我正在使用Kerberos身份验证编写HTTP连接。我有“未经授权的HTTP/1.1 401”。您能推荐我应该检查的内容吗?我认为有一些窍门,但我看不到。
我可以将标题“WWW-Authenticate”设置为“Negotiate”吗?
非常感谢您提供的任何帮助和想法。
public class ClientKerberosAuthentication {
public static void main(String[] args) throws Exception {
System.setProperty("java.security.auth.login.config", "login.conf");
System.setProperty("java.security.krb5.conf", "krb5.conf");
System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("javax.security.auth.useSubjectCredsOnly","false");
DefaultHttpClient httpclient = new DefaultHttpClient();
try {
NegotiateSchemeFactory nsf = new NegotiateSchemeFactory();
httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO, nsf);
List<String> authpref = new ArrayList<String>();
authpref.add(AuthPolicy.BASIC);
authpref.add(AuthPolicy.SPNEGO);
httpclient.getParams().setParameter(AuthPNames.PROXY_AUTH_PREF, authpref);
httpclient.getCredentialsProvider().setCredentials(
new AuthScope(null, -1, AuthScope.ANY_REALM, AuthPolicy.SPNEGO),
new UsernamePasswordCredentials("myuser", "mypass"));
System.out.println("----------------------------------------");
HttpUriRequest request = new HttpGet("http://localhost:8084/web-app/webdav/213/_test.docx");
HttpResponse response = httpclient.execute(request);
HttpEntity entity = response.getEntity();
System.out.println("----------------------------------------");
System.out.println(response.getStatusLine());
System.out.println("----------------------------------------");
if (entity != null) {
System.out.println(EntityUtils.toString(entity));
}
System.out.println("----------------------------------------");
// This ensures the connection gets released back to the manager
EntityUtils.consume(entity);
} finally {
httpclient.getConnectionManager().shutdown();
}
}
}
最佳答案
SPNEGO将不起作用,因为您使用localhost作为URL主机名。
为服务器配置了一组SPN(或至少一个SPN),这些SPN以在ActiveDirectory服务帐户中注册的HTTP/开头。您可以通过setspn -l yourServiceAccount从AD中查询它们。
您的URL必须使用ActiveDirectory中称为SPN的有效服务器主机名,以便Apache Http Client可以为此服务协商TGS并将其发送到您的服务器。