tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Filip Hanik - Dev Lists <devli...@hanik.com>
Subject Re: SpnegoAuthenticator feedback
Date Thu, 21 Apr 2011 17:51:08 GMT
On 4/21/2011 3:09 AM, Mark Thomas wrote:
> On 20/04/2011 21:00, Filip Hanik - Dev Lists wrote:
>> Here are some thoughts on the implementation
> Thanks for the feedback.
>
>> 1. |com.sun.security.jgss.initiate is not needed
>> This definition is not needed in jaas.conf. Tomcat is not a client in
>> this case, it's a server accepting tickets.
>> the .initiate is only for clients that request a Kerberos ticket from
>> the KDC.
>> The example works fine removing this entry all together.
> I think this will be required when we add support for using the server's
> delegated credentials to connect to the directory to retrieve user
> roles. I'll check this when I implement it and will remove it if I can.
yes, if you want tomcat to act as a client.
Acting like a client will mean a few different things, like
- configuring the module name for the client
- I'm pretty sure the configuration will be different here, you should not need a keytab or
principal, you're a client in this case.


>> 2. com.sun.security.jgss.krb5.accept is not configurable
>> While the authenticator has the attribute loginConfigName, there seems
>> to be a place in the code where it omits this entry.
>> renaming this entry in jaas.conf and setting the loginConfigName will
>> fail to validate a ticket
> Thanks. I'll add a BZ entry for this. I should be able to get to in in
> time for 7.0.13 (unless someone beats me to it).

much appreciated
Filip


> Mark
>
>> The problem code is here:
>>
>>              gssContext =
>> manager.createContext(manager.createCredential(null,
>>                      GSSCredential.DEFAULT_LIFETIME,
>>                      new Oid("1.3.6.1.5.5.2"),
>>                      GSSCredential.ACCEPT_ONLY));
>>
>> should look like
>>              final GSSManager manager = GSSManager.getInstance();
>>              final PrivilegedExceptionAction<GSSCredential>  action =
>>                  new PrivilegedExceptionAction<GSSCredential>() {
>>                      public GSSCredential run() throws GSSException {
>>                          return manager.createCredential(null,
>>                                  GSSCredential.DEFAULT_LIFETIME,
>>                                  new Oid("1.3.6.1.5.5.2"),
>>                                  GSSCredential.ACCEPT_ONLY);
>>                      }
>>                  };
>>              gssContext =
>> manager.createContext(Subject.doAs(lc.getSubject(), action));||
>>
>>
>> best
>> Filip
>> |
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>
>
> -----
> No virus found in this message.
> Checked by AVG - www.avg.com
> Version: 10.0.1321 / Virus Database: 1500/3586 - Release Date: 04/20/11
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message