tomcat-dev mailing list archives

From Filip Hanik - Dev Lists <>
Subject SpnegoAuthenticator feedback
Date Wed, 20 Apr 2011 20:00:12 GMT
Here are some thoughts on the implementation

1. | is not needed
This definition is not needed in jaas.conf. Tomcat is not a client in this case, it's a server
accepting tickets.
The .initiate is only for clients that request a Kerberos ticket from the KDC.
The example works fine removing this entry altogether.

2. is not configurable
While the authenticator has the attribute loginConfigName, there seems to be a place in the
code where it omits this entry.
Renaming this entry in jaas.conf and setting the loginConfigName will fail to validate a ticket.

The problem code is here:

             gssContext = manager.createContext(manager.createCredential(null,
                     new Oid(""),

Should look like:
             final GSSManager manager = GSSManager.getInstance();
             final PrivilegedExceptionAction<GSSCredential> action =
                 new PrivilegedExceptionAction<GSSCredential>() {
                     public GSSCredential run() throws GSSException {
                         return manager.createCredential(null,
                                 new Oid(""),
             gssContext = manager.createContext(Subject.doAs(lc.getSubject(), action));

