首頁 探索 說明
註冊 登入
github
/
spring-security
镜像来自 https://github.com/spring-projects/spring-security
2
0
複刻 0
檔案 問題管理 0 Wiki
目錄樹: 9dc27bee03
分支列表 標籤列表
spring-security
/
docs
/
modules
/
ROOT
/
pages
/
servlet
/
authentication
/
kerberos
/
samples.adoc

samples.adoc 6.2 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225 
  1. [[springsecuritykerberossamples]]
    2. 

  2. = Spring Security Kerberos Samples
    3. 

  3. :figures: servlet/authentication/kerberos
    4. 

  4. 

  5. This part of the reference documentation is introducing samples
    6. 

  6. projects. Samples can be compiled manually by building main
    7. 

  7. distribution from
    8. 

  8. https://github.com/spring-projects/spring-security-kerberos.
    9. 

  9. 

  10. [IMPORTANT]
    11. 

  11. ====
    12. 

  12. If you run sample as is it will not work until a correct configuration
    13. 

  13. is applied. See notes below for specific samples.
    14. 

  14. ====
    15. 

  15. 

  16. <<samples-sec-server-win-auth>> sample for Windows environment
    17. 

  17. 

  18. <<samples-sec-server-client-auth>> sample using server side authenticator
    19. 

  19. 

  20. <<samples-sec-server-spnego-form-auth>> sample using ticket validation
    21. 

  21. with spnego and form
    22. 

  22. 

  23. <<samples-sec-client-rest-template>> sample for KerberosRestTemplate
    24. 

  24. 

  25. [[samples-sec-server-win-auth]]
    26. 

  26. == Security Server Windows Auth Sample
    27. 

  27. Goals of this sample:
    28. 

  28. 

  29. - In windows environment, User will be able to logon to application
    30. 

  30.   with Windows Active directory Credential which has been entered
    31. 

  31.   during log on to windows. There should not be any ask for
    32. 

  32.   userid/password credentials.
    33. 

  33. - In non-windows environment, User will be presented with a screen
    34. 

  34.   to provide Active directory credentials.
    35. 

  35. 

  36. [source,yaml,indent=0]
    37. 

  37. ----
    38. 

  38. server:
    39. 

  39.     port: 8080
    40. 

  40.     app:
    41. 

  41.         ad-domain: EXAMPLE.ORG
    42. 

  42.         ad-server: ldap://WIN-EKBO0EQ7TS7.example.org/
    43. 

  43.         service-principal: HTTP/neo.example.org@EXAMPLE.ORG
    44. 

  44.         keytab-location: /tmp/tomcat.keytab
    45. 

  45.         ldap-search-base: dc=example,dc=org
    46. 

  46.         ldap-search-filter: "(| (userPrincipalName={0}) (sAMAccountName={0}))"
    47. 

  47. ----
    48. 

  48. In above you can see the default configuration for this sample. You
    49. 

  49. can override these settings using a normal Spring Boot tricks like
    50. 

  50. using command-line options or custom `application.yml` file.
    51. 

  51. 

  52. Run a server.
    53. 

  53. [source,text,subs="attributes"]
    54. 

  54. ----
    55. 

  55. $ java -jar sec-server-win-auth-{spring-security-version}.jar
    56. 

  56. ----
    57. 

  57. 

  58. [IMPORTANT]
    59. 

  59. ====
    60. 

  60. You may need to use custom kerberos config with Linux either by using
    61. 

  61. `-Djava.security.krb5.conf=/path/to/krb5.ini` or
    62. 

  62. `GlobalSunJaasKerberosConfig` bean.
    63. 

  63. ====
    64. 

  64. 

  65. [NOTE]
    66. 

  66. ====
    67. 

  67. See xref:servlet/authentication/kerberos/appendix.adoc#setupwinkerberos[Setup Windows Domain Controller]
    68. 

  68. for more instructions how to work with windows kerberos environment.
    69. 

  69. ====
    70. 

  70. 

  71. Login to `Windows 8.1` using domain credentials and access sample
    72. 

  72. 

  73. image::{figures}/ie1.png[]
    74. 

  74. image::{figures}/ie2.png[]
    75. 

  75. 

  76. Access sample application from a non windows vm and use domain
    77. 

  77. credentials manually.
    78. 

  78. 

  79. image::{figures}/ff1.png[]
    80. 

  80. image::{figures}/ff2.png[]
    81. 

  81. image::{figures}/ff3.png[]
    82. 

  82. 

  83. 

  84. [[samples-sec-server-client-auth]]
    85. 

  85. == Security Server Side Auth Sample
    86. 

  86. This sample demonstrates how server is able to authenticate user
    87. 

  87. against kerberos environment using his credentials passed in via a
    88. 

  88. form login.
    89. 

  89. 

  90. Run a server.
    91. 

  91. [source,text,subs="attributes"]
    92. 

  92. ----
    93. 

  93. $ java -jar sec-server-client-auth-{spring-security-version}.jar
    94. 

  94. ----
    95. 

  95. 

  96. [source,yaml,indent=0]
    97. 

  97. ----
    98. 

  98. server:
    99. 

  99.     port: 8080
    100. 

  100. ----
    101. 

  101. 

  102. [[samples-sec-server-spnego-form-auth]]
    103. 

  103. == Security Server Spnego and Form Auth Sample
    104. 

  104. This sample demonstrates how a server can be configured to accept a
    105. 

  105. Spnego based negotiation from a browser while still being able to fall
    106. 

  106. back to a form based authentication.
    107. 

  107. 

  108. Using a `user1` principal xref:servlet/authentication/kerberos/appendix.adoc#setupmitkerberos[Setup MIT Kerberos],
    109. 

  109. do a kerberos login manually using credentials.
    110. 

  110. [source,text]
    111. 

  111. ----
    112. 

  112. $ kinit user1
    113. 

  113. Password for user1@EXAMPLE.ORG:
    114. 

  114. 

  115. $ klist
    116. 

  116. Ticket cache: FILE:/tmp/krb5cc_1000
    117. 

  117. Default principal: user1@EXAMPLE.ORG
    118. 

  118. 

  119. Valid starting     Expires            Service principal
    120. 

  120. 10/03/15 17:18:45  11/03/15 03:18:45  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
    121. 

  121.   renew until 11/03/15 17:18:40
    122. 

  122. ----
    123. 

  123. 

  124. or using a keytab file.
    125. 

  125. 

  126. [source,text]
    127. 

  127. ----
    128. 

  128. $ kinit -kt user2.keytab user1
    129. 

  129. 

  130. $ klist
    131. 

  131. Ticket cache: FILE:/tmp/krb5cc_1000
    132. 

  132. Default principal: user2@EXAMPLE.ORG
    133. 

  133. 

  134. Valid starting     Expires            Service principal
    135. 

  135. 10/03/15 17:25:03  11/03/15 03:25:03  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
    136. 

  136.   renew until 11/03/15 17:25:03
    137. 

  137. ----
    138. 

  138. 

  139. Run a server.
    140. 

  140. [source,text,subs="attributes"]
    141. 

  141. ----
    142. 

  142. $ java -jar sec-server-spnego-form-auth-{spring-security-version}.jar
    143. 

  143. ----
    144. 

  144. 

  145. Now you should be able to open your browser and let it do Spnego
    146. 

  146. authentication with existing ticket.
    147. 

  147. 

  148. [NOTE]
    149. 

  149. ====
    150. 

  150. See xref:servlet/authentication/kerberos/appendix.adoc#browserspnegoconfig[Configure Browsers for Spnego Negotiation]
    151. 

  151. for more instructions for configuring browsers to use Spnego.
    152. 

  152. ====
    153. 

  153. 

  154. [source,yaml,indent=0]
    155. 

  155. ----
    156. 

  156. server:
    157. 

  157.     port: 8080
    158. 

  158. app:
    159. 

  159.     service-principal: HTTP/neo.example.org@EXAMPLE.ORG
    160. 

  160.     keytab-location: /tmp/tomcat.keytab
    161. 

  161. ----
    162. 

  162. 

  163. [[samples-sec-client-rest-template]]
    164. 

  164. == Security Client KerberosRestTemplate Sample
    165. 

  165. This is a sample using a Spring RestTemplate to access Kerberos
    166. 

  166. protected resource. You can use this together with
    167. 

  167. <<samples-sec-server-spnego-form-auth>>.
    168. 

  168. 

  169. Default application is configured as shown below.
    170. 

  170. [source,yaml,indent=0]
    171. 

  171. ----
    172. 

  172. app:
    173. 

  173.     user-principal: user2@EXAMPLE.ORG
    174. 

  174.     keytab-location: /tmp/user2.keytab
    175. 

  175.     access-url: https://neo.example.org:8080/hello
    176. 

  176. ----
    177. 

  177. 

  178. 

  179. Using a `user1` principal xref:servlet/authentication/kerberos/appendix.adoc#setupmitkerberos[Setup MIT Kerberos],
    180. 

  180. do a kerberos login manually using credentials.
    181. 

  181. [source,text,subs="attributes"]
    182. 

  182. ----
    183. 

  183. $ java -jar sec-client-rest-template-{spring-security-version}.jar --app.user-principal --app.keytab-location
    184. 

  184. ----
    185. 

  185. 

  186. [NOTE]
    187. 

  187. ====
    188. 

  188. In above we simply set `app.user-principal` and `app.keytab-location`
    189. 

  189. to empty values which disables a use of keytab file.
    190. 

  190. ====
    191. 

  191. 

  192. If operation is succesfull you should see below output with `user1@EXAMPLE.ORG`.
    193. 

  193. [source,text]
    194. 

  194. ----
    195. 

  195. <html xmlns="https://www.w3.org/1999/xhtml"
    196. 

  196.       xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
    197. 

  197.   <head>
    198. 

  198.     <title>Spring Security Kerberos Example</title>
    199. 

  199.   </head>
    200. 

  200.   <body>
    201. 

  201.     <h1>Hello user1@EXAMPLE.ORG!</h1>
    202. 

  202.   </body>
    203. 

  203. </html>
    204. 

  204. ----
    205. 

  205. 

  206. Or use a `user2` with a keytab file.
    207. 

  207. [source,text,subs="attributes"]
    208. 

  208. ----
    209. 

  209. $ java -jar sec-client-rest-template-{spring-security-version}.jar
    210. 

  210. ----
    211. 

  211. 

  212. If operation is succesfull you should see below output with `user2@EXAMPLE.ORG`.
    213. 

  213. [source,text]
    214. 

  214. ----
    215. 

  215. <html xmlns="https://www.w3.org/1999/xhtml"
    216. 

  216.       xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity3">
    217. 

  217.   <head>
    218. 

  218.     <title>Spring Security Kerberos Example</title>
    219. 

  219.   </head>
    220. 

  220.   <body>
    221. 

  221.     <h1>Hello user2@EXAMPLE.ORG!</h1>
    222. 

  222.   </body>
    223. 

  223. </html>
    224. 

  224. ----
    225. 

  225.