tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Maarten van Hulsentop <>
Subject Tomcat SPNEGO valve - role assignment in 'grant-all' realm
Date Wed, 10 Oct 2012 09:30:25 GMT

We are configuring our Tomcat web application to authenticate using SPNEGO
(Kerberos in particular) on Tomcat 7.0.29.
Following the step-by-step 'Windows Authentication How-To', i succeeded
doing so. Part of setting it up was configuring a Realm that assigns a role
to the user, because the web application requires this. The Realm is
supposed to grant the role to any user, where the password equals the user

Now, as long as we combine the SPNEGOAuthenticator and this Realm, there is
no issue. But as soon as somebody starts using my special Realm in
combination with, lets say, the BasicAuthenticator, we have introduced a
huge security hole.

In my mind, the responsibilities are assigned differently. The Valves
(Authenticators) should be doing the HTTP request/header/login form/etc
handling, and the Realm should be doing the actual Authentication against
some data source. In the case of SPNEGO, the SPNEGOAuthenticator seems to
try to do the authentication as well, and only delegate to the Realm to
finally grant the role.

Now my questions are; am i right i my assumption of the responsibilities?
Should i be configuring this differently? or am i indeed on the right track?


Maarten van Hulsentop

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message