tomcat-dev mailing list archives

Subject DO NOT REPLY [Bug 48685] Spnego Support in Tomcat
Date Fri, 01 Apr 2011 11:10:22 GMT

--- Comment #40 from Michael Osipov <> 2011-04-01 07:10:15 EDT ---

There are some glitches which have to be addressed in my opinion:
- DEFAULT_SPN_CLASS is never used, forgot to delete?
- DEFAULT_KRB5_CONF value: .ini is Windows style, on Unix it is krb5.conf only. I
would stick to that convention. I.e., split into two props.
- DEFAULT_LOGIN_MODULE_NAME value: this is Oracle-specific, I would rather use
a vendor-agnostic name like 'tomcat-accept'. (Same rule as in tomcat.keytab)

- 'storeDelegatedCredentials' rename to 'storeDelegatedCredential' since
GSSContext uses singular and the realm does the same, applies to many JavaDocs
- It might be worth checking for '/etc/krb5.conf' or 'C:\Windows\krb5.ini'
because those are default locations on those OSs and this is what the JVM does
if you did not overwrite the property. See
=> Locating the krb5.conf Configuration File
- 'stripAtForGss' rename to 'stripRealm'. I think this one reads better.
- There is no option to sign in with Kerberos into a directory server. Only
delegated credential works. This might be problematic if some user account is
not trusted for cred deleg. I don't like to fall back to plain password. Did I
miss that spot in the code?
- Property '' should be configurable.
It applies at least to GSSAPI.
- Property '' should be configurable. It applies at
least to GSSAPI *and* DIGEST-MD5.
See here for more ref:

I did not yet try the code, I just made a review. I will check docs separately.
