Re: How to configure SPNEGO authentication with fallback to FORM auth?

2016-07-04 Thread Andrei Ivanov
Hi Ken,
Would you mind posting the patch? :-)

On Thu, Jun 30, 2016 at 3:52 PM, ken edward  wrote:
> I did get it to work. Simply merged existing spnego and form auth valves
> together, I will try to post later..
>
> On Fri, Jun 24, 2016 at 6:21 PM, Terence M. Bandoian 
> wrote:
>
>> On 6/24/2016 10:45 AM, ken edward wrote:
>>> On Fri, Jun 24, 2016 at 11:26 AM, Mark Thomas wrote:
>>>> On 24/06/2016 16:17, ken edward wrote:
>>>>> On Fri, Jun 24, 2016 at 10:46 AM, Mark Thomas wrote:
>>>>>> On 24 June 2016 14:22:32 BST, ken edward wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I have tomcat 8 on linux, configured with kerberos/SPNEGO
>>>>>>> authentication.
>>>>>>> All works well, but if the client cannot use kerberos to authenticate,
>>>>>>> it will not fallback to FORM authentication.
>>>>>>>
>>>>>>> I see some references that tomcat 8 does not do fallback negotiation
>>>>>>> for FORM auth. True?
>>>>>>
>>>>>> Yes
>>>>>>
>>>>>>> Any workarounds?
>>>>>>
>>>>>> Nothing simple. Both SPNEGO and FORM have their complications. You'll
>>>>>> need to code some form of custom solution.
>>>>>>
>>>>>> Have a look in the archives. This has come up before and I think there
>>>>>> is some sample code that might get you most of the way there.
>>>>>
>>>>> I had already searched the mail archives, and did not see any sample
>>>>> code.
>>>>> If anyone has any insight, please do post some code fragments.
>>>>
>>>> I was thinking of this:
>>>> http://wiki.apache.org/tomcat/SSLWithFORMFallback
>>>>
>>>> Not quite what you are looking for but it might help.
>>>
>>> I guess I need to extend the SPNEGO valve code in tomcat 8 to handle
>>> fallback to FORM auth, similar to SSLWIthFORMFallback. aaarg. Such a
>>> simple and essential use case. Perplexing that it is not implemented.
>>
>> If you get it working, you might consider submitting a patch.  Doing so
>> might save someone else from cursing under their breath.
>>
>> -Terence Bandoian
>> http://www.tmbsw.com/
>>
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>




Re: How to configure SPNEGO authentication with fallback to FORM auth?

2016-07-01 Thread Terence M. Bandoian

On 6/30/2016 7:52 AM, ken edward wrote:

> I did get it to work. Simply merged existing spnego and form auth valves
> together, I will try to post later..
>
> On Fri, Jun 24, 2016 at 6:21 PM, Terence M. Bandoian wrote:
>> On 6/24/2016 10:45 AM, ken edward wrote:
>>> On Fri, Jun 24, 2016 at 11:26 AM, Mark Thomas wrote:
>>>> On 24/06/2016 16:17, ken edward wrote:
>>>>> On Fri, Jun 24, 2016 at 10:46 AM, Mark Thomas wrote:
>>>>>> On 24 June 2016 14:22:32 BST, ken edward wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I have tomcat 8 on linux, configured with kerberos/SPNEGO
>>>>>>> authentication.
>>>>>>> All works well, but if the client cannot use kerberos to authenticate,
>>>>>>> it will not fallback to FORM authentication.
>>>>>>>
>>>>>>> I see some references that tomcat 8 does not do fallback negotiation
>>>>>>> for FORM auth. True?
>>>>>>
>>>>>> Yes
>>>>>>
>>>>>>> Any workarounds?
>>>>>>
>>>>>> Nothing simple. Both SPNEGO and FORM have their complications. You'll
>>>>>> need to code some form of custom solution.
>>>>>>
>>>>>> Have a look in the archives. This has come up before and I think there
>>>>>> is some sample code that might get you most of the way there.
>>>>>
>>>>> I had already searched the mail archives, and did not see any sample
>>>>> code.
>>>>> If anyone has any insight, please do post some code fragments.
>>>>
>>>> I was thinking of this:
>>>> http://wiki.apache.org/tomcat/SSLWithFORMFallback
>>>>
>>>> Not quite what you are looking for but it might help.
>>>
>>> I guess I need to extend the SPNEGO valve code in tomcat 8 to handle
>>> fallback to FORM auth, similar to SSLWIthFORMFallback. aaarg. Such a
>>> simple and essential use case. Perplexing that it is not implemented.
>>
>> If you get it working, you might consider submitting a patch.  Doing so
>> might save someone else from cursing under their breath.
>>
>> -Terence Bandoian
>> http://www.tmbsw.com/

Sounds great!

-Terence





Re: How to configure SPNEGO authentication with fallback to FORM auth?

2016-06-30 Thread ken edward
I did get it to work. Simply merged existing spnego and form auth valves
together, I will try to post later..

On Fri, Jun 24, 2016 at 6:21 PM, Terence M. Bandoian 
wrote:

> On 6/24/2016 10:45 AM, ken edward wrote:
>> On Fri, Jun 24, 2016 at 11:26 AM, Mark Thomas wrote:
>>> On 24/06/2016 16:17, ken edward wrote:
>>>> On Fri, Jun 24, 2016 at 10:46 AM, Mark Thomas wrote:
>>>>> On 24 June 2016 14:22:32 BST, ken edward wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I have tomcat 8 on linux, configured with kerberos/SPNEGO
>>>>>> authentication.
>>>>>> All works well, but if the client cannot use kerberos to authenticate,
>>>>>> it will not fallback to FORM authentication.
>>>>>>
>>>>>> I see some references that tomcat 8 does not do fallback negotiation
>>>>>> for FORM auth. True?
>>>>>
>>>>> Yes
>>>>>
>>>>>> Any workarounds?
>>>>>
>>>>> Nothing simple. Both SPNEGO and FORM have their complications. You'll
>>>>> need to code some form of custom solution.
>>>>>
>>>>> Have a look in the archives. This has come up before and I think there
>>>>> is some sample code that might get you most of the way there.
>>>>
>>>> I had already searched the mail archives, and did not see any sample
>>>> code.
>>>> If anyone has any insight, please do post some code fragments.
>>>
>>> I was thinking of this:
>>> http://wiki.apache.org/tomcat/SSLWithFORMFallback
>>>
>>> Not quite what you are looking for but it might help.
>>
>> I guess I need to extend the SPNEGO valve code in tomcat 8 to handle
>> fallback to FORM auth, similar to SSLWIthFORMFallback. aaarg. Such a
>> simple and essential use case. Perplexing that it is not implemented.
>
> If you get it working, you might consider submitting a patch.  Doing so
> might save someone else from cursing under their breath.
>
> -Terence Bandoian
> http://www.tmbsw.com/
>
>
>


Re: How to configure SPNEGO authentication with fallback to FORM auth?

2016-06-27 Thread Andrei Ivanov
Hi André,
In my case, our form has a connection to the AD and a backup, where it
performs the authentication.


I would also be interested to get this sort of setup working to get
seamless authentication with a fallback to form.

On Sun, Jun 26, 2016 at 1:05 PM, André Warnier (tomcat)  wrote:
> On 24.06.2016 17:45, ken edward wrote:
>> On Fri, Jun 24, 2016 at 11:26 AM, Mark Thomas wrote:
>>> On 24/06/2016 16:17, ken edward wrote:
>>>> On Fri, Jun 24, 2016 at 10:46 AM, Mark Thomas wrote:
>>>>> On 24 June 2016 14:22:32 BST, ken edward wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I have tomcat 8 on linux, configured with kerberos/SPNEGO
>>>>>> authentication.
>>>>>> All works well, but if the client cannot use kerberos to authenticate,
>>>>>> it will not fallback to FORM authentication.
>>>>>>
>>>>>> I see some references that tomcat 8 does not do fallback negotiation
>>>>>> for FORM auth. True?
>>>>>
>>>>> Yes
>>>>>
>>>>>> Any workarounds?
>>>>>
>>>>> Nothing simple. Both SPNEGO and FORM have their complications. You'll
>>>>> need to code some form of custom solution.
>>>>>
>>>>> Have a look in the archives. This has come up before and I think there
>>>>> is some sample code that might get you most of the way there.
>>>>
>>>> I had already searched the mail archives, and did not see any sample
>>>> code.
>>>> If anyone has any insight, please do post some code fragments.
>>>
>>> I was thinking of this:
>>> http://wiki.apache.org/tomcat/SSLWithFORMFallback
>>>
>>> Not quite what you are looking for but it might help.
>>
>> I guess I need to extend the SPNEGO valve code in tomcat 8 to handle
>> fallback to FORM auth, similar to SSLWIthFORMFallback. aaarg. Such a
>> simple and essential use case. Perplexing that it is not implemented.
>
> To me, the question here is more : if SPNEGO fails, and you fall back to
> form-based authentication, what are you going to authenticate *against*,
> once the user fills the form ?
>
>
>
>



Re: How to configure SPNEGO authentication with fallback to FORM auth?

2016-06-26 Thread tomcat

On 24.06.2016 17:45, ken edward wrote:

> On Fri, Jun 24, 2016 at 11:26 AM, Mark Thomas wrote:
>> On 24/06/2016 16:17, ken edward wrote:
>>> On Fri, Jun 24, 2016 at 10:46 AM, Mark Thomas wrote:
>>>> On 24 June 2016 14:22:32 BST, ken edward wrote:
>>>>> Hello,
>>>>>
>>>>> I have tomcat 8 on linux, configured with kerberos/SPNEGO
>>>>> authentication.
>>>>> All works well, but if the client cannot use kerberos to authenticate,
>>>>> it will not fallback to FORM authentication.
>>>>>
>>>>> I see some references that tomcat 8 does not do fallback negotiation
>>>>> for FORM auth. True?
>>>>
>>>> Yes
>>>>
>>>>> Any workarounds?
>>>>
>>>> Nothing simple. Both SPNEGO and FORM have their complications. You'll
>>>> need to code some form of custom solution.
>>>>
>>>> Have a look in the archives. This has come up before and I think there
>>>> is some sample code that might get you most of the way there.
>>>
>>> I had already searched the mail archives, and did not see any sample
>>> code.
>>> If anyone has any insight, please do post some code fragments.
>>
>> I was thinking of this:
>> http://wiki.apache.org/tomcat/SSLWithFORMFallback
>>
>> Not quite what you are looking for but it might help.
>
> I guess I need to extend the SPNEGO valve code in tomcat 8 to handle
> fallback to FORM auth, similar to SSLWIthFORMFallback. aaarg. Such a simple
> and essential use case. Perplexing that it is not implemented.



To me, the question here is more : if SPNEGO fails, and you fall back to form-based 
authentication, what are you going to authenticate *against*, once the user fills the form ?







Re: How to configure SPNEGO authentication with fallback to FORM auth?

2016-06-24 Thread Terence M. Bandoian

On 6/24/2016 10:45 AM, ken edward wrote:

> On Fri, Jun 24, 2016 at 11:26 AM, Mark Thomas wrote:
>> On 24/06/2016 16:17, ken edward wrote:
>>> On Fri, Jun 24, 2016 at 10:46 AM, Mark Thomas wrote:
>>>> On 24 June 2016 14:22:32 BST, ken edward wrote:
>>>>> Hello,
>>>>>
>>>>> I have tomcat 8 on linux, configured with kerberos/SPNEGO
>>>>> authentication.
>>>>> All works well, but if the client cannot use kerberos to authenticate,
>>>>> it will not fallback to FORM authentication.
>>>>>
>>>>> I see some references that tomcat 8 does not do fallback negotiation
>>>>> for FORM auth. True?
>>>>
>>>> Yes
>>>>
>>>>> Any workarounds?
>>>>
>>>> Nothing simple. Both SPNEGO and FORM have their complications. You'll
>>>> need to code some form of custom solution.
>>>>
>>>> Have a look in the archives. This has come up before and I think there
>>>> is some sample code that might get you most of the way there.
>>>
>>> I had already searched the mail archives, and did not see any sample
>>> code.
>>> If anyone has any insight, please do post some code fragments.
>>
>> I was thinking of this:
>> http://wiki.apache.org/tomcat/SSLWithFORMFallback
>>
>> Not quite what you are looking for but it might help.
>
> I guess I need to extend the SPNEGO valve code in tomcat 8 to handle
> fallback to FORM auth, similar to SSLWIthFORMFallback. aaarg. Such a simple
> and essential use case. Perplexing that it is not implemented.




If you get it working, you might consider submitting a patch.  Doing so 
might save someone else from cursing under their breath.


-Terence Bandoian
http://www.tmbsw.com/





Re: How to configure SPNEGO authentication with fallback to FORM auth?

2016-06-24 Thread ken edward
On Fri, Jun 24, 2016 at 11:26 AM, Mark Thomas  wrote:

> On 24/06/2016 16:17, ken edward wrote:
> > On Fri, Jun 24, 2016 at 10:46 AM, Mark Thomas  wrote:
> >
> >> On 24 June 2016 14:22:32 BST, ken edward  wrote:
> >>> Hello,
> >>>
> >>> I have tomcat 8 on linux, configured with kerberos/SPNEGO
> >>> authentication.
> >>> All works well, but if the client cannot use kerberos to authenticate,
> >>> it
> >>> will not fallback to FORM authentication.
> >>>
> >>> I see some references that tomcat 8 does not do fallback negotiation
> >>> for
> >>> FORM auth. True?
> >>
> >> Yes
> >>
> >>> Any workarounds?
> >>
> >> Nothing simple. Both SPNEGO and FORM have their complications. You'll
> >> need to code some form of custom solution.
> >>
> >> Have a look in the archives. This has come up before and I think there
> >> is some sample code that might get you most of the way there.
> >>
> >>
> >>
> > I had already searched the mail archives, and did not see any sample
> > code.
> > If anyone has any insight, please do post some code fragments.
>
> I was thinking of this:
> http://wiki.apache.org/tomcat/SSLWithFORMFallback
>
> Not quite what you are looking for but it might help.
>
>
I guess I need to extend the SPNEGO valve code in tomcat 8 to handle
fallback to FORM auth, similar to SSLWIthFORMFallback. aaarg. Such a simple
and essential use case. Perplexing that it is not implemented.


Re: How to configure SPNEGO authentication with fallback to FORM auth?

2016-06-24 Thread Mark Thomas
On 24/06/2016 16:17, ken edward wrote:
> On Fri, Jun 24, 2016 at 10:46 AM, Mark Thomas  wrote:
> 
>> On 24 June 2016 14:22:32 BST, ken edward  wrote:
>>> Hello,
>>>
>>> I have tomcat 8 on linux, configured with kerberos/SPNEGO
>>> authentication.
>>> All works well, but if the client cannot use kerberos to authenticate,
>>> it
>>> will not fallback to FORM authentication.
>>>
>>> I see some references that tomcat 8 does not do fallback negotiation
>>> for
>>> FORM auth. True?
>>
>> Yes
>>
>>> Any workarounds?
>>
>> Nothing simple. Both SPNEGO and FORM have their complications. You'll need
>> to code some form of custom solution.
>>
>> Have a look in the archives. This has come up before and I think there is
>> some sample code that might get you most of the way there.
>>
>>
>>
> I had already searched the mail archives, and did not see any sample code.
> If anyone has any insight, please do post some code fragments.

I was thinking of this:
http://wiki.apache.org/tomcat/SSLWithFORMFallback

Not quite what you are looking for but it might help.

Mark




Re: How to configure SPNEGO authentication with fallback to FORM auth?

2016-06-24 Thread ken edward
On Fri, Jun 24, 2016 at 10:46 AM, Mark Thomas  wrote:

> On 24 June 2016 14:22:32 BST, ken edward  wrote:
> >Hello,
> >
> >I have tomcat 8 on linux, configured with kerberos/SPNEGO
> >authentication.
> >All works well, but if the client cannot use kerberos to authenticate,
> >it
> >will not fallback to FORM authentication.
> >
> >I see some references that tomcat 8 does not do fallback negotiation
> >for
> >FORM auth. True?
>
> Yes
>
> > Any workarounds?
>
> Nothing simple. Both SPNEGO and FORM have their complications. You'll need
> to code some form of custom solution.
>
> Have a look in the archives. This has come up before and I think there is
> some sample code that might get you most of the way there.
>
>
>
I had already searched the mail archives, and did not see any sample code.
If anyone has any insight, please do post some code fragments.

Ed


Re: How to configure SPNEGO authentication with fallback to FORM auth?

2016-06-24 Thread Mark Thomas
On 24 June 2016 14:22:32 BST, ken edward  wrote:
>Hello,
>
>I have tomcat 8 on linux, configured with kerberos/SPNEGO
>authentication.
>All works well, but if the client cannot use kerberos to authenticate,
>it
>will not fallback to FORM authentication.
>
>I see some references that tomcat 8 does not do fallback negotiation
>for
>FORM auth. True?

Yes

> Any workarounds?

Nothing simple. Both SPNEGO and FORM have their complications. You'll need to 
code some form of custom solution.

Have a look in the archives. This has come up before and I think there is some 
sample code that might get you most of the way there.

Mark





How to configure SPNEGO authentication with fallback to FORM auth?

2016-06-24 Thread ken edward
Hello,

I have Tomcat 8 on Linux, configured with Kerberos/SPNEGO authentication.
All works well, but if the client cannot use Kerberos to authenticate, it
will not fall back to FORM authentication.

I see some references that Tomcat 8 does not do fallback negotiation for
FORM auth. True? Any workarounds? I saw Waffle 1.8, but that only works on
Windows (I am on Linux). Setting Auth-method to SPNEGO, FORM doesn't work.

Thanks,
Ed
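
The fallback decision this thread asks for, as an added example: it is not Ken's patch, not Tomcat code, and not taken from the SSLWithFORMFallback wiki page. The class, the enum and the `alreadyChallenged` flag are hypothetical names, and Java 8 is assumed for `java.util.Base64`.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

// Added illustration: all names here are hypothetical, none is Tomcat API.
public class NegotiateFallback {
    enum Action { SEND_NEGOTIATE_CHALLENGE, ACCEPT_SPNEGO_TOKEN, SHOW_LOGIN_FORM }

    private static final byte[] NTLMSSP = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    // authorization: Authorization header value, or null when absent.
    // alreadyChallenged: assumed flag, true once this client got a 401 Negotiate challenge.
    static Action decide(String authorization, boolean alreadyChallenged) {
        if (authorization == null) {
            // Challenge once; a client that stays silent afterwards cannot negotiate.
            return alreadyChallenged ? Action.SHOW_LOGIN_FORM : Action.SEND_NEGOTIATE_CHALLENGE;
        }
        String[] parts = authorization.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Negotiate")) {
            return Action.SHOW_LOGIN_FORM; // another scheme, e.g. Basic
        }
        byte[] token;
        try {
            token = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return Action.SHOW_LOGIN_FORM; // not valid base64
        }
        if (token.length >= NTLMSSP.length
                && Arrays.equals(Arrays.copyOf(token, NTLMSSP.length), NTLMSSP)) {
            return Action.SHOW_LOGIN_FORM; // raw NTLM inside Negotiate: no Kerberos ticket
        }
        // A GSS-API initial context token (RFC 2743) starts with ASN.1 tag 0x60.
        if (token.length > 0 && (token[0] & 0xFF) == 0x60) {
            return Action.ACCEPT_SPNEGO_TOKEN; // hand to the Kerberos/GSS acceptor
        }
        return Action.SHOW_LOGIN_FORM;
    }

    public static void main(String[] args) {
        // Constructed sample headers, not captured traffic; only the leading bytes matter.
        String ntlm = "Negotiate " + Base64.getEncoder().encodeToString(NTLMSSP);
        String gss = "Negotiate " + Base64.getEncoder().encodeToString(new byte[] {0x60, 0x03, 0x06});
        System.out.println(decide(null, false));
        System.out.println(decide(gss, true));
        System.out.println(decide(ntlm, true));
        System.out.println(decide(null, true));
    }
}
```

If the acceptor then rejects the token, the same login-form path applies. The form still needs a credential store to check against, which is the question raised earlier in the thread.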