On 05/11/2018 12:24, Vipul Mehta wrote:
> We have upgraded from tomcat version 7.0.84 to 7.0.91.
> Users authenticate with our web app service using the Kerberos logged-in
> user credential. After the upgrade, login started to fail.
> 
> It was because of this change due to which the modified method started
> returning null:
> 
> https://github.com/apache/tomcat70/commit/7b7b5932b6618d13042732c77a4e19ea89b432e3#diff-6fec32edbbb606fe1d1888c99d74e665
> 
> 
> User principal was KerberosPrincipal and the class was not specified in
> userClassNames in JAAS config of web application for tomcat. So, I added
> 'KerberosPrincipal' class in JAAS configuration.
> 
> =>
> "org.apache.catalina.realm.GenericPrincipal,javax.security.auth.kerberos.KerberosPrincipal"
> 
> 
> Now we are facing new issue. The principal being returned by
> JAASRealm->createPrincipal() is KerberosPrincipal and not
> GenericUserPrincipal which breaks our code.
> 
> KerberosPrincipal does not have delegated credential.
> 
> 
> On debugging I found that, in the JAASRealm->authenticate() method,
> loginContext.getSubject() returns the server's subject and not the client's. So,
> later in the createPrincipal() call the username is the client's username but the
> subject belongs to the server. Is this an issue?

I've spun up the VMs I use for testing this and checked Tomcat 7.0.88
(the last version before the change above) and 7.0.x. The environment is
configured as per
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html and uses
the JNDI Realm.

Both work as expected with no configuration changes required.

It isn't clear from the original post how the JAAS Realm has been
configured. At present this looks like a configuration issue which means
the users list is the place to follow this up. You'll need to provide
enough information for the problem to be replicated.

Mark
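The behaviour described in the thread (createPrincipal() returning null until KerberosPrincipal is listed, and then returning the KerberosPrincipal itself) comes down to matching the class names of the principals in the JAAS Subject against the realm's userClassNames list. The following is an added, simplified illustration of that check; it is not Tomcat's code and it does not reproduce JAASRealm's internals. AppPrincipal is a hypothetical stand-in for a realm's own principal type (Tomcat's GenericPrincipal is not used so the example runs without Tomcat on the classpath), and the Subject with alice@EXAMPLE.COM is constructed sample data, not the result of a real Kerberos login.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.List;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;

/**
 * Simplified illustration (not Tomcat's code) of a userClassNames check:
 * only a principal whose fully qualified class name is listed is accepted
 * as the user principal. Any other principal in the Subject is ignored.
 */
public class UserClassNamesDemo {

    // Hypothetical stand-in for a realm's own principal type (not Tomcat's GenericPrincipal).
    static final class AppPrincipal implements Principal {
        private final String name;
        AppPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "AppPrincipal[" + name + "]"; }
    }

    /**
     * Returns the first principal in the Subject whose class name appears in
     * userClassNames, or null when none matches. A null here is what turns a
     * successful JAAS login into a failed realm authentication.
     */
    static Principal selectUserPrincipal(Subject subject, List<String> userClassNames) {
        for (Principal p : subject.getPrincipals()) {
            if (userClassNames.contains(p.getClass().getName())) {
                return p;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample Subject: the Kerberos login module added only a KerberosPrincipal.
        Subject afterKerberosLogin = new Subject();
        afterKerberosLogin.getPrincipals().add(new KerberosPrincipal("alice@EXAMPLE.COM"));

        // Configuration that lists only the realm's own principal class:
        // nothing in the Subject matches, so no user principal is selected.
        List<String> onlyAppClass = Arrays.asList(AppPrincipal.class.getName());
        Principal first = selectUserPrincipal(afterKerberosLogin, onlyAppClass);
        System.out.println("userClassNames=" + onlyAppClass + " -> " + first);

        // Configuration with KerberosPrincipal appended, as done in the thread:
        // the match is now the KerberosPrincipal itself, so that is what the
        // caller gets back rather than an AppPrincipal.
        List<String> withKerberos = Arrays.asList(
                AppPrincipal.class.getName(),
                KerberosPrincipal.class.getName());
        Principal second = selectUserPrincipal(afterKerberosLogin, withKerberos);
        System.out.println("userClassNames=" + withKerberos + " -> "
                + (second == null ? null : second.getClass().getName() + " " + second.getName()));
    }
}
```

The point the example makes is that userClassNames selects among the principals the login module actually put into the Subject; listing an extra class does not convert one principal type into another. If the application needs a principal of its own type, the JAAS login module (or a wrapper around it) has to add a principal of that class to the Subject.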



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org