On Fri, Jun 24, 2016 at 11:26 AM, Mark Thomas <ma...@apache.org> wrote:
> On 24/06/2016 16:17, ken edward wrote: > > On Fri, Jun 24, 2016 at 10:46 AM, Mark Thomas <ma...@apache.org> wrote: > > > >> On 24 June 2016 14:22:32 BST, ken edward <kedward...@gmail.com> wrote: > >>> Hello, > >>> > >>> I have tomcat 8 on linux, configured with kerberos/SPNEGO > >>> authentication. > >>> All works well, but if the client cannot use kerberos to authenticate, > >>> it > >>> will not fallback to FORM authentication. > >>> > >>> I see some references that tomcat 8 does not do fallback negotiation > >>> for > >>> FORM auth. True? > >> > >> Yes > >> > >>> Any workarounds? > >> > >> Nothing simple. Both SPNEGO and FORM have their complications. You'll > need > >> to code some form of custom solution. > >> > >> Have a look in the archives. This has come up before and I think there > is > >> some sample code that might get you most of the way there. > >> > >> > >> > > I had already searched the mail archives, and did not see any sample > code. > > If anyone has any insight, please do post some code fragments. > > I was thinking of this: > http://wiki.apache.org/tomcat/SSLWithFORMFallback > > Not quite what you are looking for but it might help. > > I guess I need to extend the SPNEGO valve code in tomcat 8 to handle fallback to FORM auth, similar to SSLWIthFORMFallback. aaarg. Such a simple and essential use case. Perplexing that it is not implemented.