https://bz.apache.org/bugzilla/show_bug.cgi?id=64222

b...@wigeogis.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|INVALID                     |WORKSFORME

--- Comment #4 from b...@wigeogis.com ---
Sorry for reopening. I already described my problem at the SPNEGO help
forum as well: https://sourceforge.net/p/spnego/discussion/1003769/thread/aa1abb0551/

This is just a comment with the complete documentation of how to solve it, and
to help improve the documentation.

Looking for examples, I finally managed to configure SSO successfully using the
hints from
http://tomcat.10.x6.nabble.com/Help-with-SPNEGO-Pass-Through-td5073933.html
(Also
https://blogs.nologin.es/rickyepoderi/index.php?/archives/160-Configuring-kerberosspnego-login-in-tomcat.html
seems to be a good and current instruction.)

What I was missing in the fine documentation, the Windows authentication How-To
https://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html#Tomcat_instance_(Windows_server)

Here is my example of how to configure an AuthenticatedUserRealm (Tomcat > 9.0.9)
in a correct way:

1. Follow the instructions under Domain Controller and Tomcat instance (Windows
server) concerning the $CATALINA_BASE/conf/tomcat.keytab,
$CATALINA_BASE/conf/krb5.ini and $CATALINA_BASE/conf/jaas.conf

2. Add a file $CATALINA_BASE/conf/Catalina/localhost/ROOT.xml with this
content:

<?xml version="1.0" encoding="utf-8"?>
<Context unpackWAR="true" reloadable="false" swallowOutput="true">
  <!-- SSO configuration variant 1 (for a webapp using a SPNEGO login
       configuration that just protects all JSPs of the application; the other
       variant is to configure it in conf/server.xml): additionally add the
       following Valve and AuthenticatedUserRealm so that Tomcat returns the
       user with request.getRemoteUser() -->
  <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator" />
  <Realm className="org.apache.catalina.realm.AuthenticatedUserRealm"
         allRolesMode="authOnly"/>
</Context>

This is the example for "If only the authenticated user name is required then
the AuthenticatedUserRealm may be used that will simply return a Principal
based on the authenticated user name that does not have any roles." sentence of
the documentation. 

3. Configure $CATALINA_BASE/webapps/ROOT/WEB-INF/web.xml with this content:

<?xml version="1.0" encoding="ISO-8859-1"?>

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
   version="2.5">

    <description>
      WebApp with a Login Configuration to allow request.getRemoteUser() in a
      jsp
    </description>
    <display-name>WebApp with SSO (via Tomcat built-in SPNEGO)</display-name>

    <login-config>
        <auth-method>SPNEGO</auth-method>
        <realm-name>SPNEGO realm</realm-name>
    </login-config>
    <security-role>
        <description>all</description>
        <role-name>ALL</role-name>
    </security-role>
    <security-constraint>
        <display-name>Require user authentication only</display-name>
        <web-resource-collection>
            <web-resource-name>Everything</web-resource-name>
            <!-- note that only JSPs are secured, i.e. can use SSO (in contrast
                 to securing everything with /*), but that way other servlets
                 did not work -->
            <url-pattern>*.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>**</role-name>
        </auth-constraint>
    </security-constraint>

</web-app>

This is the example for the Web application part of
https://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html#Web_application

4. Configure the client
I like the instructions from
https://support.pingidentity.com/s/article/How-to-configure-supported-browsers-for-Kerberos-NTLM

5. Test the configuration using a $CATALINA_BASE/webapps/getremoteuser.jsp with
the following content (idea very similar to hello_spnego.jsp from
http://spnego.sourceforge.net/spnego_tomcat.html )

<%@ page import="java.io.PrintWriter" %>
<%@ page import="java.security.Principal" %>
<%
String userName = request.getRemoteUser();
Principal currentAuthenticatedUser = request.getUserPrincipal();
response.setContentType("text/plain; charset=UTF-8");
// response.getWriter() already returns a PrintWriter, no need to wrap it again
PrintWriter writer = response.getWriter();
writer.println("This is the username: ");
writer.println(userName);
writer.println("This is the principal: ");
if (currentAuthenticatedUser != null) {
    writer.println(currentAuthenticatedUser.getName());
} else {
    writer.println("no user currently authenticated");
}
%>

calling it using

http://localhost:8080/getremoteuser.jsp

returning

<username> (from request.getRemoteUser())
<username> (from request.getUserPrincipal().getName())


And maybe in the Apache documentation about the Windows authentication How-To,
which links the 3rd-party library SPNEGO, you could add a hint that the documented
configuration from the "install guide - tomcat"
http://spnego.sourceforge.net/spnego_tomcat.html does not work any longer with
Tomcat > 9.0.9

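The web.xml in the comment above protects only `*.jsp`, so every servlet and static resource in the same webapp is reachable without SPNEGO authentication, which is exactly the trade-off the inline comment ("other servlets did not work") glosses over. The following script is an added example, not code from the bug report, from Tomcat or from the SPNEGO project: it parses a web.xml with the Python standard library, collects the url-patterns that sit under an `<auth-constraint>`, and applies the Servlet-spec URL matching rules (exact match, `/prefix/*`, `*.ext`, and the catch-all `/`) to a set of constructed sample request paths, reporting which of them would never trigger the SPNEGO authenticator. The matching rules are my reading of the spec as Tomcat applies them, and the sample document and paths are constructed here; the script runs offline and touches no server.

```python
"""Audit which request paths a Tomcat web.xml leaves unauthenticated.

Added example (not from the bug report or from Tomcat): extracts the
url-patterns guarded by an <auth-constraint> and checks sample request paths
against the Servlet-spec matching rules so the coverage gap of "*.jsp" versus
"/*" becomes visible before deployment.
"""
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}

# Constructed sample: the security-relevant part of the web.xml from the report.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config><auth-method>SPNEGO</auth-method></login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>**</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

# Same document with the constraint widened to the whole context ("hardened" variant).
HARDENED_WEB_XML = SAMPLE_WEB_XML.replace("<url-pattern>*.jsp</url-pattern>",
                                          "<url-pattern>/*</url-pattern>")

# Constructed request paths (context-relative) a realistic webapp would serve.
SAMPLE_PATHS = ["/getremoteuser.jsp", "/index.jsp", "/api/whoami",
                "/static/app.js", "/reports/2020/summary.jsp"]


def protected_patterns(web_xml):
    """Return the url-patterns that require an authenticated user.

    Only constraints with an <auth-constraint> containing at least one
    <role-name> count: no auth-constraint means unrestricted access, and an
    empty auth-constraint denies everyone rather than prompting for login.
    """
    root = ET.fromstring(web_xml)
    patterns = []
    for sc in root.findall("j:security-constraint", NS):
        auth = sc.find("j:auth-constraint", NS)
        if auth is None or auth.find("j:role-name", NS) is None:
            continue
        for wrc in sc.findall("j:web-resource-collection", NS):
            for up in wrc.findall("j:url-pattern", NS):
                patterns.append(up.text.strip())
    return patterns


def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching as applied to security constraints.

    Rules: exact match; "/prefix/*" matches the prefix itself and anything
    below it, on segment boundaries; "*.ext" matches by extension of the last
    segment; a bare "/" is the universal mapping and matches every path.
    """
    if not path:
        path = "/"
    if path == pattern:
        return True
    if pattern.startswith("/") and pattern.endswith("/*"):
        prefix = pattern[:-2]
        if prefix == "":
            return True  # "/*" covers the whole context
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        last_segment = path.rsplit("/", 1)[-1]
        # the extension must follow a dot inside the final segment
        return "." in last_segment and last_segment.endswith(pattern[1:])
    return pattern == "/"


def unauthenticated_paths(web_xml, paths):
    """Return the sample paths no auth-constrained pattern matches."""
    patterns = protected_patterns(web_xml)
    return [p for p in paths
            if not any(pattern_matches(pat, p) for pat in patterns)]


if __name__ == "__main__":
    for label, doc in (("*.jsp only", SAMPLE_WEB_XML), ("/*", HARDENED_WEB_XML)):
        gaps = unauthenticated_paths(doc, SAMPLE_PATHS)
        print(f"{label}: {len(gaps)} sample path(s) reachable without SPNEGO: {gaps}")
```

Run against the report's constraint the script lists `/api/whoami` and `/static/app.js` as reachable without authentication, while the `/*` variant lists none; whether widening the constraint is acceptable depends on the servlets that, per the comment, stopped working under it, which this check does not diagnose.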