tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: SSO fails on Tomcat 9
Date Tue, 10 Sep 2019 13:38:10 GMT
On 06/09/2019 13:20, Heidi Leerink - Duverger wrote:
> Hello Mark,
> 
> That helps somewhat, my browser now shows the login page for our application, BUT I do
not get my username in HTTP variable REMOTE_USER but the principal keytab related name.
> 
> So instead of hduverge I get HTTP/nlsl-decadetst.u4agr.com@U$AGR.COM

The Tomcat Authenticator takes care of validating the user. In the
configuration you provided the JAASRealm is - effectively -
(re-)validating the contents of the keytab file. That is why you see the
keytab principal as the authenticated user.

Try replacing the JAASRealm with the AuthenticatedUserRealm. Something like:

  <Realm className="org.apache.catalina.realm.JAASRealm"
         allRolesMode="authOnly"

Note: This Realm should *only* be used with Authenticators like
org.apache.catalina.authenticator.SpnegoAuthenticator that authenticate
the user since this Realm simply takes the information provided and
assumes it is valid.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message