https://issues.apache.org/bugzilla/show_bug.cgi?id=48685

--- Comment #31 from Mark Thomas <ma...@apache.org> 2011-03-30 07:01:50 EDT ---
(In reply to comment #30)
> I have attached some sample config files to make it run. This solution
> uses a keytab to validate tickets.

Thanks. It was the jaas.conf that I hadn't been able to figure out.

> I am aware of the Spring way, we use that Sec Extension also but I don't
> like that because of the following drawbacks:
> 
> 1. You have ugly inline code which has to be maintained.
> 2. You have to provide a module for every JVM implementation (Oracle, IBM,
> etc) which the user would have again to configure
> 3. You cannot use your custom Krb5 modules which could happen. You have
> to alter and recompile tomcat then => ugly
> 4. You lose the entire configuration flexibility of the modules unless you
> pass all config params of the modules through the authenticator => even
> more code.
> 
> I'd rather stick with the login modules because they are proven to work
> well and are documented thoroughly by Oracle.
> 
> I have tried to keep the implementation as simple as possible. Going the 
> above way would require way more code.

My primary aim was getting something to work. As a result of that experience, I
wanted to keep the configuration as simple as possible - i.e. use sensible
defaults and provide a mechanism for the user to override them. However, I
hadn't considered custom login modules or noticed the one currently used is an
Oracle internal one. I'm leaning towards restoring using the jaas.conf file as
it is the elegant solution to all of those problems and, as you point out, it
means less code.

My one concern is that it requires users to do slightly more to get SPNEGO to
work. I think that can be overcome by good documentation. On that note, what
Oracle documentation were you referring to? If there is a good explanation of
this stuff I'd like to include a reference to it in the Tomcat docs.
