https://bz.apache.org/bugzilla/show_bug.cgi?id=63681
Bug ID: 63681
Summary: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends
Product: Tomcat 8
Version: 8.5.x-trunk
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P2
Component: Catalina
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ----
There are several situations where #authenticate(GSSContext, boolean) does not
cover all needs:
* You have a developer authenticator which obtains the GSSName of the currently
logged in principal, e.g.,
http://tomcatspnegoad.sourceforge.net/xref/net/sf/michaelo/tomcat/authenticator/CurrentWindowsIdentityAuthenticator.html#CurrentWindowsIdentityAuthenticator
* You perform protocol transition and have deduced the user's GSS name, e.g.,
MS-SFU
* You perform TLS cert auth and extract from SAN msUPN or the emailAddress
fields
* You completely lose the GSS name OID and cannot distinguish what type of name
that was, i.e., Kerberos principal, Kerberos enterprise principal, MS user
principal name, or an email address
* The authenticator has established and verified the security context for you
and is passing only the required information
* You perform authentication by a reverse proxy and pass that information with
request headers, e.g., https://github.com/modauthgssapi/mod_auth_gssapi
Along with this, we need to have #getPrincipal(GSSName) and
#getPrincipal(GSSName, GSSCredential). The former would simply call the latter
with a null second argument.
#getPrincipal(String, GSSCredential) would be deprecated because it loses
information.
#isStripRealmForGss() would be called as late as possible in
#getPrincipal(GSSName, GSSCredential), leaving #authenticate() alone.
I will work this out in a separate branch.
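The following is an added sketch, not code from the bug report or from Tomcat, of what a RealmBase subclass implementing the proposed GSSName-based entry points could look like. The class name GssNameRealm, the in-memory user table, and the decision to refuse names whose type OID is missing are this example's own assumptions; the name-type OIDs are the standard Kerberos principal, Kerberos enterprise, Microsoft UPN and pkcs-9 emailAddress identifiers. The point it demonstrates is the one the report makes: keeping the GSSName (and so its name type) until the lookup lets the realm apply isStripRealmForGss() only to realm-bearing Kerberos names and never to an e-mail address, whose '@' is part of the identifier.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Hypothetical realm sketching the GSSName-based methods proposed in the bug.
 * Method names follow the report; the bodies are this example's own.
 */
public class GssNameRealm extends RealmBase {

    // GSS name-type OIDs this realm is willing to map to a user account.
    private static final String KRB5_PRINCIPAL  = "1.2.840.113554.1.2.2.1"; // GSS_KRB5_NT_PRINCIPAL_NAME
    private static final String KRB5_ENTERPRISE = "1.2.840.113554.1.2.2.6"; // GSS_KRB5_NT_ENTERPRISE_NAME
    private static final String MS_UPN          = "1.3.6.1.4.1.311.20.2.3"; // Microsoft userPrincipalName
    private static final String EMAIL           = "1.2.840.113549.1.9.1";   // pkcs-9 emailAddress

    // Constructed user store for the example: "<name-type OID>|<name>" -> roles.
    private static final Map<String, List<String>> USERS = new HashMap<>();
    static {
        USERS.put(KRB5_PRINCIPAL + "|alice", Arrays.asList("admin", "user"));
        USERS.put(EMAIL + "|bob@example.org", Collections.singletonList("user"));
    }

    /** Proposed convenience overload for callers without a delegated credential. */
    public Principal authenticate(GSSName gssName) {
        return authenticate(gssName, null);
    }

    /**
     * Proposed entry point for an authenticator that has already established
     * and verified the security context (or derived the name from S4U or a
     * certificate SAN) and only hands over the resulting name.
     */
    public Principal authenticate(GSSName gssName, GSSCredential gssCredential) {
        if (gssName == null || gssName.isAnonymous()) {
            return null; // nothing verifiable to map to a user
        }
        return getPrincipal(gssName, gssCredential);
    }

    protected Principal getPrincipal(GSSName gssName) {
        return getPrincipal(gssName, null);
    }

    /** Realm stripping happens here, as late as possible, and only for Kerberos-style names. */
    protected Principal getPrincipal(GSSName gssName, GSSCredential gssCredential) {
        String nameType;
        try {
            Oid oid = gssName.getStringNameType();
            nameType = (oid == null) ? null : oid.toString();
        } catch (GSSException e) {
            return null; // reject rather than guess the name type
        }
        if (nameType == null) {
            return null; // type lost: principal and e-mail are indistinguishable, refuse
        }

        String name = gssName.toString();
        boolean kerberosStyle = KRB5_PRINCIPAL.equals(nameType) || KRB5_ENTERPRISE.equals(nameType);
        if (kerberosStyle && isStripRealmForGss()) {
            int at = name.lastIndexOf('@'); // enterprise names keep their inner '@'
            if (at > 0) {
                name = name.substring(0, at);
            }
        }

        List<String> roles = USERS.get(nameType + "|" + name);
        if (roles == null) {
            return null; // unknown user for this name type
        }
        // Storing gssCredential on the principal would use the GenericPrincipal
        // overload that accepts a GSSCredential; omitted in this sketch.
        return new GenericPrincipal(name, null, roles);
    }

    // RealmBase contract: no password store, and string-only lookups are unsupported
    // here because they have already lost the name type.
    @Override
    protected String getPassword(String username) {
        return null;
    }

    @Override
    protected Principal getPrincipal(String username) {
        return null;
    }

    protected String getName() { // abstract in RealmBase for 8.5, removed in 9.0
        return "GssNameRealm";
    }
}
```

With this shape, an authenticator that obtained a GSSName from a verified context, a protocol-transition step, or a certificate SAN can call authenticate(GSSName, GSSCredential) directly, and the realm still knows whether "bob@example.org" is an e-mail address (looked up verbatim) or a Kerberos principal (realm stripped when configured). MS UPN names are deliberately left unstripped in this sketch; whether the UPN suffix should be treated like a realm is a deployment decision the example does not make.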