natalia-s-ivanova commented on PR #819:
URL: https://github.com/apache/tomcat/pull/819#issuecomment-2665172175

   > @natalia-s-ivanova I do now understand your problem and it is not related to 
the `SpnegoAuthenticator` at all. It is a design flaw in the realm system which 
assumes that the realm verifies credentials, but this does not apply to client 
certificates and any GSS based mechanism. The JNDIRealm will not help you here. 
You need a realm which is aware of that fact: 
https://github.com/michael-o/tomcatspnegoad/blob/e2d95c6708b7ae726acf882ba680534fa5ec8dcc/tomcat90/src/main/java/net/sf/michaelo/tomcat/realm/ActiveDirectoryRealmBase.java#L37-L45
   
   Michael, thanks a lot for providing me with the source code of the required 
functionality, I will look into it in detail.
   You are definitely right that the SpnegoAuthenticator/JNDIRealm will not 
help in the use case I have provided as an example. Surely, to make this example 
work in the expected way, custom valve/realm implementations need to be 
used.
   
   However, the discussion in this PR is not about making an example work. 
The example is to illustrate that the SpnegoAuthenticator that is included in the 
Tomcat implementation leads to a contract violation of the 
HttpServletRequest.login(..) method if it is chosen as authenticator. The spec 
clearly states that the HttpServletRequest.login(..) method should either 
"authenticate the provided user name and password" or throw ServletException 
"if the configured authenticator does not support user name and password 
authentication".
   It does not happen (in the provided case at least).
   
   As for the logout method: I am not quite sure when it is really needed when 
using pure SpnegoAuthenticator. Could you please provide a use case for using 
logout?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

