natalia-s-ivanova commented on PR #819:
URL: https://github.com/apache/tomcat/pull/819#issuecomment-2665013625
> There are many ways to configure the JNDI realm and the SPNEGO
> authenticator. I am unable to recreate the issue you are reporting with the
> sub-set of configuration provided. Please provide the complete set of
> configuration steps to recreate the issue you are seeing from a clean Tomcat
> install.
Please, kindly see my setup:
1. In server.xml Realm is set in the following way:
```
<Realm className="org.apache.catalina.realm.JNDIRealm"
authentication="GSSAPI"
connectionURL="..."
userBase="..."
userSearch="(&(sAMAccountName={0})(objectClass=user))"
userRoleName="memberOf"
roleBase="..."
roleSearch="(&(member={0})(objectclass=group))"
roleName="cn"
/>
```
2. In server.xml Valve is set in the following way:
```
<Context path="/gssapi">
<Valve
className="org.apache.catalina.authenticator.SpnegoAuthenticator"
storeDelegatedCredential="true"
alwaysUseSession="true" cache="true"/>
</Context>
```
3. Create a Kerberos configuration file (krb5.ini in my case).
4. Create a jaas.conf login file like:
```
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=false
principal="..."
useKeyTab=true
debug=true
keyTab="..."
storeKey=true
useTicketCache=true
isInitiator=true
refreshKrb5Config=true
moduleBanner=true
storePass=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=false
principal="..."
useKeyTab=true
keyTab="..."
storeKey=true
useKeyTab=true
useTicketCache=true
isInitiator=true
refreshKrb5Config=true
moduleBanner=true
storePass=true
debug=true;
};
```
5. Set properties:
```
set CATALINA_OPTS=-Djava.security.krb5.conf=<KRB5_CONF_LOCATION>
-Djava.security.auth.login.config=<LOGIN_CONF_LOCATION>
-Djavax.security.auth.useSubjectCredsOnly=false
```
6. I have also attached the source code of a test app that demonstrates the
issue in the login functionality:
[GssapiTest.zip](https://github.com/user-attachments/files/18841562/GssapiTest.zip).
In my case there are 2 groups in LDAP: ADMIN_GR and VIEWER_GR. The client
accesses the application in a browser while logged in to the OS as a user that belongs
to ADMIN_GR (no VIEWER_GR role).
- He successfully gets to the http://<server>/gssapi/gssapi-admin page without
entering any login information, being authenticated by Kerberos.
- He can't reach the http://<server>/gssapi/gssapi-viewer page as the Kerberos
user and gets to the login page.
- Now he is able to reach http://<server>/gssapi/gssapi-viewer if an
appropriate user that belongs to VIEWER_GR is entered on the login page. The main
issue here is that ANY password for this user can be used; the password is NOT
verified.
Please, tell me if any other information is needed.
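A black-box regression probe for the symptom described above (a login fallback that accepts any password), added here as an example; it is not part of the PR comment, the attached test app or Tomcat. It assumes the app uses the standard FORM authenticator endpoint `j_security_check` with `j_username`/`j_password`, and that a successful login answers with a redirect to the originally requested protected page while a failed one does not; the host, paths and user name in the usage call are placeholders.

```python
"""Probe whether the form login fallback really verifies the password.

Added example (not from the PR or Tomcat). Assumes j_security_check with
j_username/j_password, and that success = 3xx redirect to the protected page.
"""
import http.cookiejar
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Optional


@dataclass
class LoginResult:
    status: int
    location: Optional[str]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the 3xx itself can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _open(opener, url: str, data: Optional[bytes] = None) -> LoginResult:
    try:
        with opener.open(url, data=data) as resp:
            return LoginResult(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as e:  # 3xx and 401 surface here once redirects are off
        return LoginResult(e.code, e.headers.get("Location"))


def classify(result: LoginResult, protected_path: str) -> str:
    """'accepted' if the POST redirected to the protected page, else 'rejected'."""
    if 300 <= result.status < 400 and result.location and protected_path in result.location:
        return "accepted"
    return "rejected"


def probe_form_login(base_url: str, protected_path: str, username: str, password: str) -> str:
    """GET the protected page (starts the login flow), then POST the credentials."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()), _NoRedirect())
    _open(opener, base_url + protected_path)
    form = urllib.parse.urlencode({"j_username": username, "j_password": password}).encode()
    return classify(_open(opener, base_url + "/j_security_check", form), protected_path)


if __name__ == "__main__":
    # On a correct setup a deliberately wrong password must come back 'rejected'.
    print(probe_form_login("http://localhost:8080/gssapi", "/gssapi-viewer",
                           "viewer_user", "definitely-wrong-password"))
```

If the probe reports `accepted` for a wrong password, the realm is not checking credentials, which is the behaviour reported in this comment.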