[Bug 64222] Getting User from SSO using SPNEGO returns Tomcat Linux user instead of Windows user above Tomcat9.0.8 - Update documentation
https://bz.apache.org/bugzilla/show_bug.cgi?id=64222

Mark Thomas changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|REOPENED                    |RESOLVED

--- Comment #7 from Mark Thomas ---
I've replaced the reference to spnego.sf.net with one to
http://tomcatspnegoad.sourceforge.net/

The requirement to specify SPNEGO as the login config is already documented.

The requirement to limit authentication to a sub-set of JSPs is an application
specific issue, not a generic SPNEGO auth configuration issue.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64222

b...@wigeogis.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|WORKSFORME                  |---
             Status|RESOLVED                    |REOPENED

--- Comment #6 from b...@wigeogis.com ---
Next time on the users list, sorry.

Could you please improve the documentation?
https://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html

As already written in comment #4, I did not know how to configure the built-in
SSO properly.
http://tomcat.10.x6.nabble.com/Help-with-SPNEGO-Pass-Through-td5073933.html gave
some hints. In fact a Valve setting the SpnegoAuthenticator and the correct Realm
(AuthenticatedUserRealm) are necessary!

Additionally, in the web.xml
1) you must use auth-method SPNEGO in login-config and
2) you should only protect the JSPs in multiple url-filter in security-constraint
   that use request.getRemoteUser(), because in our case we are not protecting
   these resources, but rather enabling SSO there.

Otherwise (with my configuration from comment #4) any other JSPs (not only other
servlets) that do not use request.getRemoteUser() do not work, i.e. they will
show an HTTP status 401 Unauthorized. I think this is because the authorization
is not done for JSPs not calling request.getRemoteUser()

Many Thanks!
https://bz.apache.org/bugzilla/show_bug.cgi?id=64222

--- Comment #5 from Michael Osipov ---
spnego.sf.net is ancient. You should either go with basic features provided by
Tomcat or use my Tomcat extension (http://tomcatspnegoad.sourceforge.net/) which
covers a lot of cases. In both cases, use the users@ list.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64222

b...@wigeogis.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|INVALID                     |WORKSFORME

--- Comment #4 from b...@wigeogis.com ---
Sorry for reopening. I already described my problem also at the SPNEGO help
forum https://sourceforge.net/p/spnego/discussion/1003769/thread/aa1abb0551/

This is just a comment with the complete documentation of how to solve it and
to help improve the documentation.

Looking for examples I finally managed to configure SSO successfully using the
hints of
http://tomcat.10.x6.nabble.com/Help-with-SPNEGO-Pass-Through-td5073933.html
(Also
https://blogs.nologin.es/rickyepoderi/index.php?/archives/160-Configuring-kerberosspnego-login-in-tomcat.html
seems to be a good and actual instruction.)

What I was missing in the fine documentation Windows authentication How-To
https://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html#Tomcat_instance_(Windows_server)

Here is my example of how to configure an AuthenticatedUserRealm (Tomcat > 9.0.9)
in a correct way:

1. Follow the instructions under Domain Controller and Tomcat instance (Windows
   server) concerning the $CATALINA_BASE/conf/tomcat.keytab,
   $CATALINA_BASE/conf/krb5.ini and $CATALINA_BASE/conf/jaas.conf

2. Add a file $CATALINA_BASE/conf/Catalina/localhost/ROOT.xml with this content:

   This is the example for the "If only the authenticated user name is required
   then the AuthenticatedUserRealm may be used that will simply return a
   Principal based on the authenticated user name that does not have any roles."
   sentence of the documentation.

3. Configure $CATALINA_BASE/webapps/ROOT/WEB-INF/web.xml with this content:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

    <display-name>WebApp with a Login Configuration to allow request.getRemoteUser() in a jsp</display-name>
    <description>WebApp with SSO (via Tomcat built-in SPNEGO)</description>

    <!-- Tomcat's built-in SPNEGO authenticator is selected by this auth-method -->
    <login-config>
        <auth-method>SPNEGO</auth-method>
        <realm-name>SPNEGO realm</realm-name>
    </login-config>

    <security-role>
        <description>all</description>
        <role-name>ALL</role-name>
    </security-role>

    <!-- Only the JSPs are constrained; "**" means any authenticated user,
         which is the only constraint an AuthenticatedUserRealm (no roles)
         can satisfy -->
    <security-constraint>
        <display-name>Require user authentication only</display-name>
        <web-resource-collection>
            <web-resource-name>Everything</web-resource-name>
            <url-pattern>*.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>**</role-name>
        </auth-constraint>
    </security-constraint>

</web-app>

   This is the example for the Web application part of
   https://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html#Web_application

4. Configure the client. I like the instructions from
   https://support.pingidentity.com/s/article/How-to-configure-supported-browsers-for-Kerberos-NTLM

5. Test the configuration using a $CATALINA_BASE/webapps/getremoteuser.jsp with
   the following content (idea very similar to hello_spnego.jsp from
   http://spnego.sourceforge.net/spnego_tomcat.html):

<%@ page import="java.io.PrintWriter" %>
<%@ page import="java.security.Principal" %>
<%
    // Both values are set by the container after the SPNEGO handshake succeeds
    String userName = request.getRemoteUser();
    Principal currentAuthenticatedUser = request.getUserPrincipal();

    // Content type (and charset) must be set before the writer is obtained
    response.setContentType("text/plain; charset=UTF-8");
    PrintWriter writer = new PrintWriter(response.getWriter());

    writer.println("This is the username: ");
    writer.println(userName);
    writer.println("This is the principal: ");
    if (currentAuthenticatedUser != null) {
        writer.println(currentAuthenticatedUser.getName());
    } else {
        writer.println("no user currently authenticated");
    }
    writer.flush();
%>

   calling it using http://localhost:8080/getremoteuser.jsp returning

   (from request.getRemoteUser())
   (from request.getUserPrincipal().getName())

And maybe in the Apache documentation about the Windows authentication How-To
linking the 3rd party library SPNEGO you could add a hint that the documented
configuration from the "install guide - tomcat"
http://spnego.sourceforge.net/spnego_tomcat.html does not work any longer with
Tomcat > 9.0.9
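The ROOT.xml content of step 2 above did not survive in this copy of the message. What follows is an added example, not text from the original message or from the Tomcat project, of a minimal $CATALINA_BASE/conf/Catalina/localhost/ROOT.xml that matches what comments #4 and #6 describe: the SpnegoAuthenticator Valve together with an AuthenticatedUserRealm. The two class names are Tomcat's own (org.apache.catalina.authenticator.SpnegoAuthenticator and org.apache.catalina.realm.AuthenticatedUserRealm); everything else in the fragment, including the placement of the file and the comments on its consequences, is my assumption about a working configuration rather than something the thread states.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed location: $CATALINA_BASE/conf/Catalina/localhost/ROOT.xml
     Added illustrative example, not the content of the original message.
     Requires the tomcat.keytab, krb5.ini and jaas.conf prepared in step 1
     (Tomcat Windows authentication How-To) to be in place first. -->
<Context>

    <!-- Tomcat's built-in SPNEGO/Kerberos authenticator. Comment #6 reports
         that declaring this Valve explicitly, together with
         <auth-method>SPNEGO</auth-method> in the web.xml, was necessary.
         It validates the Negotiate token via the JAAS login entry
         com.sun.security.jgss.krb5.accept from conf/jaas.conf. -->
    <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator" />

    <!-- Returns a Principal that carries only the authenticated Kerberos name
         and no roles. Consequence for web.xml: the only <auth-constraint>
         this Realm can ever satisfy is <role-name>**</role-name> (any
         authenticated user). A concrete role name such as ALL would deny
         every request, because no user is ever a member of it. -->
    <Realm className="org.apache.catalina.realm.AuthenticatedUserRealm" />

</Context>
```

Two checks are worth making against this setup. First, a plain request to a constrained JSP from an unconfigured client should come back as 401 with a WWW-Authenticate: Negotiate header; if no challenge is issued, the authenticator is not in the pipeline for that context. Second, keep the <url-pattern> in web.xml limited to the JSPs that actually call request.getRemoteUser(), as comment #6 describes, because with this Realm there is no role model to fall back on for anything else that ends up under the constraint.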
https://bz.apache.org/bugzilla/show_bug.cgi?id=64222

Mark Thomas changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |INVALID

--- Comment #3 from Mark Thomas ---
Bugzilla is not a support forum. Support for using Apache Tomcat is available
from the Apache Tomcat users mailing list.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64222

b...@wigeogis.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Getting User from SSO using |Getting User from SSO using
                   |SPNEGO returns Tomcat Linux |SPNEGO returns Tomcat Linux
                   |user instead of Windows     |user instead of Windows
                   |user above Tomcat9.0.8      |user above Tomcat9.0.8 -
                   |                            |Update documentation
         Resolution|INVALID                     |---
             Status|RESOLVED                    |REOPENED

--- Comment #2 from b...@wigeogis.com ---
OK, I have asked there, see

But could you please give me an example how I should configure an
AuthenticatedUserRealm in a correct way? (I don't get it from
https://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html#Tomcat_instance_(Windows_server)