseFilter" value="(userPrincipalName={0})"/>
            <module-option name="roleAttributeID" value="memberOf"/>
            <module-option name="roleAttributeIsDN" value="true"/>
            <module-option name="roleNameAttributeID" value="cn"/>
            <module-option name="recurseRoles" value="true"/>
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="allowEmptyPassword" value="false"/>
            <module-option name="debug" value="true"/>
        </login-module>
    </authentication>
</security-domain>
Votes: 0

Original page content provided by Stack Overflow. Original link: https://stackoverflow.com/questions/14782508
