tomcat-users mailing list archives

From Mark Thomas <>
Subject Re: JNDI Realm and GSSAPI problems with TC 7
Date Fri, 06 Dec 2013 00:04:47 GMT
On 05/12/2013 14:48, Hendrik Dev wrote:
> Hi,
> I have a few questions about the JNDIRealm, GSSAPI (Kerberos 5 mech)
> authentication and the SPNEGO Authenticator Valve in TC 7.0.47:
> Preface: In the docs the SPNEGO Authenticator Valve/JNDIRealm is called
> "30) Windows Authentication" but I guess it's not only working for
> Windows? I see no code which is explicitly tied to Windows or Active
> Directory, so I assume it's also working for a Linux/MIT Kerberos/OpenLDAP
> setup, is this true?

It *should* work with those but it has only been tested with:
- Windows domain controller
- Windows client
- Tomcat running on Windows Server
- Tomcat running on Ubuntu Server

The remainder of my reply is based on a combination of reading the
source and what I recall of my intentions when I implemented the SPNEGO
support rather than actual testing.

> What I try to achieve is that the JNDIRealm will use the user's (who is
> authenticated by the SPNEGO valve) delegated credentials to connect to
> the LDAP server and then query the roles to which the user belongs.
> This is not working for me for two reasons:
> 1) JndiRealm initially tries on startup to make a connection to the
> LDAP server, which makes no sense because there are no GSSAPI
> credentials yet -> JndiRealm.startInternal() (Line 2225)

Either the directory will need to allow anonymous bind or you'll need to
define a user with minimal privs and provide the appropriate user name
and password in the connectionName and connectionPassword attributes.

> 2) After temporarily solving issue 1)
> the JNDI Realm prompts me for username and password.
Do you mean Tomcat tells your browser to display the BASIC auth password
dialog? Or do you mean something else? What are the HTTP headers at this

> This seems to be originating from the SASL Client default callback.
What are you basing that statement on?

> I tried to register my own callbackhandler
> (setting but it’s ignored.
What did you set this to?

> Inspecting the code of it seems that such a scenario is
> not indented
I assume you mean intended here.

Take another look at the getPrincipal(DirContext, String, GSSCredential)
method. Keep in mind that the SPNEGO authenticator is a little different
in that it doesn't obtain the username and credentials for a Realm to
validate. The SPNEGO authenticator provides an authenticated user and
their associated credentials. The Realms simply use the authenticated
user without further validation.

> but the docs argue the converse
The default behaviour with the JNDIRealm is to use the authenticated
client's credentials to obtain the roles.

> Any help is appreciated.
A good place to start would be for you to provide us with some
configuration details. The behaviour you seem to be aiming for is
supported and very close to the default. At this point this looks like a
configuration error but we can't help much if we can't see the
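As an added illustration of the setup Mark describes (not configuration from the thread or from the Tomcat project), here is a minimal pair of fragments: the application declares SPNEGO as its auth method, and the JNDIRealm gets a low-privilege bind identity so the startup connection in startInternal() can succeed before any delegated GSSAPI credential exists. Host names, DNs, filters and the password are placeholders.

```xml
<!-- WEB-INF/web.xml of the protected application. Declaring SPNEGO as the
     auth method selects Tomcat's SPNEGO authenticator, so the browser is
     never asked for a BASIC username/password. -->
<login-config>
  <auth-method>SPNEGO</auth-method>
  <realm-name>Example</realm-name>
</login-config>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>tomcat-users</role-name>
  </auth-constraint>
</security-constraint>

<!-- META-INF/context.xml. connectionName/connectionPassword answer point 1):
     they give the realm an identity for the connection it opens on startup.
     Keep that account read-only and limited to the user/group subtrees.
     Per Mark's reply, the role lookup for an SPNEGO-authenticated user is
     done with that user's delegated credential by default, not with this
     bind account. All values below are placeholders. -->
<Context>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://ldap.example.internal:389"
         connectionName="uid=tomcat-bind,ou=service,dc=example,dc=internal"
         connectionPassword="CHANGE-ME-PLACEHOLDER"
         userBase="ou=people,dc=example,dc=internal"
         userSearch="(krbPrincipalName={0})"
         roleBase="ou=groups,dc=example,dc=internal"
         roleName="cn"
         roleSearch="(member={0})"
         roleSubtree="true"/>
</Context>
```

In the userSearch filter, {0} is replaced with the principal name the SPNEGO authenticator established (typically user@REALM), so the attribute searched must hold that form of the name in your directory.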

