markt-asf commented on PR #819:
URL: https://github.com/apache/tomcat/pull/819#issuecomment-2668483655

   I think the current support for `logout()` can stay. I don't see a reason to 
change it.
   
   I think the issue with `login()` is slightly different. The `JNDIRealm` 
attempts to switch between SPNEGO/kerberos and username/password based on which 
`Realm.authenticate(...)` call is made. Generally it makes the right choice but 
the test case provided with this PR highlights a case where is doesn't.
   
   If the `JNDIRealm` is hard-coded to use GSSAPI via `authentication="GSSAPI"` 
then it always uses that even if the additional environment properties for 
user/password authentication are set.
   
   I see two ways to fix this.
   
   1. If user/password auth is attempted when `authentication="GSSAPI"` is set 
then always fail the authentication. Note that this approach would prevent this 
use case.
   
   2. If user/password auth is attempted when `authentication="GSSAPI"` then 
remove the environment properties that configured GSSAPI, perform user/password 
authentication and then restore the GSSAPI environment properties. We already 
do the inverse when performing SPNEGO authentication.
   
   I'm going to look into the feasibility of option 2.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to