On 2024/06/11 16:47:37 Mark Thomas wrote: > On 11/06/2024 12:45, Michael Osipov wrote: > > On 2024/06/11 10:48:29 Mark Thomas wrote: > >> On 11/06/2024 11:14, micha...@apache.org wrote: > >>> This is an automated email from the ASF dual-hosted git repository. > >>> > >>> michaelo pushed a commit to branch main > >>> in repository https://gitbox.apache.org/repos/asf/tomcat.git > >>> > >>> > >>> The following commit(s) were added to refs/heads/main by this push: > >>> new 956c4577ca Add RealmBase.getPrincipal(GSSName, GSSCredential, > >>> GSSContext) > >>> 956c4577ca is described below > >>> > >>> commit 956c4577caedca7d77c5eb996a83ebafdf80b889 > >>> Author: Michael Osipov <micha...@apache.org> > >>> AuthorDate: Tue Jun 11 11:11:29 2024 +0200 > >>> > >>> Add RealmBase.getPrincipal(GSSName, GSSCredential, GSSContext) > >>> > >>> A realm might want to access extended/additional information from an > >>> established GSS context to properly build an authenticated princpal. > >>> One prominent example is > >>> com.sun.security.jgss.ExtendedGSSContext.inquireSecContext(InquireType). > >> > >> Do we want to deprecate the old method? > > > > A very good question. If removed in 11 then a custom component forn 10 will > > not work in 11. Though, those are just two lines to satisfy ABI. From a > > consistency perspective I'd deprecate remove. The problem is that if we > > deprecate the other method that would imply that GSSContext could be null > > and that would not be acceptable for that method because no inquiry would > > be possible. > > > > We have two use cases: > > * RealmBase.authenticate(GSSContext, boolean): > > Truly expects to come from a SPNEGO authenticator and will provide the GSS > > context, then passed to new method. > > * RealmBase.authenticate(GSSName, GSSCredential): > > Does not need to come from a SPNEGO authenticator, e.g. local testing (use > > current user) or from X.509 authentication the both obtained with protocol > > transition (S4U2proxy), then passed to getPrincipal(GSSName, GSSCredential) > > > > I need to think about wether it'd be whise to remove. What should never > > happen is: > > protected Principal getPrincipal(GSSName gssName, GSSCredential > > gssCredential) { > > return getPrincipal(gssName, gssCredential, null); > > } > > protected Principal getPrincipal(GSSName gssName, GSSCredential > > gssCredential, GSSContext gssContext) { > > ...do magic > > } > > from my point of view. For the time being I'd keep it. > > > > Thoughts? > > If there are use cases for both, I'm happy to keep both.
Let's keep both for at least one release. I need some time to assess the possible impact of a removal. M --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
