markt-asf commented on PR #819:
URL: https://github.com/apache/tomcat/pull/819#issuecomment-2668831744

   > It is not that easy and I do not agree with that. Here are cases which will not work:
   
   As the OP has indicated, they are already using a solution along these lines and it works for them.
   
   > * SPNEGO is performed, but access through LDAP uses a service account to perform a single or SASL bind. Hence, no delegated credential is used.
   
   This works already. If the delegated credential is presented, it will be used.
   
   > * User comes from one realm, but domain controller is in another realm. While Kerberos perfectly supports cross-realm authentication, neither a simple bind nor a non-GSSAPI SASL bind will work.
   
   Then it doesn't work. Things are no worse than they are now.
   
   > Yet another problem is that you degrade from a strong authentication method to a weaker one.
   
   That is the application developer's choice to do that. This happens already if `authentication="GSSAPI"` is not set. We can add a note to the docs to clarify how this is handled.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

