Sorry Mark, I've clicked the wrong button in my mail client :(
On 28.06.2021 15:29, Mark Thomas wrote:
Note that Tomcat 7 is no longer supported.
I guess it's nearly the same for all versions of Tomcat.
That looks more like some form of configuration issue but I always found the Kerberos error message rather hard to decipher.
AFAIK, the Kerberos is working fine. This error occurs in JNDIRealm's getPrincipal method. One log line before, Kerberos reports
Found ticket for HTTP/apps.atlas-03t.gvsn.local@GVSN.LOCAL to go to krbtgt/GVSN.LOCAL@GVSN.LOCAL expiring on Thu Jun 24 18:26:05 CEST 2021
So, there is a ticket. However, JNDIRealm cannot use it or the ticket does not allow binding to the directory with that user. I'm not understanding the whole process, so I was asking if someone has more glue on that.
2. Fallback Authenticator
It has been mentioned before. There is this on the Wiki: https://cwiki.apache.org/confluence/display/TOMCAT/SSLWithFORMFallback
Will have a look at that. It's basically what I was thinking about adding a fallback to SpnegoAuthenticator only.
As with most enhancements, whether it is accepted is going to depend largely on the benefit it brings vs how complex / invasive the code is.
Rémy mentioned he was looking for a development project. Maybe this could be it.
I guess, Rémy was taking my user attributes Realm extension as development project...
You might be able to authenticate external users in a reverse proxy and have it pass the user ID to Tomcat rather than have Tomcat do the authentication.
I read about that somewhere some months ago. However, I don't know how to get the authentication from the reverse proxy (my Tomcat already runs behind an Apache HTTPD using mod_proxy_ajp) to Tomcat?
Finally, Tomcat needs the Principal and a couple of roles for authorization (including my additional user attributes). Passing the user ID only is likely not sufficient. Could you please describe that in more detail or point me to some sites to learn more about that?
--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org