Re: How to configure SPNEGO authentication with fallback to FORM auth?
Hi Ken, Would you mind posting the patch? :-) On Thu, Jun 30, 2016 at 3:52 PM, ken edwardwrote: > I did get it to work. Simply merged existing spnego and form auth valves > together, I will try to post later.. > > On Fri, Jun 24, 2016 at 6:21 PM, Terence M. Bandoian > wrote: > >> On 6/24/2016 10:45 AM, ken edward wrote: >> >>> On Fri, Jun 24, 2016 at 11:26 AM, Mark Thomas wrote: >>> >>> On 24/06/2016 16:17, ken edward wrote: > On Fri, Jun 24, 2016 at 10:46 AM, Mark Thomas wrote: > > On 24 June 2016 14:22:32 BST, ken edward wrote: >> >>> Hello, >>> >>> I have tomcat 8 on linux, configured with kerberos/SPNEGO >>> authentication. >>> All works well, but if the client cannot use kerberos to authenticate, >>> it >>> will not fallback to FORM authentication. >>> >>> I see some references that tomcat 8 does not do fallback negotiation >>> for >>> FORM auth. True? >>> >> Yes >> >> Any workarounds? >>> >> Nothing simple. Both SPNEGO and FORM have their complications. You'll >> > need > to code some form of custom solution. >> >> Have a look in the archives. This has come up before and I think there >> > is > some sample code that might get you most of the way there. >> >> >> >> I had already searched the mail archives, and did not see any sample > code. > If anyone has any insight, please do post some code fragments. > I was thinking of this: http://wiki.apache.org/tomcat/SSLWithFORMFallback Not quite what you are looking for but it might help. I guess I need to extend the SPNEGO valve code in tomcat 8 to handle >>> fallback to FORM auth, similar to SSLWIthFORMFallback. aaarg. Such a >>> simple >>> and essential use case. Perplexing that it is not implemented. >>> >>> >> >> If you get it working, you might consider submitting a patch. Doing so >> might save someone else from cursing under their breath. >> >> -Terence Bandoian >> http://www.tmbsw.com/ >> >> >> >> - >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to configure SPNEGO authentication with fallback to FORM auth?
On 6/30/2016 7:52 AM, ken edward wrote: I did get it to work. Simply merged existing spnego and form auth valves together, I will try to post later.. On Fri, Jun 24, 2016 at 6:21 PM, Terence M. Bandoianwrote: On 6/24/2016 10:45 AM, ken edward wrote: On Fri, Jun 24, 2016 at 11:26 AM, Mark Thomas wrote: On 24/06/2016 16:17, ken edward wrote: On Fri, Jun 24, 2016 at 10:46 AM, Mark Thomas wrote: On 24 June 2016 14:22:32 BST, ken edward wrote: Hello, I have tomcat 8 on linux, configured with kerberos/SPNEGO authentication. All works well, but if the client cannot use kerberos to authenticate, it will not fallback to FORM authentication. I see some references that tomcat 8 does not do fallback negotiation for FORM auth. True? Yes Any workarounds? Nothing simple. Both SPNEGO and FORM have their complications. You'll need to code some form of custom solution. Have a look in the archives. This has come up before and I think there is some sample code that might get you most of the way there. I had already searched the mail archives, and did not see any sample code. If anyone has any insight, please do post some code fragments. I was thinking of this: http://wiki.apache.org/tomcat/SSLWithFORMFallback Not quite what you are looking for but it might help. I guess I need to extend the SPNEGO valve code in tomcat 8 to handle fallback to FORM auth, similar to SSLWIthFORMFallback. aaarg. Such a simple and essential use case. Perplexing that it is not implemented. If you get it working, you might consider submitting a patch. Doing so might save someone else from cursing under their breath. -Terence Bandoian http://www.tmbsw.com/ Sounds great! -Terence - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to configure SPNEGO authentication with fallback to FORM auth?
I did get it to work. Simply merged existing spnego and form auth valves together, I will try to post later.. On Fri, Jun 24, 2016 at 6:21 PM, Terence M. Bandoianwrote: > On 6/24/2016 10:45 AM, ken edward wrote: > >> On Fri, Jun 24, 2016 at 11:26 AM, Mark Thomas wrote: >> >> On 24/06/2016 16:17, ken edward wrote: >>> On Fri, Jun 24, 2016 at 10:46 AM, Mark Thomas wrote: On 24 June 2016 14:22:32 BST, ken edward wrote: > >> Hello, >> >> I have tomcat 8 on linux, configured with kerberos/SPNEGO >> authentication. >> All works well, but if the client cannot use kerberos to authenticate, >> it >> will not fallback to FORM authentication. >> >> I see some references that tomcat 8 does not do fallback negotiation >> for >> FORM auth. True? >> > Yes > > Any workarounds? >> > Nothing simple. Both SPNEGO and FORM have their complications. You'll > need >>> to code some form of custom solution. > > Have a look in the archives. This has come up before and I think there > is >>> some sample code that might get you most of the way there. > > > > I had already searched the mail archives, and did not see any sample >>> code. >>> If anyone has any insight, please do post some code fragments. >>> I was thinking of this: >>> http://wiki.apache.org/tomcat/SSLWithFORMFallback >>> >>> Not quite what you are looking for but it might help. >>> >>> >>> I guess I need to extend the SPNEGO valve code in tomcat 8 to handle >> fallback to FORM auth, similar to SSLWIthFORMFallback. aaarg. Such a >> simple >> and essential use case. Perplexing that it is not implemented. >> >> > > If you get it working, you might consider submitting a patch. Doing so > might save someone else from cursing under their breath. > > -Terence Bandoian > http://www.tmbsw.com/ > > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
Re: How to configure SPNEGO authentication with fallback to FORM auth?
Hi André, In my case, our form has a connection to the AD and a backup, where it performs the authentication. I would also be interested to get this sort of setup working to get seamless authentication with a fallback to form. On Sun, Jun 26, 2016 at 1:05 PM, André Warnier (tomcat)wrote: > On 24.06.2016 17:45, ken edward wrote: >> >> On Fri, Jun 24, 2016 at 11:26 AM, Mark Thomas wrote: >> >>> On 24/06/2016 16:17, ken edward wrote: On Fri, Jun 24, 2016 at 10:46 AM, Mark Thomas wrote: > On 24 June 2016 14:22:32 BST, ken edward wrote: >> >> Hello, >> >> I have tomcat 8 on linux, configured with kerberos/SPNEGO >> authentication. >> All works well, but if the client cannot use kerberos to authenticate, >> it >> will not fallback to FORM authentication. >> >> I see some references that tomcat 8 does not do fallback negotiation >> for >> FORM auth. True? > > > Yes > >> Any workarounds? > > > Nothing simple. Both SPNEGO and FORM have their complications. You'll >>> >>> need > > to code some form of custom solution. > > Have a look in the archives. This has come up before and I think there >>> >>> is > > some sample code that might get you most of the way there. > > > I had already searched the mail archives, and did not see any sample >>> >>> code. If anyone has any insight, please do post some code fragments. >>> >>> >>> I was thinking of this: >>> http://wiki.apache.org/tomcat/SSLWithFORMFallback >>> >>> Not quite what you are looking for but it might help. >>> >>> >> I guess I need to extend the SPNEGO valve code in tomcat 8 to handle >> fallback to FORM auth, similar to SSLWIthFORMFallback. aaarg. Such a >> simple >> and essential use case. Perplexing that it is not implemented. >> > > To me, the question here is more : if SPNEGO fails, and you fall back to > form-based authentication, what are you going to authenticate *against*, > once the user fills the form ? > > > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to configure SPNEGO authentication with fallback to FORM auth?
On 24.06.2016 17:45, ken edward wrote: On Fri, Jun 24, 2016 at 11:26 AM, Mark Thomaswrote: On 24/06/2016 16:17, ken edward wrote: On Fri, Jun 24, 2016 at 10:46 AM, Mark Thomas wrote: On 24 June 2016 14:22:32 BST, ken edward wrote: Hello, I have tomcat 8 on linux, configured with kerberos/SPNEGO authentication. All works well, but if the client cannot use kerberos to authenticate, it will not fallback to FORM authentication. I see some references that tomcat 8 does not do fallback negotiation for FORM auth. True? Yes Any workarounds? Nothing simple. Both SPNEGO and FORM have their complications. You'll need to code some form of custom solution. Have a look in the archives. This has come up before and I think there is some sample code that might get you most of the way there. I had already searched the mail archives, and did not see any sample code. If anyone has any insight, please do post some code fragments. I was thinking of this: http://wiki.apache.org/tomcat/SSLWithFORMFallback Not quite what you are looking for but it might help. I guess I need to extend the SPNEGO valve code in tomcat 8 to handle fallback to FORM auth, similar to SSLWIthFORMFallback. aaarg. Such a simple and essential use case. Perplexing that it is not implemented. To me, the question here is more : if SPNEGO fails, and you fall back to form-based authentication, what are you going to authenticate *against*, once the user fills the form ? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to configure SPNEGO authentication with fallback to FORM auth?
On 6/24/2016 10:45 AM, ken edward wrote: On Fri, Jun 24, 2016 at 11:26 AM, Mark Thomaswrote: On 24/06/2016 16:17, ken edward wrote: On Fri, Jun 24, 2016 at 10:46 AM, Mark Thomas wrote: On 24 June 2016 14:22:32 BST, ken edward wrote: Hello, I have tomcat 8 on linux, configured with kerberos/SPNEGO authentication. All works well, but if the client cannot use kerberos to authenticate, it will not fallback to FORM authentication. I see some references that tomcat 8 does not do fallback negotiation for FORM auth. True? Yes Any workarounds? Nothing simple. Both SPNEGO and FORM have their complications. You'll need to code some form of custom solution. Have a look in the archives. This has come up before and I think there is some sample code that might get you most of the way there. I had already searched the mail archives, and did not see any sample code. If anyone has any insight, please do post some code fragments. I was thinking of this: http://wiki.apache.org/tomcat/SSLWithFORMFallback Not quite what you are looking for but it might help. I guess I need to extend the SPNEGO valve code in tomcat 8 to handle fallback to FORM auth, similar to SSLWIthFORMFallback. aaarg. Such a simple and essential use case. Perplexing that it is not implemented. If you get it working, you might consider submitting a patch. Doing so might save someone else from cursing under their breath. -Terence Bandoian http://www.tmbsw.com/ - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to configure SPNEGO authentication with fallback to FORM auth?
On Fri, Jun 24, 2016 at 11:26 AM, Mark Thomaswrote: > On 24/06/2016 16:17, ken edward wrote: > > On Fri, Jun 24, 2016 at 10:46 AM, Mark Thomas wrote: > > > >> On 24 June 2016 14:22:32 BST, ken edward wrote: > >>> Hello, > >>> > >>> I have tomcat 8 on linux, configured with kerberos/SPNEGO > >>> authentication. > >>> All works well, but if the client cannot use kerberos to authenticate, > >>> it > >>> will not fallback to FORM authentication. > >>> > >>> I see some references that tomcat 8 does not do fallback negotiation > >>> for > >>> FORM auth. True? > >> > >> Yes > >> > >>> Any workarounds? > >> > >> Nothing simple. Both SPNEGO and FORM have their complications. You'll > need > >> to code some form of custom solution. > >> > >> Have a look in the archives. This has come up before and I think there > is > >> some sample code that might get you most of the way there. > >> > >> > >> > > I had already searched the mail archives, and did not see any sample > code. > > If anyone has any insight, please do post some code fragments. > > I was thinking of this: > http://wiki.apache.org/tomcat/SSLWithFORMFallback > > Not quite what you are looking for but it might help. > > I guess I need to extend the SPNEGO valve code in tomcat 8 to handle fallback to FORM auth, similar to SSLWIthFORMFallback. aaarg. Such a simple and essential use case. Perplexing that it is not implemented.
Re: How to configure SPNEGO authentication with fallback to FORM auth?
On 24/06/2016 16:17, ken edward wrote: > On Fri, Jun 24, 2016 at 10:46 AM, Mark Thomaswrote: > >> On 24 June 2016 14:22:32 BST, ken edward wrote: >>> Hello, >>> >>> I have tomcat 8 on linux, configured with kerberos/SPNEGO >>> authentication. >>> All works well, but if the client cannot use kerberos to authenticate, >>> it >>> will not fallback to FORM authentication. >>> >>> I see some references that tomcat 8 does not do fallback negotiation >>> for >>> FORM auth. True? >> >> Yes >> >>> Any workarounds? >> >> Nothing simple. Both SPNEGO and FORM have their complications. You'll need >> to code some form of custom solution. >> >> Have a look in the archives. This has come up before and I think there is >> some sample code that might get you most of the way there. >> >> >> > I had already searched the mail archives, and did not see any sample code. > If anyone has any insight, please do post some code fragments. I was thinking of this: http://wiki.apache.org/tomcat/SSLWithFORMFallback Not quite what you are looking for but it might help. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to configure SPNEGO authentication with fallback to FORM auth?
On Fri, Jun 24, 2016 at 10:46 AM, Mark Thomaswrote: > On 24 June 2016 14:22:32 BST, ken edward wrote: > >Hello, > > > >I have tomcat 8 on linux, configured with kerberos/SPNEGO > >authentication. > >All works well, but if the client cannot use kerberos to authenticate, > >it > >will not fallback to FORM authentication. > > > >I see some references that tomcat 8 does not do fallback negotiation > >for > >FORM auth. True? > > Yes > > > Any workarounds? > > Nothing simple. Both SPNEGO and FORM have their complications. You'll need > to code some form of custom solution. > > Have a look in the archives. This has come up before and I think there is > some sample code that might get you most of the way there. > > > I had already searched the mail archives, and did not see any sample code. If anyone has any insight, please do post some code fragments. Ed
Re: How to configure SPNEGO authentication with fallback to FORM auth?
On 24 June 2016 14:22:32 BST, ken edwardwrote: >Hello, > >I have tomcat 8 on linux, configured with kerberos/SPNEGO >authentication. >All works well, but if the client cannot use kerberos to authenticate, >it >will not fallback to FORM authentication. > >I see some references that tomcat 8 does not do fallback negotiation >for >FORM auth. True? Yes > Any workarounds? Nothing simple. Both SPNEGO and FORM have their complications. You'll need to code some form of custom solution. Have a look in the archives. This has come up before and I think there is some sample code that might get you most of the way there. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
How to configure SPNEGO authentication with fallback to FORM auth?
Hello, I have tomcat 8 on linux, configured with kerberos/SPNEGO authentication. All works well, but if the client cannot use kerberos to authenticate, it will not fallback to FORM authentication. I see some references that tomcat 8 does not do fallback negotiation for FORM auth. True? Any workarounds? I saw waffle 1.8, but that only works on windows (I am on linux), Setting Auth-method to SPNEGO, FORM doesn't work. Thanks, Ed