There are several situations where #authenticate(GSSContext, boolean) does not cover all needs:

* You have a developer authenticator which obtains the GSSName of the currently logged-in principal, e.g., http://tomcatspnegoad.sourceforge.net/xref/net/sf/michaelo/tomcat/authenticator/CurrentWindowsIdentityAuthenticator.html#CurrentWindowsIdentityAuthenticator
* You perform protocol transition and have deduced the user's GSS name, e.g., MS-SFU
* You perform TLS cert auth and extract from SAN msUPN or the emailAddress fields
* You completely lose the GSS name OID and cannot distinguish what type of name that was, i.e., Kerberos principal, Kerberos enterprise principal, MS user principal name, or an email address
* The authenticator has established and verified the security context for you and passes only the required information
* You perform authentication by a reverse proxy and pass that information with request headers, e.g., https://github.com/modauthgssapi/mod_auth_gssapi

Along with this, we need to have #getPrincipal(GSSName) and #getPrincipal(GSSName, GSSCredential). The former would simply call the latter with a null value as the second argument. #getPrincipal(String, GSSCredential) would be deprecated because it loses information. #isStripRealmForGss() would be called as late as possible in #getPrincipal(GSSName, GSSCredential), leaving #authenticate() alone. I will work this out in a separate branch.
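The API shape proposed above (a GSSName-based lookup that keeps the name-type OID, the one-argument overload delegating with a null credential, the String variant deprecated, and realm stripping deferred until the principal is built) can be sketched without Tomcat as a stand-alone class. The code below is an added example and is not the reporter's branch or Tomcat's actual RealmBase; the class name GssNameRealm, the GssPrincipal holder, the strip-only-Kerberos-principal-names policy, and the three name-type OID constants are assumptions made for the illustration (the OID values are the ones commonly published for the Kerberos GSS mechanism and the Microsoft UPN name form).

```java
import java.security.Principal;
import java.util.Objects;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Hypothetical stand-alone sketch of the proposed realm methods; it does not
// extend Tomcat's RealmBase, it only mirrors the method signatures in the report.
public class GssNameRealm {

    // Assumed name-type OIDs: Kerberos principal, Kerberos enterprise principal,
    // and Microsoft user principal name. They let the realm tell the name forms apart,
    // which a plain String argument cannot.
    static final String KRB5_NT_PRINCIPAL_NAME  = "1.2.840.113554.1.2.2.1";
    static final String KRB5_NT_ENTERPRISE_NAME = "1.2.840.113554.1.2.2.6";
    static final String MS_UPN_NAME             = "1.3.6.1.4.1.311.20.2.3";

    private boolean stripRealmForGss = false;

    public boolean isStripRealmForGss() { return stripRealmForGss; }
    public void setStripRealmForGss(boolean strip) { this.stripRealmForGss = strip; }

    /** Convenience overload: simply delegates with a null credential, as proposed. */
    public Principal getPrincipal(GSSName gssName) {
        return getPrincipal(gssName, null);
    }

    /** Deprecated on purpose: a bare String has already lost the name-type OID. */
    @Deprecated
    public Principal getPrincipal(String username, GSSCredential gssCredential) {
        return new GssPrincipal(username, null, gssCredential);
    }

    /**
     * The primary entry point. The name type is read from the GSSName and the
     * realm-strip decision is made here, as late as possible, so that callers such
     * as authenticate(GSSContext, boolean) or a reverse-proxy authenticator never
     * have to touch it.
     */
    public Principal getPrincipal(GSSName gssName, GSSCredential gssCredential) {
        Objects.requireNonNull(gssName, "gssName");
        String name = gssName.toString();
        Oid type;
        try {
            type = gssName.getStringNameType();
        } catch (GSSException e) {
            // Assumed policy: without a name type we cannot decide what '@' means,
            // so the name is kept whole rather than guessed at.
            return new GssPrincipal(name, null, gssCredential);
        }

        // Assumed policy: only a Kerberos principal name has a realm to strip
        // ("user@REALM"). For an enterprise name, a UPN or an e-mail address the
        // '@' is part of the identifier, and stripping it would change who the user is.
        if (isStripRealmForGss() && type != null
                && KRB5_NT_PRINCIPAL_NAME.equals(type.toString())) {
            int at = name.lastIndexOf('@');
            if (at > 0) {                 // > 0 so we never produce an empty name
                name = name.substring(0, at);
            }
        }
        return new GssPrincipal(name, type, gssCredential);
    }

    /** Minimal Principal that keeps the OID and the delegated credential alongside the name. */
    public static final class GssPrincipal implements Principal {
        private final String name;
        private final Oid nameType;          // null when the type is unknown
        private final GSSCredential credential; // null when nothing was delegated

        GssPrincipal(String name, Oid nameType, GSSCredential credential) {
            this.name = name;
            this.nameType = nameType;
            this.credential = credential;
        }

        @Override public String getName() { return name; }
        public Oid getNameType() { return nameType; }
        public GSSCredential getGssCredential() { return credential; }

        @Override public String toString() {
            return "GssPrincipal[" + name + ", type=" + nameType + "]";
        }
    }
}
```

Because the realm-strip decision lives only in getPrincipal(GSSName, GSSCredential), every caller that already holds a GSSName (a protocol-transition authenticator, a TLS certificate authenticator that built the name from msUPN, or a header-passing reverse-proxy authenticator) gets identical treatment, and the deprecated String overload remains only as a compatibility path that records the type as unknown.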
Fixed in:

- master for 9.0.30 onwards
- 8.5.x for 8.5.50 onwards
- 7.0.x for 7.0.99 onwards