https://bz.apache.org/bugzilla/show_bug.cgi?id=64222

            Bug ID: 64222
           Summary: Getting User from SSO using SPNEGO returns Tomcat
                    Linux user instead of Windows user above Tomcat9.0.8
           Product: Tomcat 9
           Version: 9.0.22
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: regression
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: b...@wigeogis.com
  Target Milestone: -----

I had the same problem already described in
http://tomcat.10.x6.nabble.com/SSO-fails-on-Tomcat-9-td5089051.html#a5089145 :
When upgrading from Tomcat 8.5.20 to Tomcat 9.0.22, calling
request.getRemoteUser() in a JSP (like the hello_spnego.jsp file mentioned
in http://spnego.sourceforge.net/spnego_tomcat.html) of the ROOT webapp with
identically configured SPNEGO (using a SpnegoHttpFilter in the web.xml) did not
return the Windows user of the browser sending the request and transferring the
Kerberos ticket (bk), but the Linux user that Tomcat is running under (tomcat).
Additional note: request.getUserPrincipal().getName() returns tomcat@DEV.LOCAL
instead of bk@DEV.LOCAL.

After downgrading from 9.0.22 to 9.0.8 it all worked fine, as with 8.5.20!

So I suppose the new line 541 doing return null; causes this behaviour:
https://github.com/apache/tomcat/commit/b5ca3e08b8cdd998e22f486293bca6b89e2644e3

But I must admit that without debugging I do not understand the code of
JAASRealm.createPrincipal(), which seems to be involved in this regression.
Using an AuthenticatedUserRealm did not work either (but in fact no Valve or
Realm is configured in TOMCAT_BASE/conf/server.xml at all - it is unchanged).

So in the meantime more information about my system to reproduce:
* Ubuntu 16.04.4 LTS
* with the mentioned Apache 8.5.20, 9.0.8 and 9.0.22
* SPNEGO configured with a SpnegoHttpFilter in the TOMCAT_BASE/conf/web.xml
like documented in http://spnego.sourceforge.net/spnego_tomcat.html
** copied the latest spnego-r9.jar to the TOMCAT_BASE/lib folder and 
** configured with a conf/krb5.ini, a conf/jaas.conf and a conf/tomcat.keytab
matching the setspn command at the domain controller as documented in
https://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html#Tomcat_instance_(Linux_server)
 

If necessary I can provide the configuration files, but I think it is
reproducible without.
