https://issues.apache.org/bugzilla/show_bug.cgi?id=46323
--- Comment #5 from Christophe Dupriez <christophe.dupr...@poisoncentre.be> 2010-02-11 13:05:59 UTC ---

I cannot check the password because I would then need to make a "bind" from Tomcat. This bind would be originating from the server (and, if I remember well, would be seen as a login to the LDAP server!). As our Network Management completely forbids any user login to the servers, binds are then always failing.

I agree with you that the Tomcat distribution must not include potential security holes: thank you for pointing out the potential problem my solution brings (I did not realize it). For our situation (closed LAN), it is not a real problem, but for others it may be. For them, I think some way to fully validate the token without "bind", or to make a bind on behalf of the originating computer, is needed (you mention NTLMv2, which includes the hostname: maybe something to check here).

Meanwhile, my Network Management is asking more and more often if NTLM could be disabled in the whole LAN!!! I would be very happy to discuss this with other people looking to solve those issues in the long term. For now, our users are enjoying access to applications without ever having to log in. And when you have physical access to the premises, you can do worse than forge NTLM tokens. But this is not acceptable for worldwide distribution, I agree.

I would happily test solution ideas if there are any...