尝试通过协商进行身份验证时检测到有缺陷的令牌我还发现 curl 命令中生成的令牌以"TIR"开头,而 java 代码生成的令牌以"YII"开头。
Curl 命令工作正常 curl -v -i --negotiate -u : "http://server/path">
System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("sun.security.jgss.debug", "true");
SpnegoClient spnegoClient = SpnegoClient.loginWithUsernamePassword("<user>", "<pwd>");
URL url = new URL("http://<server>/<path>");
SpnegoContext context = spnegoClient.createContext(url);
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
System.out.println("createToken: "+context.createTokenAsAuthroizationHeader());
conn.setRequestProperty("Authorization", context.createTokenAsAuthroizationHeader());
conn.connect();
System.out.println("ResponseCode: "+conn.getResponseCode());
输出消息:
createToken: Negotiate YIICKAYGKwYBBQUCoIICHDCCAhigDTALBgkqhkiG9xIBAgKhBAMCAXaiggH/BIIB+2CCAfcGCSqGSIb3EgECAgEAboIB5jCCAeKgAwIBBaEDAgEOogcDBQAgAAAAo4IBEmGCAQ4wggEKoAMCAQWhEhsQTFVDSURURUNIU09MLkNPTaIhMB+gAwIBAKEYMBYbBEhUVFAbDjE5Mi4xNjguMTY4LjMyo4HLMIHIoAMCAQOhAwIBCaKBuwSBuCjSsDSOucrIdDiuFNWft/MFjHqRDHHnY5s7FmGJQEOD18sABBL+gZ4ENArT65ddjmmtGLhJ8glMN8Cv8y+JDX54sUZ/IoSqot8h+VuPJsCBeEYWN+556iscViQTyiiGFao+VcVPoGUdNEUg80P4A/VZr6hs5o7qVWH88I3iv7Afn6zhxPiG1bQKBafXCluPfiMr1EN4KY2YglmV+TWQLSrBM+O+uTCTrCcMgzBcKChV14cP2KgpeWekgbYwgbOgAwIBAaKBqwSBqMREjYc0vDQ2/BqGEEqnhbBI0NQOL57e17t1uSU5cr9U5S16WLlj01f7QUNF5cZji5/K9Y+WhrwguKZqQ0ifni7pTjWwabjJVDcNLjpXzJHcNDIjSrh8KdpJu1IHYsJ8NH4SejNUbRfIAyHCl9jNAK1IhIqJ8HfrzQreyV1nG2RjA8mwZ8d/Gh+peFHSYJpi/hVXFFlngUI8AYk61k+vhiHqh/er/AoJrg==
Exception in thread "main" java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: Defective token detected (Mechanism level: Invalid SPNEGO NegTokenTarg token : Short read of DER length))
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at com.kerb4j.client.SpnegoContext.createToken(SpnegoContext.java:31)
at com.kerb4j.client.SpnegoContext.createTokenAsAuthroizationHeader(SpnegoContext.java:41)
at com.lucid.negotiate.App.main(App.java:60)
Caused by: GSSException: Defective token detected (Mechanism level: Defective token detected (Mechanism level: Invalid SPNEGO NegTokenTarg token : Short read of DER length))
at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:454)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
at com.kerb4j.client.SpnegoContext$1.run(SpnegoContext.java:34)
at com.kerb4j.client.SpnegoContext$1.run(SpnegoContext.java:31)
... 5 more
Caused by: GSSException: Defective token detected (Mechanism level: Invalid SPNEGO NegTokenTarg token : Short read of DER length)
at sun.security.jgss.spnego.NegTokenTarg.parseToken(NegTokenTarg.java:192)
at sun.security.jgss.spnego.NegTokenTarg.<init>(NegTokenTarg.java:75)
at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:350)
... 9 more
GSS 数据(编码为 Base64(,开头为:
- "YII"使用Kerberos作为SPNEGO子机制。
- "TIR"使用NTLM作为SPNEGO子机制。
即 CURL 建议将 NTLM 作为首选机制,而您的 Java 客户端正在尝试使用 Kerberos。