In the case of Kerberos authentication of a user with a Tomcat webapp via a browser, we are facing an issue with the following class in Tomcat version 7.0.96:
https://github.com/apache/tomcat/blob/7.0.x/java/org/apache/catalina/connector/Request.java

    public Principal getUserPrincipal() => return ((GenericPrincipal) userPrincipal).getUserPrincipal(); #LINE-2650

This returns a javax.security.auth.kerberos.KerberosPrincipal instance, using which it is not possible to get the actual delegated credential. Shouldn't it simply return the GenericPrincipal instance, which contains the KerberosPrincipal as well as the delegated GSSCredential?

We are using the following realm config in server.xml:

    <Realm allRolesMode="authOnly"
           appName="Tomcat"
           className="org.apache.catalina.realm.JAASRealm"
           roleClassNames="org.apache.catalina.realm.GenericPrincipal"
           stripRealmForGss="false"
           useContextClassLoader="false"
           userClassNames="org.apache.catalina.realm.GenericPrincipal, javax.security.auth.kerberos.KerberosPrincipal"/>

Thanks,
Vipul
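
Added example, not part of the original message and not Tomcat's own code: a servlet that reads the delegated GSSCredential from the org.apache.catalina.realm.GSS_CREDENTIAL request attribute instead of casting the result of getUserPrincipal(). The class name and the 60-second lifetime floor are hypothetical, and it assumes the SPNEGO authenticator stored the delegated credential on the GenericPrincipal held by the request.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;

// Hypothetical servlet for illustration only.
public class DelegatedCredentialServlet extends HttpServlet {
    // Request attribute under which Tomcat exposes the delegated credential.
    private static final String GSS_CREDENTIAL_ATTR =
            "org.apache.catalina.realm.GSS_CREDENTIAL";
    // Assumed policy: do not start onward calls with a nearly expired ticket.
    private static final int MIN_LIFETIME_SECONDS = 60;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Null when the client did not delegate or the principal carries no credential.
        Object attr = req.getAttribute(GSS_CREDENTIAL_ATTR);
        if (!(attr instanceof GSSCredential)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "No delegated credential on this request");
            return;
        }
        GSSCredential cred = (GSSCredential) attr;
        try {
            int remaining = cred.getRemainingLifetime(); // seconds
            if (remaining < MIN_LIFETIME_SECONDS) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "Delegated credential is about to expire");
                return;
            }
            // Use the credential only within this request; do not copy it into
            // the session or any cache that outlives the authenticated user.
            // Report only the name and lifetime, never ticket material.
            resp.setContentType("text/plain");
            resp.getWriter().println("Delegated credential for "
                    + cred.getName() + ", " + remaining + "s remaining");
        } catch (GSSException e) {
            log("Could not inspect delegated credential", e);
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }
}
```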