We maintain a custom RealmBase#authenticate(GSSContext, boolean) implementation because the given one has a few shortcomings. I'd like to address this in a PR:

* Move stripping right before #getPrincipal() to log a fully qualified GSS name
* Issue a warning instead of a debug if #getDelegCred() has failed. Justification: the context indicates that there is a credential and the developer has configured to store them, but this failed. A debug will be unnoticed in a production system. The admin should see this and take action.
* If storeCreds is requested, but the credentials aren't log this in debug for traceability.

Custom impl: http://tomcatspnegoad.sourceforge.net/xref/net/sf/michaelo/tomcat/realm/ActiveDirectoryRealm.html#L229
Fixed in:
- master for 9.0.23 onwards
- 8.5.x for 8.5.44 onwards
- 7.0.x for 7.0.97 onwards