Bug 63681 - Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends
Summary: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina
Version: 8.5.x-trunk
Hardware: All All
Importance: P2 enhancement
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-21 20:17 UTC by Michael Osipov
Modified: 2019-12-02 11:55 UTC (History)
Description Michael Osipov 2019-08-21 20:17:22 UTC
There are several situations where #authenticate(GSSContext, boolean) does not cover all needs:

* You have a developer authenticator which obtains the GSSName of the currently logged in principal, e.g., http://tomcatspnegoad.sourceforge.net/xref/net/sf/michaelo/tomcat/authenticator/CurrentWindowsIdentityAuthenticator.html#CurrentWindowsIdentityAuthenticator
* You perform protocol transition and have deduced the user's GSS name, e.g., MS-SFU
* You perform TLS cert auth and extract from SAN msUPN or the emailAddress fields
* You completely lose the GSS name OID and cannot distinguish what type of name that was, i.e., Kerberos principal, Kerberos enterprise principal, MS user principal name, or an email address
* The authenticator has established and verified the security context for you and passes required information only
* You perform authentication by a reverse proxy and pass that information with request headers, e.g., https://github.com/modauthgssapi/mod_auth_gssapi

Along with this, we need to have #getPrincipal(GSSName) and #getPrincipal(GSSName, GSSCredential). The former would simply call the latter with null as the second argument.

#getPrincipal(String, GSSCredential) would be deprecated because it loses information.

#isStripRealmForGss() would be called as late as possible in #getPrincipal(GSSName, GSSCredential), leaving #authenticate() alone.

I will work this out in a separate branch.
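The following is an added example, not code from the report or from Tomcat itself. It shows what a realm gains from receiving the GSSName rather than a flattened String: the name-type OID survives, so realm stripping can be limited to plain Kerberos principal names while enterprise principals, UPNs and e-mail style names keep their '@' part. It assumes Tomcat 9.0.30+/8.5.50+, where RealmBase exposes authenticate(GSSName, GSSCredential), an overridable getPrincipal(GSSName, GSSCredential) and isStripRealmForGss(); the realm class, its in-memory user table and the OID constants are assumptions made for the example and should be checked against your GSS provider.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Hypothetical realm (example only) that keeps the GSS name-type OID
 * available while mapping a GSS-authenticated identity to a Principal.
 */
public class NameTypeAwareRealm extends RealmBase {

    // Assumed name-type OIDs (RFC 1964 / MIT krb5 values); verify for your provider.
    private static final String KRB5_NT_PRINCIPAL_NAME = "1.2.840.113554.1.2.2.1";
    private static final String KRB5_NT_ENTERPRISE_NAME = "1.2.840.113554.1.2.2.6";

    // Constructed user table: name as the realm expects it -> roles.
    private static final Map<String, List<String>> USERS = new HashMap<>();
    static {
        USERS.put("alice", Arrays.asList("user"));                    // Kerberos principal, realm stripped
        USERS.put("bob@corp.example", Arrays.asList("user", "admin")); // enterprise name / UPN, kept whole
    }

    @Override
    protected Principal getPrincipal(GSSName gssName, GSSCredential gssCredential) {
        if (gssName == null || gssName.isAnonymous()) {
            return null;
        }
        String name = gssName.toString();
        if (isStripRealmForGss() && isPlainKerberosPrincipal(gssName)) {
            // Only a plain Kerberos principal has a separable @REALM suffix.
            int at = name.indexOf('@');
            if (at > 0) {
                name = name.substring(0, at);
            }
        }
        // Enterprise names, UPNs and e-mail addresses are looked up verbatim.
        return getPrincipal(name);
    }

    /** True only for the RFC 1964 principal name type; enterprise names are excluded. */
    private static boolean isPlainKerberosPrincipal(GSSName gssName) {
        try {
            Oid type = gssName.getStringNameType();
            if (type == null) {
                return false;
            }
            String oid = type.toString();
            return KRB5_NT_PRINCIPAL_NAME.equals(oid) && !KRB5_NT_ENTERPRISE_NAME.equals(oid);
        } catch (GSSException e) {
            // Unknown name type: be conservative and do not strip anything.
            return false;
        }
    }

    @Override
    protected Principal getPrincipal(String username) {
        List<String> roles = USERS.get(username);
        return roles == null ? null : new GenericPrincipal(username, null, roles);
    }

    @Override
    protected String getPassword(String username) {
        // GSS-authenticated only: no password is ever checked here.
        return null;
    }

    /**
     * Authenticator-side use (assumed call pattern): after the context is
     * established, hand the source name, and any delegated credential, to the realm.
     */
    public static Principal fromEstablishedContext(RealmBase realm, GSSContext ctx) throws GSSException {
        if (!ctx.isEstablished()) {
            return null;
        }
        GSSCredential delegated = ctx.getCredDelegState() ? ctx.getDelegCred() : null;
        return realm.authenticate(ctx.getSrcName(), delegated);
    }
}
```

With stripRealmForGss="true", a name whose type OID is the plain Kerberos principal type becomes "alice" before lookup, whereas a name carrying the enterprise or another type is looked up as "bob@corp.example" unchanged; with the String-based #getPrincipal(String, GSSCredential) that distinction is no longer possible because the OID is gone.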
Comment 1 Michael Osipov 2019-12-02 11:55:19 UTC
Fixed in:
- master for 9.0.30 onwards
- 8.5.x for 8.5.50 onwards
- 7.0.x for 7.0.99 onwards