首頁猿問 Kerberos...

Kerberos 委派：GSSUtil.createSubject 僅返回主體名稱

Java

哈士奇WWW 2022-12-15 15:21:02

我正在做 kerberos 委派。我注意到它GSSUtil.createSubject(context.getSrcName(), clientCred)返回一個沒有憑據(jù)的主題。在此之前，我已經完成GSSCredential clientCred = context.getDelegCred();了返回憑據(jù)的操作。編輯：當我從同一域中的一臺機器訪問我的服務時，它可以工作，而如果從同一域中的其他機器訪問，它就不會。對 AD 需要哪些額外設置感到困惑？非常感謝任何幫助。以下是我的代碼：public class KerberosTest { public Subject loginImpl(byte[] kerberosTicket, String propertiesFileName) throws Exception { System.setProperty("sun.security.krb5.debug", "true");// // no effect // System.setProperty("javax.security.auth.useSubjectCredsOnly","false"); final Krb5LoginModule krb5LoginModule = new Krb5LoginModule(); Subject serviceUserSubject = new Subject(); final Map<String,String> optionMap = new HashMap<String,String>(); HashMap<String, String> shared = new HashMap<>(); optionMap.put("keyTab", "C:\\kerberos_files\\sapuser.keytab"); optionMap.put("principal", "HTTP/SAPTEST@EQSECTEST.LOCAL"); // default realm// optionMap.put("principal", "kerberosuser"); // default realm optionMap.put("useFirstPass", "true"); optionMap.put("doNotPrompt", "true"); optionMap.put("refreshKrb5Config", "true"); optionMap.put("useTicketCache", "false"); optionMap.put("renewTGT", "false"); optionMap.put("useKeyTab", "true"); optionMap.put("storeKey", "true"); optionMap.put("isInitiator", "true"); optionMap.put("useSubjectCredsOnly", "false"); optionMap.put("debug", "true"); // switch on debug of the Java implementation krb5LoginModule.initialize(serviceUserSubject, null, shared, optionMap); // login using details mentioned inside keytab boolean loginOk = krb5LoginModule.login(); System.out.println("Login success: " + loginOk); // This API adds Kerberos Credentials to the the Subject's private credentials set boolean commitOk = krb5LoginModule.commit(); } }

查看完整描述