Creating a SPNEGO token for HTTP requests from J2EE, .NET, Java™, and web service clients
You can create a Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) token for your application and insert it into the HTTP header to authenticate to WebSphere® Application Server.
Procedure
- Create the client GSS credential. Choose one of the following four options:
- Create the GSS credential from a Kerberos credential cache. For example:
    // imports needed: org.ietf.jgss.*
    // Read the Kerberos ticket from the native credential cache rather than a JAAS Subject
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    Oid krb5MechOid = new Oid("1.2.840.113554.1.2.2");
    Oid spnegoMechOid = new Oid("1.3.6.1.5.5.2");
    GSSManager manager = GSSManager.getInstance();
    GSSName gssUserName = manager.createName(userName, GSSName.NT_USER_NAME, krb5MechOid);
    clientGssCreds = manager.createCredential(gssUserName.canonicalize(krb5MechOid),
            GSSCredential.INDEFINITE_LIFETIME, krb5MechOid, GSSCredential.INITIATE_ONLY);
    // Add the SPNEGO mechanism so the credential can initiate a SPNEGO context
    clientGssCreds.add(gssUserName, GSSCredential.INDEFINITE_LIFETIME,
            GSSCredential.INDEFINITE_LIFETIME, spnegoMechOid, GSSCredential.INITIATE_ONLY);
- Create the GSS credential from a Subject that holds Kerberos tickets. For example:
    // imports needed: org.ietf.jgss.*, javax.security.auth.Subject,
    //                 java.security.PrivilegedExceptionAction
    final Oid krb5MechOid = new Oid("1.2.840.113554.1.2.2");
    final Oid spnegoMechOid = new Oid("1.3.6.1.5.5.2");
    final GSSManager manager = GSSManager.getInstance();
    // Run inside the Subject so JGSS finds the Kerberos tickets in its private credentials.
    // Subject.doAs wraps any GSSException thrown by run() in a PrivilegedActionException.
    clientGssCreds = Subject.doAs(subject, new PrivilegedExceptionAction<GSSCredential>() {
        public GSSCredential run() throws GSSException {
            GSSName gssUserName = manager.createName(userName, GSSName.NT_USER_NAME, krb5MechOid);
            GSSCredential gssCred = manager.createCredential(gssUserName.canonicalize(krb5MechOid),
                    GSSCredential.DEFAULT_LIFETIME, krb5MechOid, GSSCredential.INITIATE_ONLY);
            // Add the SPNEGO mechanism so the credential can initiate a SPNEGO context
            gssCred.add(gssUserName, GSSCredential.INDEFINITE_LIFETIME,
                    GSSCredential.INDEFINITE_LIFETIME, spnegoMechOid, GSSCredential.INITIATE_ONLY);
            return gssCred;
        }
    });
- Create the GSS credential after invoking the WSKRB5Login login module. For example:
    // imports needed: org.ietf.jgss.*
    Oid krb5MechOid = new Oid("1.2.840.113554.1.2.2");
    Oid spnegoMechOid = new Oid("1.3.6.1.5.5.2");
    // Use only the Kerberos credentials that WSKRB5Login placed in the current Subject
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");
    GSSManager manager = GSSManager.getInstance();
    GSSName gssUserName = manager.createName(userName, GSSName.NT_USER_NAME, krb5MechOid);
    clientGssCreds = manager.createCredential(gssUserName.canonicalize(krb5MechOid),
            GSSCredential.INDEFINITE_LIFETIME, krb5MechOid, GSSCredential.INITIATE_ONLY);
    // Add the SPNEGO mechanism so the credential can initiate a SPNEGO context
    clientGssCreds.add(gssUserName, GSSCredential.INDEFINITE_LIFETIME,
            GSSCredential.INDEFINITE_LIFETIME, spnegoMechOid, GSSCredential.INITIATE_ONLY);
- Create the GSS credential from the Microsoft native Kerberos credential cache. For example:
    // imports needed: org.ietf.jgss.*
    Oid krb5MechOid = new Oid("1.2.840.113554.1.2.2");
    Oid spnegoMechOid = new Oid("1.3.6.1.5.5.2");
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    GSSManager manager = GSSManager.getInstance();
    // A null name selects the default principal of the logged-on Windows user (MSLSA: cache)
    clientGssCreds = manager.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
            krb5MechOid, GSSCredential.INITIATE_ONLY);
    // Add the SPNEGO mechanism so the credential can initiate a SPNEGO context
    clientGssCreds.add(null, GSSCredential.INDEFINITE_LIFETIME,
            GSSCredential.INDEFINITE_LIFETIME, spnegoMechOid, GSSCredential.INITIATE_ONLY);
Note: The MSLSA: credential cache relies on the ability to extract the entire Kerberos ticket, including its session key, from the Kerberos LSA. In an effort to improve security, Microsoft has begun implementing a feature by which the session key for the ticket-granting ticket is no longer exported; this makes the ticket useless to IBM® JGSS when it tries to request additional service tickets. This feature is already present in Windows 2003 Server and Windows XP SP2 Beta. Microsoft provides the following registry key to disable it: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters AllowTGTSessionKey = 0x01 (DWORD)
On Windows XP SP2 Beta 1, the key is specified as: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos AllowTGTSessionKey = 0x01 (DWORD)
- After the client GSS credential has been created, you can create the SPNEGO token and insert it into the HTTP header, as shown below:
    // imports needed: org.ietf.jgss.*, java.net.URL, java.net.HttpURLConnection, java.util.Base64
    // create the target server SPN (of the form HTTP/<host>@<REALM>)
    GSSName gssServerName = manager.createName(targetServerSpn, GSSName.NT_USER_NAME);
    GSSContext clientContext = manager.createContext(gssServerName.canonicalize(spnegoMechOid),
            spnegoMechOid, clientGssCreds, GSSContext.DEFAULT_LIFETIME);
    // optional: enable GSS credential delegation (forwards the client's TGT to the server)
    clientContext.requestCredDeleg(true);
    byte[] spnegoToken = new byte[0];
    // create a SPNEGO token for the target server
    spnegoToken = clientContext.initSecContext(spnegoToken, 0, spnegoToken.length);
    URL url = new URL(targetUrl);
    HttpURLConnection con = (HttpURLConnection) url.openConnection();
    try {
        // insert the SPNEGO token in the HTTP header; java.util.Base64 does the encoding
        con.setRequestProperty("Authorization",
                "Negotiate " + Base64.getEncoder().encodeToString(spnegoToken));
        // an IOException here propagates to the caller rather than being silently dropped
        int responseCode = con.getResponseCode();
    } finally {
        con.disconnect();
    }
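As an added, end-to-end example (not code from the IBM documentation), the following class combines the token creation and header insertion above into one helper that also feeds the server's reply token back into initSecContext and requires mutual authentication before treating the request as authenticated. clientGssCreds is any credential produced by the four options in step 1; the SPN and URL are assumed inputs.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Base64;
import org.ietf.jgss.*;

/** Drives a SPNEGO negotiation over HTTP until the GSS context is established. */
public class SpnegoHttpClient {

    /** Returns the decoded token from "WWW-Authenticate: Negotiate <base64>", or null if absent. */
    static byte[] responseToken(String wwwAuthenticate) {
        if (wwwAuthenticate == null || !wwwAuthenticate.startsWith("Negotiate ")) {
            return null;
        }
        String b64 = wwwAuthenticate.substring("Negotiate ".length()).trim();
        return b64.isEmpty() ? null : Base64.getDecoder().decode(b64);
    }

    /** Sends the request with a SPNEGO token, processes the server's reply, returns the HTTP status. */
    public static int negotiate(GSSCredential clientGssCreds, String targetServerSpn, String targetUrl)
            throws GSSException, IOException {
        Oid spnegoMechOid = new Oid("1.3.6.1.5.5.2");
        GSSManager manager = GSSManager.getInstance();
        // targetServerSpn is assumed to be of the form HTTP/<host>@<REALM>
        GSSName gssServerName = manager.createName(targetServerSpn, GSSName.NT_USER_NAME);
        GSSContext ctx = manager.createContext(gssServerName.canonicalize(spnegoMechOid),
                spnegoMechOid, clientGssCreds, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);  // the server must prove it holds the key for the SPN
        ctx.requestCredDeleg(false);  // do not forward the client's TGT unless the service needs it
        byte[] inToken = new byte[0];
        int status = -1;
        do {
            byte[] outToken = ctx.initSecContext(inToken, 0, inToken.length);
            if (outToken == null || outToken.length == 0) {
                break;  // nothing left to send: the server's last token completed the context
            }
            HttpURLConnection con = (HttpURLConnection) new URL(targetUrl).openConnection();
            con.setRequestProperty("Authorization",
                    "Negotiate " + Base64.getEncoder().encodeToString(outToken));
            status = con.getResponseCode();
            inToken = responseToken(con.getHeaderField("WWW-Authenticate"));
            con.disconnect();
        } while (inToken != null && !ctx.isEstablished());
        boolean ok = ctx.isEstablished() && ctx.getMutualAuthState();
        ctx.dispose();
        if (!ok) {
            throw new GSSException(GSSException.FAILURE, 0,
                    "SPNEGO negotiation with " + targetServerSpn + " did not complete (HTTP " + status + ")");
        }
        return status;
    }
}
```

A 200 response by itself does not prove the peer is the intended service; only a context that reports both isEstablished() and getMutualAuthState() true does.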
Results
Your application might need a Kerberos configuration file (krb5.ini or krb5.conf). See "Creating a Kerberos configuration file" for more information.
Related tasks:
- http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=tsec_SPNEGO_token
File name: tsec_SPNEGO_token.html