Java 8 update 161 breaks HTTPClient Kerberos authentication

Published 2019-08-12 12:22

Question:

My HTTPClient Kerberos authentication setup is similar to this one. My login.conf looks like this:

com.sun.security.jgss.login {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};
com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};

This setup has been working for me with jdk8u151, but Oracle released jdk8u161 recently, and it no longer works. Debug looks like this:

Comparing debug logs, jdk8u161 stops at this line:

CCacheInputStream: readFlags()

while jdk8u151 follows that line with

unsupported key type found the default TGT: 18

I added

default_tkt_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc

to krb5.conf, but it doesn't help.

Answer 1:

Found my own answer:

  • Remove all useTicketCache=true from login.conf
  • Add rc4-hmac to default_tkt_enctypes, default_tgs_enctypes, and permitted_enctypes

login.conf now looks like this:

com.sun.security.jgss.login {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};
com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};

and krb5.conf:

[libdefaults]
  ...
  default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
  default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
  permitted_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
  ...
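The debug line in the question, "unsupported key type found the default TGT: 18", refers to Kerberos encryption type 18, which is aes256-cts-hmac-sha1-96; the question's original enctype lists did not include aes256-cts, while the answer's lists do. A quick way to confirm what a keytab-based JAAS login actually produces, independently of HttpClient, is to run the same JAAS entry through a LoginContext and print the session-key enctype of each ticket in the resulting Subject. The following is an added diagnostic example, not code from the original post or from HttpClient; the file paths in LOGIN_CONF and KRB5_CONF are placeholders you must replace, and the enctype name table is a small lookup I constructed from the RFC-assigned numbers. Note that rc4-hmac and the DES types the answer enables are deprecated by RFC 8429; keep them only as long as your KDC or service principals still require them, and prefer the AES types where the KDC supports them.

```java
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.util.HashMap;
import java.util.Map;

public class KerberosLoginCheck {
    // Placeholder paths (assumption): point these at your own login.conf and krb5.conf.
    static final String LOGIN_CONF = "/path/to/login.conf";
    static final String KRB5_CONF = "/path/to/krb5.conf";

    // Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757) for readable output.
    // 18 is the value seen in the question's debug output.
    static final Map<Integer, String> ENCTYPES = new HashMap<>();
    static {
        ENCTYPES.put(1, "des-cbc-crc");
        ENCTYPES.put(3, "des-cbc-md5");
        ENCTYPES.put(16, "des3-cbc-sha1");
        ENCTYPES.put(17, "aes128-cts-hmac-sha1-96");
        ENCTYPES.put(18, "aes256-cts-hmac-sha1-96");
        ENCTYPES.put(23, "rc4-hmac");
    }

    static String enctypeName(int id) {
        return ENCTYPES.getOrDefault(id, "unknown(" + id + ")");
    }

    public static void main(String[] args) throws LoginException {
        // Same properties the HttpClient application would set; the debug flag
        // produces the CCacheInputStream / TGT lines quoted in the question.
        System.setProperty("java.security.auth.login.config", LOGIN_CONF);
        System.setProperty("java.security.krb5.conf", KRB5_CONF);
        System.setProperty("sun.security.krb5.debug", "true");

        // "com.sun.security.jgss.initiate" is the JAAS entry JGSS uses for the
        // client (initiator) side, which is the entry HttpClient's SPNEGO path relies on.
        LoginContext lc = new LoginContext("com.sun.security.jgss.initiate");
        lc.login();
        Subject subject = lc.getSubject();

        // Each KerberosTicket carries the enctype of its session key; the TGT is the
        // ticket whose server is krbtgt/REALM@REALM.
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            int keyType = t.getSessionKeyType();
            System.out.printf("ticket for %s: session key enctype %d (%s), expires %s%n",
                    t.getServer(), keyType, enctypeName(keyType), t.getEndTime());
        }
        lc.logout();
    }
}
```

Compile and run it with the same JDK build you are troubleshooting (`javac KerberosLoginCheck.java && java KerberosLoginCheck`). If the login fails with the ticket-cache settings of the question's login.conf but succeeds with the answer's keytab-only entries, the problem is in credential acquisition rather than in HttpClient; if the printed enctype is one that is absent from permitted_enctypes in krb5.conf, that is the mismatch to fix on the krb5.conf side.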