michael-o commented on PR #819: URL: https://github.com/apache/tomcat/pull/819#issuecomment-2668513322
> I think the current support for `logout()` can stay. I don't see a reason to change it. > > I think the issue with `login()` is slightly different. The `JNDIRealm` attempts to switch between SPNEGO/kerberos and username/password based on which `Realm.authenticate(...)` call is made. Generally it makes the right choice but the test case provided with this PR highlights a case where is doesn't. > > If the `JNDIRealm` is hard-coded to use GSSAPI via `authentication="GSSAPI"` then it always uses that even if the additional environment properties for user/password authentication are set. > > I see two ways to fix this. > > 1. If user/password auth is attempted when `authentication="GSSAPI"` is set then always fail the authentication. Note that this approach would prevent this use case. > > 2. If user/password auth is attempted when `authentication="GSSAPI"` then remove the environment properties that configured GSSAPI, perform user/password authentication and then restore the GSSAPI environment properties. We already do the inverse when performing SPNEGO authentication. > > > I'm going to look into the feasibility of option 2. It is not that easy and I do not agree with that. Here are cases which will not work: * SPNEGO is performed, but access through LDAP uses a service account to perform a single or SASL bind. Hence, no delegated credential is used. * User comes from one realm, but domain controller is in another realm. While Kerberos perfectly supports cross-realm authentication, neither a simple bind nor a non-GSSAPI SASL bind will work. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
