https://issues.apache.org/bugzilla/show_bug.cgi?id=48685
--- Comment #40 from Michael Osipov <1983-01...@gmx.net> 2011-04-01 07:10:15 EDT --- Mark, there are some glitches which have to be addressed in my opinion: Constants.java: - DEFAULT_SPN_CLASS is never used, forgot to delete? - DEFAULT_KRB5_CONF value: .ini is Windows style, on Unix is krb5.conf only. I would stick to that convention. I.e., split in two props. - DEFAULT_LOGIN_MODULE_NAME value: this is Oracle-specific, I would rather use a vendor-agnostic name like 'tomcat-accept'. (Same rule as in tomcat.keytab) SpnegoAuthenticator.java: - 'storeDelegatedCredentials' rename to 'storeDelegatedCredential' since GSSContext uses singular and the realm does the same, applies to may JavaDocs too - It might be worth checking of '/etc/krb5.conf' or 'C:\Windows\krb5.ini' because those are default locations on those OSs and this is what the JVM does if you did not overwrite the property. See http://download.oracle.com/javase/1.4.2/docs/guide/security/jgss/tutorials/KerberosReq.html => Locating the krb5.conf Configuration File RealmBase.java: - 'stripAtForGss' rename to 'stripRealm'. I think this one reads better. - There is no option to sign in with Kerberos into a directory server. Only delegated credential works. This might be problematic if some user account is not trusted for cred deleg. I don't like to fall back to plain password. Did I miss that spot in the code? - Property 'javax.security.sasl.server.authentication' should be configurable. It applies at least to GSSAPI. - Property 'javax.security.sasl.qop' should be configurable. It applies at least to GSSAPI *and* DIGEST-MD5. See here for more ref: http://download.oracle.com/javase/jndi/tutorial/ldap/security/sasl.html I did not yet try the code, I just made a review. I will check docs separately. -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
