
KerberosTemplate を使用して、Kerberos 認証で保護された REST API に POST リクエストを送信しています。

コマンドラインからは安全でないリクエストを正常に実行できますが、HTTP クライアントから安全な呼び出しを行おうとすると、401 Unauthorized エラーが返されます。

証明書の検証は使用していないため、無効にしてみました。ドメインなしのユーザー名も試しましたが、結果は変わりません。

kerb4j の REST テンプレートも試しましたが、同じ問題が発生します。コードを見るとわかるとおり、keytab ファイルが存在することも確認しています。

助けていただきありがとうございます。

import ErrorHandlers.KerberosRestTemplateResponseErrorHandler;
import POJOs.PostBody;
import POJOs.PostResponse;
import com.fasterxml.jackson.databind.SerializationFeature;
//import com.kerb4j.client.spring.KerberosRestTemplate;
import org.springframework.security.kerberos.client.KerberosRestTemplate;

import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;

import javax.net.ssl.SSLContext;
import java.io.File;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;

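/**
 * Stand-alone reproduction that POSTs a JSON body to a Kerberos-protected REST
 * endpoint through Spring Security Kerberos' {@code KerberosRestTemplate}.
 *
 * <p>The program builds an Apache HttpClient with a custom TLS context, checks that
 * the keytab file is present, and sends one request with a few custom headers.
 * HTTP error responses are printed by {@code KerberosRestTemplateResponseErrorHandler}.
 */
public class KerbTemplate {
    /**
     * Builds the request, the HTTP client and the Kerberos template, then sends the POST.
     *
     * @param args unused
     * @throws KeyStoreException        if the trust material cannot be loaded
     * @throws NoSuchAlgorithmException if the TLS context cannot be created
     * @throws KeyManagementException   if the TLS context cannot be initialised
     * @throws IllegalStateException    if the keytab file is missing
     */
    public static void main(String[] args) throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException {

        PostBody postRequestBody = new PostBody();
        postRequestBody.setAggregation("data");
        postRequestBody.setEndDate("2119-03-30");
        postRequestBody.setStartDate("1900-03-30");
        postRequestBody.setMetadata(new String[] {"PARTIAL"});
        postRequestBody.setSymbols(new String[] {"requestdata"});
        postRequestBody.setModifiedDate("2019-07-20");
        postRequestBody.setFirstWeekday("0");

        // SECURITY: this strategy accepts every certificate chain, so the client cannot tell
        // the real endpoint from an interceptor; the request body and the Negotiate token
        // go to whoever answers on that host name. Keep it for local debugging only and
        // load the issuing CA into a trust store for anything else.
        TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;
        SSLContext sslContext = org.apache.http.ssl.SSLContexts.custom().loadTrustMaterial(null, acceptingTrustStrategy).build();
        SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext);

        // NOTE(review): this client is built without any SPNEGO auth scheme or credentials
        // provider. As far as the library source shows, KerberosRestTemplate only registers
        // SPNEGO on the client it builds itself (the constructors that take no HttpClient);
        // a caller-supplied client is used as-is. That would match a request that stays
        // "UNCHALLENGED" and ends in 401 - confirm against the library version in use.
        CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(csf).build();

        // SECURITY: a keytab holds the principal's long-term key and is equivalent to its
        // password. Under src/main/resources it is likely to be committed or packaged with
        // the application; prefer a path outside the source tree, readable by the service
        // account only.
        String base = System.getProperty("user.dir");
        String keytab = base + File.separator + "src" + File.separator + "main" + File.separator + "resources" + File.separator + "username.keytab";
        System.out.println(keytab);
        File keytabFile = new File(keytab);
        if (!keytabFile.exists() || keytabFile.isDirectory()) {
            // Stop here: without the keytab the Kerberos login cannot succeed, and the
            // later failure would be harder to attribute.
            throw new IllegalStateException("Keytab file not found: " + keytab);
        }
        System.out.println("File exists");

        // NOTE(review): the leading ' in the principal looks like a paste or redaction
        // artifact; a principal normally has the form user@REALM - confirm.
        // KerberosRestTemplate wraps the client in its own request factory, so the client
        // is passed directly.
        KerberosRestTemplate kerberosRestTemplate = new KerberosRestTemplate(keytab, "'username@domain", httpClient);
        kerberosRestTemplate.setErrorHandler(new KerberosRestTemplateResponseErrorHandler());

        MappingJackson2HttpMessageConverter jsonHttpMessageConverter = new MappingJackson2HttpMessageConverter();
        jsonHttpMessageConverter.getObjectMapper().configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false);
        kerberosRestTemplate.getMessageConverters().add(jsonHttpMessageConverter);

        // Add CSRF header if required:
        HttpHeaders headers = new HttpHeaders();
        headers.set("X-Requested-By", "'username@domain");
        headers.setContentType(MediaType.APPLICATION_JSON);
        headers.set("Client-Type", "Web");
        headers.set("Client-UI-Component", "Jim");

        HttpEntity<PostBody> postRequest = new HttpEntity<>(postRequestBody, headers);
        PostResponse pr = kerberosRestTemplate.postForObject("https://url.com/1/data/loadList", postRequest, PostResponse.class);

    }
}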

package ErrorHandlers;

import org.springframework.http.HttpStatus;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.web.client.ResponseErrorHandler;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

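/**
 * Error handler that prints 4xx/5xx responses to standard output instead of throwing.
 *
 * <p>Because {@link #handleError} returns normally, the calling template carries on
 * after an error response; callers must not treat a returned object as proof that
 * the request was authorised.
 */
public class KerberosRestTemplateResponseErrorHandler implements ResponseErrorHandler {

    /** Upper bound on how much of an error body is read and printed. */
    private static final int MAX_LOGGED_BODY_BYTES = 16 * 1024;

    /**
     * Reports whether the response status is in the client-error or server-error series.
     *
     * @param httpResponse the response to inspect
     * @return {@code true} for a 4xx or 5xx status
     * @throws IOException if the status cannot be read
     */
    @Override
    public boolean hasError(ClientHttpResponse httpResponse) throws IOException {
        HttpStatus.Series series = httpResponse.getStatusCode().series();
        return series == HttpStatus.Series.CLIENT_ERROR || series == HttpStatus.Series.SERVER_ERROR;
    }

    /**
     * Prints the status code, status text and response body of an error response.
     *
     * @param httpResponse the error response
     * @throws IOException if the response cannot be read
     */
    @Override
    public void handleError(ClientHttpResponse httpResponse) throws IOException {

        System.out.println("Error Response code " + httpResponse.getRawStatusCode());
        System.out.println(httpResponse.getStatusText());
        // Read the stream's content; calling toString() on the stream prints only the
        // object's identity, never the server's error message.
        System.out.println(readBody(httpResponse.getBody()));
    }

    /**
     * Reads at most {@link #MAX_LOGGED_BODY_BYTES} bytes of the body and decodes them.
     *
     * @param body the response body stream, possibly {@code null}
     * @return the decoded text, or an empty string when there is no body
     * @throws IOException if reading fails
     */
    private static String readBody(InputStream body) throws IOException {
        if (body == null) {
            return "";
        }
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int read;
        // The body comes from the remote side, so the amount held in memory is capped.
        while (buffer.size() < MAX_LOGGED_BODY_BYTES
                && (read = body.read(chunk, 0, Math.min(chunk.length, MAX_LOGGED_BODY_BYTES - buffer.size()))) != -1) {
            buffer.write(chunk, 0, read);
        }
        // NOTE(review): assumes the error body is UTF-8 - confirm against the Content-Type header.
        return new String(buffer.toByteArray(), StandardCharsets.UTF_8);
    }
}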

部分的なログで更新

540 [main] DEBUG org.apache.http.client.protocol.RequestAddCookies - 選択された CookieSpec: デフォルト 21:58:30.561 [main] DEBUG org.apache.http.client.protocol.RequestAuthCache - Auth キャッシュがコンテキストに設定されていません 21 :58:30.565 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - 接続要求: [ルート: {s}->myendpoint.com:443][合計キープアライブ: 0; 割り当てられたルート: 2 の 0。割り当てられた合計: 20 の 0] 21:58:30.587 [メイン] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - リースされた接続: [id: 0][ルート: {s}->myendpoint.com:443] [合計キープアライブ: 0; 割り当てられたルート: 2 の 1。割り当てられた合計: 20 の 1] 21:58:30.591 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - 接続を開く {s}->myendpoint.com:443 21:58:30.617 [main] DEBUG org .apache.http.impl.conn.

21:58:30.962 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - リクエスト POST /1/data/loadList HTTP/1.1 21:58:30.963 [main] DEBUG org.apache.http.impl を実行しています。 execchain.MainClientExec - ターゲット認証状態: UNCHALLENGED 21:58:30.968 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - プロキシ認証状態: UNCHALLENGED 21:58:30.976 [main] DEBUG org.apache.http.ヘッダー - http-outgoing-0 >> POST /1/data/loadList HTTP/1.1 21:58:30.979 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Accept: application/json, application /+json 21:58:30.979 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> クライアントタイプ: Fred 21:58:30.980 [main] DEBUG org.apache.http.headers - http-発信-0 >> コンテンツ タイプ: アプリケーション/json 21:58:30.981 [メイン] DEBUG org.apache.http.headers - http-outgoing-0 >> クライアント UI コンポーネント: ジム 21:58:30.981 [メイン] DEBUG org.apache.http.headers - http-outgoing-0 >> Content-Length: 220 21:58:30.982 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> ホスト: myendpoint。 com 21:58:30.983 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> 接続: キープアライブ 21:58:30.983 [main] DEBUG org.apache.http.headers - http-outgoing -0 >> ユーザーエージェント: Apache-HttpClient/4.5.9 (Java/1.8.0_212-3-redhat) 21:58:30.983 [メイン] DEBUG org.apache.http.headers - http-outgoing-0 >> Accept-Encoding: gzip,deflate 21:58:30.984 [メイン] DEBUG org.apache.http.wire - http-outgoing-0 >> "POST /1/data/loadList HTTP/1.1[\r][\n]" 21:58:30.984 [メイン] DEBUG 組織.apache.http.wire - http-outgoing-0 >> "受け入れます: application/json, application/+json[\r][\n]" 21:58:30.984 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Client-Type: Fred[\r][\n]" 21:58:30.985 [メイン] DEBUG org.apache.http.wire - http-outgoing-0 >> "Content-Type: application/json[\r][\n]" 21:58:30.986 [メイン] DEBUG org.apache.http.wire - http-outgoing-0 >> "Client-UI-Component: Jim[\r][\n]" 21:58:30.986 [main] DEBUG org.apache.http.wire - http -outgoing-0 >> "Content-Length: 220[\r][\n]" 21:58:30.986 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> 
"ホスト: myendpoint. com[\r][\n]" 21:58:30.988 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "接続: キープアライブ[\r][\n]" 21 :58:30.990 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> 「ユーザーエージェント: Apache-HttpClient/4.5.9 (Java/1.8.0_212-3-redhat)[\r][\n]" 21:58:30.990 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Accept-Encoding: gzip,deflate[\r ][\n]" 21:58:30.991 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "[\r][\n]" 21:58:30.992 [main] DEBUG org .apache.http.wire - http-outgoing-0 >> "{"firstWeekday":"0","metadata":["All"],"endDate":"2119-03-30","modifiedDate": "2019-07-20","集計":"DAILY","シンボル":["シンボル 1","シンボル 2"],"開始日":"1900-03-30"}" 21:58:31.043 [メイン] DEBUG org.apache.http.wire - http-outgoing-0 << "HTTP/1.1 401 [\r][\n]"Accept-Encoding: gzip,deflate[\r][\n]" 21:58:30.991 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "[\r][\n]" 21:58:30.992 [メイン] DEBUG org.apache.http.wire - http-outgoing-0 >> "{"firstWeekday":"0","metadata":["All"],"endDate":"2119 -03-30","modifiedDate":"2019-07-20","集計":"DAILY","symbols":["symbol1","symbol2"],"startDate":"1900-03-30 "}" 21:58:31.043 [メイン] DEBUG org.apache.http.wire - http-outgoing-0 << "HTTP/1.1 401 [\r][\n]"Accept-Encoding: gzip,deflate[\r][\n]" 21:58:30.991 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "[\r][\n]" 21:58:30.992 [メイン] DEBUG org.apache.http.wire - http-outgoing-0 >> "{"firstWeekday":"0","metadata":["All"],"endDate":"2119 -03-30","modifiedDate":"2019-07-20","集計":"DAILY","symbols":["symbol1","symbol2"],"startDate":"1900-03-30 "}" 21:58:31.043 [メイン] DEBUG org.apache.http.wire - http-outgoing-0 << "HTTP/1.1 401 [\r][\n]"> "{"firstWeekday":"0","メタデータ":["すべて"],"endDate":"2119-03-30","modifiedDate":"2019-07-20","集計":" DAILY","symbols":["symbol1","symbol2"],"startDate":"1900-03-30"}" 21:58:31.043 [メイン] DEBUG org.apache.http.wire - http-outgoing -0 << "HTTP/1.1 401 [\r][\n]"> "{"firstWeekday":"0","メタデータ":["すべて"],"endDate":"2119-03-30","modifiedDate":"2019-07-20","集計":" 
DAILY","symbols":["symbol1","symbol2"],"startDate":"1900-03-30"}" 21:58:31.043 [メイン] DEBUG org.apache.http.wire - http-outgoing -0 << "HTTP/1.1 401 [\r][\n]""HTTP/1.1 401 [\r][\n]""HTTP/1.1 401 [\r][\n]"

nosniff[\r][\n]" 21:58:31.044 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "X-XSS-Protection: 1; mode=block[\r][\n]" 21:58:31.044 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Cache-Control: no-cache, no-store, max -age=0, must-revalidate[\r][\n]" 21:58:31.044 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Pragma: no-cache[\r ][\n]" 21:58:31.044 [メイン] DEBUG org.apache.http.wire - http-outgoing-0 << "有効期限: 0[\r][\n]" 21:58:31.044 [メイン] DEBUG org.apache.http.wire - http-outgoing-0 << "Strict-Transport-Security: max-age=31536000 ; includeSubDomains[\r][\n]" 21:58:31.044 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "X-Frame-Options: DENY[\r][\n] " 21:58:31.044 [メイン] DEBUG org.apache.http.

1; mode=block 21:58:31.051 [main] DEBUG org.apache.http.headers - http-outgoing-0 << Cache-Control: no-cache, no-store, max-age=0, must-revalidate 21: 58:31.051 [メイン] DEBUG org.apache.http.headers - http-outgoing-0 << プラグマ: no-cache 21:58:31.051 [メイン] DEBUG org.apache.http.headers - http-outgoing-0 < < Expires: 0 21:58:31.051 [main] DEBUG org.apache.http.headers - http-outgoing-0 << Strict-Transport-Security: max-age=31536000 ; includeSubDomains 21:58:31.051 [main] DEBUG org.apache.http.headers - http-outgoing-0 << X-Frame-Options: DENY 21:58:31.051 [main] DEBUG org.apache.http.headers - http -outgoing-0 << Transfer-Encoding: chunked 21:58:31.051 [main] DEBUG org.apache.http.headers - http-outgoing-0 << Date: Wed, 11 Sep 2019 20:58:31 GMT 21: 58:31.063 [メイン] DEBUG org.apache.http.impl.execchain.

21:58:31.096 [メイン] DEBUG org.apache.http.wire - http-outgoing-0 << "0[\r][\n]" 21:58:31.097 [メイン] DEBUG org.apache.http.ワイヤー - http-outgoing-0 << "[\r][\n]" 21:58:31.097 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - 接続 [id: 0][route: { s}->myendpoint.com:443] 21:58:31.097 [main] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-0: ソケット タイムアウトを 0 に設定 21:58 :31.097 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - 接続が解放されました: [id: 0][route: {s}->myendpoint.com:443][total keep alive: 1; 割り当てられたルート: 2 の 1。割り当てられた合計: 20 個中 1 個]

プロセスは終了コード 0 で終了しました
