Добрых суток. Пытаюсь прикрутить kerberos к wildfly 15.0.1 (забегая вперёд, оно работает почти как надо).
Вот пример с apache+krb:
<Location />
AuthType Kerberos
AuthName "Kerberos authenticated intranet"
KrbAuthRealms MY.DOMAIN.COM
KrbServiceName HTTP/srv.my.domain.com
Krb5Keytab /etc/srv.my.domain.com.keytab
KrbMethodNegotiate On
KrbMethodK5Passwd On
require valid-user
</Location>
А вот c дикой мухой всё сложнее. Вот конфиг:
/subsystem=undertow/application-security-domain=mySPNEGO:read-resource
{
"outcome" => "success",
"result" => {
"enable-jacc" => false,
"enable-jaspi" => true,
"http-authentication-factory" => "spnegoHTTP",
"integrated-jaspi" => true,
"override-deployment-config" => true,
"security-domain" => undefined,
"setting" => undefined
}
}
/subsystem=elytron/http-authentication-factory=spnegoHTTP:read-resource
{
"outcome" => "success",
"result" => {
"http-server-mechanism-factory" => "global",
"mechanism-configurations" => [
{
"mechanism-name" => "SPNEGO",
"credential-security-factory" => "krbSPNEGO"
},
{"mechanism-name" => "BASIC"}
],
"security-domain" => "spnegoSD"
}
}
/subsystem=elytron/kerberos-security-factory=krbSPNEGO:read-resource
{
"outcome" => "success",
"result" => {
"debug" => true,
"fail-cache" => undefined,
"mechanism-names" => [
"KRB5",
"SPNEGO"
],
"mechanism-oids" => undefined,
"minimum-remaining-lifetime" => 0,
"obtain-kerberos-ticket" => true,
"options" => undefined,
"principal" => "HTTP/srv.my.domain.com@MY.DOMAIN.COM",
"request-lifetime" => 2147483647,
"required" => false,
"server" => true,
"wrap-gss-credential" => false,
"path" => "srv.my.domain.com.keytab",
"relative-to" => "jboss.server.config.dir"
}
}
/subsystem=elytron/security-domain=spnegoSD:read-resource
{
"outcome" => "success",
"result" => {
"default-realm" => "realmSPNEGO",
"outflow-anonymous" => false,
"outflow-security-domains" => undefined,
"permission-mapper" => "default-permission-mapper",
"post-realm-principal-transformer" => undefined,
"pre-realm-principal-transformer" => undefined,
"principal-decoder" => undefined,
"realm-mapper" => undefined,
"realms" => [{
"realm" => "realmSPNEGO",
"role-decoder" => "groups-to-roles"
}],
"role-mapper" => undefined,
"security-event-listener" => undefined,
"trusted-security-domains" => undefined
}
}
/subsystem=elytron/properties-realm=realmSPNEGO:read-resource
{
"outcome" => "success",
"result" => {
"groups-attribute" => "groups",
"groups-properties" => {
"path" => "spnego-roles.properties",
"relative-to" => "jboss.server.config.dir"
},
"users-properties" => {
"path" => "spnego-users.properties",
"relative-to" => "jboss.server.config.dir",
"digest-realm-name" => "MY.DOMAIN.COM",
"plain-text" => true
}
}
}
$ cat spnego-users.properties
aivanov@MY.DOMAIN.COM=
test@MY.DOMAIN.COM=
$ cat spnego-roles.properties
...<empty>...
Если заходить с машины в домене под пользователем, что прописан в spnego-users.properties, то всё работает. Но если это делать от другого пользователя, то не пускает.
Во всех статьях, что находились гуглом, предлагается использовать properties-realm с файлами пользователей и ролей из-за чего аутнетификация проходит только для тех, кто записан в файле пользователей (как в примере выше). Если же там никого не прописовать
09:46:36,027 TRACE [org.wildfly.security] (default task-1) PropertiesRealm: identity [test@MY.DOMAIN.COM] does not exist
09:46:36,027 TRACE [org.wildfly.security] (default task-1) Authorization failed - realm identity does not exists
09:56:52,410 TRACE [org.wildfly.security] (default task-1) Handling MechanismInformationCallback type='HTTP' name='BASIC' host-name='srv.my.domain.com' protocol='http'
09:56:52,410 TRACE [org.wildfly.security] (default task-1) Handling AvailableRealmsCallback: realms = []
09:56:52,410 DEBUG [org.wildfly.security.http.password] (default task-1) Username authentication. Realm: [null], Username: [test@MY.DOMAIN.COM].
09:56:52,410 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = test@MY.DOMAIN.COM
09:56:52,410 TRACE [org.wildfly.security] (default task-1) Principal assigning: [test@MY.DOMAIN.COM], pre-realm rewritten: [test@MY.DOMAIN.COM], realm name: [realmSPNEGO], post-realm rewritten: [test@MY.DOMAIN.COM], realm rewritten: [test@MY.DOMAIN.COM]
09:56:52,410 TRACE [org.wildfly.security] (default task-1) Attempting to authenticate account test@MY.DOMAIN.COM using LegacyPropertiesSecurityRealm.
09:56:52,410 DEBUG [org.wildfly.security.http.basic] (default task-1) User test@MY.DOMAIN.COM authentication failed.
09:56:52,410 TRACE [org.wildfly.security] (default task-1) Handling AuthenticationCompleteCallback: fail
Может кто сталкивался с этим или располагает нормальной статьёй по этому поводу. Хотелось бы обойтись без LDAP (ведь apache и так может).
Заранее спасибо.