tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 48685] Spnego Support in Tomcat
Date Fri, 01 Apr 2011 12:41:31 GMT

--- Comment #42 from Michael Osipov <> 2011-04-01 08:41:22 EDT ---

I just compiled and deployed 7.0.12-dev to our test server. It works but fails
at some point.
The default server.xml is configured with:
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"

The Authentication fails at: UserDatabaseRealm line 215 because the use cannot
be found in the database.

I think there is a huge misconception from your point of view. Kerberos is not
something which simply passes credentials to a realm. Kerberos IS THE REALM.
You cannot and should not pass that username to any other realm but to an
authorizing realm. In this case the user cannot be authenticated and gets
locked out. The way it is coded right now won't work.
Kerberos sole purpose is to indentify the user properly and this works
flawlessly in my Eclipse debug session and in Fiddler.


Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message