natalia-s-ivanova commented on PR #819: URL: https://github.com/apache/tomcat/pull/819#issuecomment-2665172175
> @natalia-s-ivanova I do now understand your problem and it is not related to the `SpnegoAuthenticator` at all. It is a design flaw in the realm system which assumes that the realm verifies credentials, but this does not apply to client certificates and any GSS based mechanism. The JNDIRealm will not help you here. You need a realm which is aware of that fact: https://github.com/michael-o/tomcatspnegoad/blob/e2d95c6708b7ae726acf882ba680534fa5ec8dcc/tomcat90/src/main/java/net/sf/michaelo/tomcat/realm/ActiveDirectoryRealmBase.java#L37-L45

Michael, thanks a lot for providing me with the source code of the required functionality, I will look into it in detail. You are definitely right that the SpnegoAuthenticator/JNDIRealm will not help in the use case I have provided as an example. Surely, to make this example work in the expected way it is necessary to use custom valve/realm implementations.

However, the discussion in this PR is not about making an example work. The example is there to illustrate that the SpnegoAuthenticator included in the Tomcat implementation leads to a contract violation of the HttpServletRequest.login(..) method if it is chosen as the authenticator. The spec clearly states that the HttpServletRequest.login(..) method should either "authenticate the provided user name and password" or throw ServletException "if the configured authenticator does not support user name and password authentication". That does not happen (in the provided case at least).

As for the logout method: I am not quite sure when it is really needed when using the pure SpnegoAuthenticator. Could you please provide a use case for using logout.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
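As an added illustration of the contract the comment cites (example code, not from the PR or from Tomcat): a helper that exercises HttpServletRequest.login(..) and classifies a normal return that leaves no principal established as a contract violation, so a deployment can log and fail closed instead of silently treating the caller as logged in. It assumes the Jakarta Servlet API package names; on Tomcat 9 the javax.servlet equivalents apply.

```java
import java.io.IOException;
import java.security.Principal;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/** Classifies the result of HttpServletRequest.login(..) against the Servlet spec contract. */
public final class LoginContractCheck {

    public enum Outcome {
        AUTHENTICATED,      // login returned normally and a principal is now present
        REJECTED,           // login threw ServletException: bad credentials or unsupported mechanism
        CONTRACT_VIOLATION  // login returned normally but getUserPrincipal() is still null
    }

    private LoginContractCheck() {}

    /**
     * The spec requires login(..) to either authenticate the caller or throw ServletException
     * (e.g. when the configured authenticator does not support user name / password). A normal
     * return with no principal established is therefore neither outcome and is flagged here.
     */
    public static Outcome check(HttpServletRequest request, String user, String password) {
        try {
            request.login(user, password);
        } catch (ServletException e) {
            // Both "bad credentials" and "mechanism not supported" are spec-compliant rejections.
            return Outcome.REJECTED;
        }
        Principal principal = request.getUserPrincipal();
        return principal == null ? Outcome.CONTRACT_VIOLATION : Outcome.AUTHENTICATED;
    }

    /** Hypothetical servlet handler (assumed, not from the PR) showing how to act on each outcome. */
    public static void handle(HttpServletRequest req, HttpServletResponse resp,
                              String user, String password) throws IOException {
        switch (check(req, user, password)) {
            case AUTHENTICATED:
                resp.setStatus(HttpServletResponse.SC_OK);
                break;
            case REJECTED:
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                break;
            case CONTRACT_VIOLATION:
                req.getServletContext().log("login() returned without establishing a principal; "
                        + "the configured authenticator may not honour the login(..) contract");
                resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                break;
        }
    }
}
```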