Posted to dev@tomcat.apache.org by bu...@apache.org on 2019/08/21 20:17:22 UTC
[Bug 63681] New: Introduce RealmBase#authenticate(GSSName,
GSSCredential) and friends
https://bz.apache.org/bugzilla/show_bug.cgi?id=63681
Bug ID: 63681
Summary: Introduce RealmBase#authenticate(GSSName,
GSSCredential) and friends
Product: Tomcat 8
Version: 8.5.x-trunk
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: michaelo@apache.org
Target Milestone: ----
There are several situations where #authenticate(GSSContext, boolean) does not
cover all needs:
* You have a developer authenticator which obtains the GSSName of the currently
logged in principal, e.g.,
http://tomcatspnegoad.sourceforge.net/xref/net/sf/michaelo/tomcat/authenticator/CurrentWindowsIdentityAuthenticator.html#CurrentWindowsIdentityAuthenticator
* You perform protocol transition and have deduced the user's GSS name, e.g.,
MS-SFU
* You perform TLS cert auth and extract from SAN msUPN or the emailAddress
fields
* You completely lose the GSS name OID and cannot distinguish what type of name
that was, i.e., Kerberos principal, Kerberos enterprise principal, MS user
principal name, or an email address
* The authenticator has established and verified the security context for you
and passes the required information only
* You perform authentication by a reverse proxy and pass that information with
request headers, e.g., https://github.com/modauthgssapi/mod_auth_gssapi
Along with this, we require to have #getPrincipal(GSSName) and
#getPrincipal(GSSName, GSSCredential). The former would simply call the latter
with a second argument null value.
#getPrincipal(String, GSSCredential) would be deprecated because it loses
information.
#isStripRealmForGss() would be called as late as possible in
#getPrincipal(GSSName, GSSCredential), leaving #authenticate() alone.
I will work this out in a separate branch.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
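The following Java sketch is an added example, not code from the report or from Tomcat. It shows two GSSName values with identical text but different name-type OIDs, and a hypothetical getPrincipal(GSSName, GSSCredential) that still sees the type and strips the realm only at the end. The class name, the returned string format and the sample names are assumptions.

```java
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class GssNameTypeDemo {
    // Kerberos V5 principal name type (RFC 1964, GSS_KRB5_NT_PRINCIPAL_NAME).
    static final String KRB5_NT_PRINCIPAL = "1.2.840.113554.1.2.2.1";

    private final boolean stripRealmForGss;

    GssNameTypeDemo(boolean stripRealmForGss) {
        this.stripRealmForGss = stripRealmForGss;
    }

    // One-argument form delegates with a null credential, as the report proposes.
    String getPrincipal(GSSName name) throws GSSException {
        return getPrincipal(name, null);
    }

    // Hypothetical lookup: the name type is available for the decision, and
    // realm stripping happens last, only on the string used as the lookup key.
    String getPrincipal(GSSName name, GSSCredential credential) throws GSSException {
        Oid type = name.getStringNameType();
        String kind = type != null && KRB5_NT_PRINCIPAL.equals(type.toString()) ? "krb5-principal"
                : GSSName.NT_USER_NAME.equals(type) ? "user-name" : "other";
        String key = name.toString();
        int at = key.indexOf('@');
        if (stripRealmForGss && at > 0) {
            key = key.substring(0, at);
        }
        return kind + ":" + key + (credential != null ? " (with credential)" : "");
    }

    public static void main(String[] args) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        // Constructed sample names: identical text, different name types.
        GSSName krb = manager.createName("alice@EXAMPLE.COM", new Oid(KRB5_NT_PRINCIPAL));
        GSSName user = manager.createName("alice@EXAMPLE.COM", GSSName.NT_USER_NAME);

        // As strings the two are equal, which is all a String-based lookup sees.
        System.out.println("same text: " + krb.toString().equals(user.toString()));
        GssNameTypeDemo realm = new GssNameTypeDemo(true);
        System.out.println(realm.getPrincipal(krb));
        System.out.println(realm.getPrincipal(user));
    }
}
```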
[Bug 63681] Introduce RealmBase#authenticate(GSSName, GSSCredential)
and friends
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63681
Michael Osipov <mi...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |michaelo@apache.org
[Bug 63681] Introduce RealmBase#authenticate(GSSName, GSSCredential)
and friends
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63681
Michael Osipov <mi...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #1 from Michael Osipov <mi...@apache.org> ---
Fixed in:
- master for 9.0.30 onwards
- 8.5.x for 8.5.50 onwards
- 7.0.x for 7.0.99 onwards