Folks,
I'd like to propose to get rid of that config option in 10 and deprecate
in previous versions for the following reasons:
* It suffers from abstraction: It assumes that the GSS name is always
email style w/o checking its OID
* The realm part, if any, is an integral part of the principal. Much
like with an email address' domain. You wouldn't strip here too, would you?
* It is a surprise for clients having the principal mutilated by
default. I trip over this over and over again when I set up
UserDatabaseRealms for testing purposes and wonder why
michae...@example.com does not work.
* In a multi realm environment, it is perfectly fine and valid to have
user1@REALMA and user1@REALMB. These are distinct principals, but
treated by RealmBase equally, this has implications.
* Finally, when doing cert-based auth in an AD environment, it is
pretty common to extract the msUPN name from the cert's SAN which is
almost always an email address (enterprise principal) which would end up as
michael.osipov, but where is the rest?!
Thoughts?
Michael
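The following is an added illustration of the two failure modes the message lists (distinct principals from different realms collapsing onto one user entry, and an enterprise/UPN-style name losing its domain part). It is not code from the thread or from Tomcat: the `strip_realm` function is a constructed imitation of an unconditional "strip everything from the last '@'" option, and the name-type labels are stand-ins for the GSS name-type OIDs, not the real OID values.

```python
"""Constructed example: what unconditional realm stripping does to
GSS/Kerberos principal names, and the type check that avoids it."""

from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Stand-in labels for GSS name types (assumption: real code would compare
# the GSSName's string-name-type OID, not these strings).
KRB5_NT_PRINCIPAL = "krb5-principal"     # plain user@REALM
KRB5_NT_ENTERPRISE = "krb5-enterprise"   # UPN / email style name


def split_principal(name: str) -> Tuple[str, Optional[str]]:
    """Split at the LAST '@' into (local part, realm).

    Kerberos realms never contain '@', so the last '@' is the realm
    separator; an enterprise principal such as
    'michael.osipov@example.com@EXAMPLE.COM' keeps its '@' in the local
    part. A name without any '@' has no realm at all.
    """
    i = name.rfind("@")
    if i <= 0:
        return name, None
    return name[:i], name[i + 1:]


def strip_realm(name: str) -> str:
    """Constructed imitation of an unconditional strip-realm option: drop
    everything from the last '@' on, whatever kind of name this is."""
    return split_principal(name)[0]


def strip_realm_checked(name: str, name_type: str) -> str:
    """Strip only when the name really is a plain Kerberos principal.
    Enterprise/UPN names and names of unknown type are returned intact,
    because their '@' is part of the identifier, not a realm separator."""
    if name_type != KRB5_NT_PRINCIPAL:
        return name
    return strip_realm(name)


def stripped_collisions(principals: List[str]) -> Dict[str, List[str]]:
    """Report stripped names onto which two or more distinct principals
    would be mapped (the multi-realm problem): the realm's entry for
    'user1' would then authenticate user1@REALMA and user1@REALMB alike."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for p in principals:
        buckets[strip_realm(p)].append(p)
    return {k: v for k, v in buckets.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample principals from two realms plus a UPN from a cert SAN.
    sample = ["user1@REALMA", "user1@REALMB", "user2@REALMA"]
    print("collisions after stripping:", stripped_collisions(sample))
    upn = "michael.osipov@example.com"
    print("UPN stripped blindly:   ", strip_realm(upn))
    print("UPN with type check:    ", strip_realm_checked(upn, KRB5_NT_ENTERPRISE))
```

Run as a script it prints the collision map for the constructed sample and the mangled versus preserved UPN; as a defender you can point `stripped_collisions` at the principal list of a real user database to see whether realm stripping would merge identities that should stay distinct.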
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org