We have upgraded from Tomcat version 7.0.84 to 7.0.91. Users authenticate with our web app service using the Kerberos credential of the logged-in user. After the upgrade, login started to fail.

It was because of this change, due to which the modified method started returning null: https://github.com/apache/tomcat70/commit/7b7b5932b6618d13042732c77a4e19ea89b432e3#diff-6fec32edbbb606fe1d1888c99d74e665

The user principal was a KerberosPrincipal, and that class was not specified in userClassNames in the JAAS configuration of the web application for Tomcat. So, I added the 'KerberosPrincipal' class to the JAAS configuration:

  "org.apache.catalina.realm.GenericPrincipal,javax.security.auth.kerberos.KerberosPrincipal"

Now we are facing a new issue. The principal being returned by JAASRealm->createPrincipal() is a KerberosPrincipal and not a GenericUserPrincipal, which breaks our code. KerberosPrincipal does not have the delegated credential.

On debugging I found that, in the JAASRealm->authenticate() method, loginContext.getSubject() returns the server's subject and not the client's. So, later in the createPrincipal() call, the username is the client's username but the subject belongs to the server.

Is this an issue?

--
Regards,
Vipul
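The two symptoms in the message (createPrincipal() returning null before the userClassNames change, and a KerberosPrincipal rather than a GenericPrincipal after it) both come down to which Principal in the JAAS Subject matches the configured class-name list. The following is an added, simplified model of that selection written for this reply; it is not Tomcat's JAASRealm code, and the AppPrincipal class is a hypothetical stand-in for org.apache.catalina.realm.GenericPrincipal so the example compiles without the Catalina jar. It also shows the defensive check a web application should make before relying on the principal type it receives.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;

/**
 * Simplified model of how a JAAS-backed realm picks the "user" Principal out of a
 * Subject using a comma-separated userClassNames list. Added example, not Tomcat code.
 */
public class UserClassNamesDemo {

    /** Hypothetical stand-in for org.apache.catalina.realm.GenericPrincipal. */
    static final class AppPrincipal implements Principal {
        private final String name;
        AppPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "AppPrincipal[" + name + "]"; }
    }

    /**
     * Return the first Principal in the Subject whose fully qualified class name is
     * listed in userClassNames, or null if none matches (the "login fails" case).
     */
    static Principal selectUserPrincipal(Subject subject, String userClassNames) {
        Set<String> allowed = new LinkedHashSet<>(Arrays.asList(userClassNames.trim().split("\\s*,\\s*")));
        for (Principal p : subject.getPrincipals()) {
            if (allowed.contains(p.getClass().getName())) {
                return p;
            }
        }
        return null;
    }

    /**
     * Defensive accessor: the application should verify the principal type it needs
     * instead of casting blindly. Returns null when the principal is not an AppPrincipal,
     * so callers fail closed rather than throwing a ClassCastException deep in request handling.
     */
    static AppPrincipal requireAppPrincipal(Principal p) {
        if (p instanceof AppPrincipal) {
            return (AppPrincipal) p;
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample Subject: the only Principal present is the Kerberos one,
        // which is the situation described in the message.
        Subject subject = new Subject();
        subject.getPrincipals().add(new KerberosPrincipal("vipul@EXAMPLE.COM")); // constructed sample name

        String onlyApp = UserClassNamesDemo.AppPrincipal.class.getName();
        String appAndKerberos = onlyApp + "," + KerberosPrincipal.class.getName();

        // Case 1: KerberosPrincipal not listed -> nothing matches -> null (login failure).
        Principal before = selectUserPrincipal(subject, onlyApp);
        System.out.println("userClassNames without KerberosPrincipal -> " + before);

        // Case 2: KerberosPrincipal listed -> it is returned, but it is not an AppPrincipal.
        Principal after = selectUserPrincipal(subject, appAndKerberos);
        System.out.println("userClassNames with KerberosPrincipal    -> " + after);
        System.out.println("usable as AppPrincipal? " + (requireAppPrincipal(after) != null));

        // Case 3: if the Subject also carried an AppPrincipal, the first listed match wins,
        // so the order of principals in the Subject and the class list both matter.
        Subject both = new Subject();
        both.getPrincipals().add(new AppPrincipal("vipul"));
        both.getPrincipals().add(new KerberosPrincipal("vipul@EXAMPLE.COM"));
        System.out.println("Subject with both principals             -> " + selectUserPrincipal(both, appAndKerberos));
    }
}
```

Running this prints null for the first case, the KerberosPrincipal for the second (with "usable as AppPrincipal? false"), and the AppPrincipal for the third. The practical takeaway for the situation in the message is that adding a class to userClassNames only controls which principal is accepted; it does not convert it into a GenericPrincipal, so application code that needs the delegated credential should check the principal type it actually received and treat any other type as an authentication-configuration error rather than casting.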