[Bug 64222] Getting User from SSO using SPNEGO returns Tomcat Linux user instead of Windows user above Tomcat9.0.8 - Update documentation

2020-03-30 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64222

Mark Thomas  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|REOPENED|RESOLVED

--- Comment #7 from Mark Thomas  ---
I've replaced the reference to spnego.sf.net with one to
http://tomcatspnegoad.sourceforge.net/

The requirement to specify SPNEGO as the login config is already documented.

The requirement to limit authentication to a sub-set of JSPs is an application
specific issue, not a generic SPNEGO auth configuration issue.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Bug 64222] Getting User from SSO using SPNEGO returns Tomcat Linux user instead of Windows user above Tomcat9.0.8 - Update documentation

2020-03-20 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64222

b...@wigeogis.com changed:

   What|Removed |Added

 Resolution|WORKSFORME  |---
 Status|RESOLVED|REOPENED

--- Comment #6 from b...@wigeogis.com ---
Next time on the users list, sorry.

Could you please improve the documentation?

https://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html

As already written in comment #4 , I did not know how to configure the built-in
SSO properly.
http://tomcat.10.x6.nabble.com/Help-with-SPNEGO-Pass-Through-td5073933.html
gave some hints.

In fact a Valve setting the SpnegoAuthenticator and the correct Realm
(AuthenticatedUserRealm) are necessary!

Additionally in the web.xml 
1) you must use auth-method SPNEGO in login-config and
2) you should only protect the JSPs in multiple url-filter in
security-constraint that use request.getRemoteUser() because in our case we are
not protecting these resources, but rather enabling SSO there.
Otherwise (with my configuration from comment #4 ) any other JSPs (not only
other servlets), that do not use request.getRemoteUser(), do not work, i.e.
they will show an HTTP status 401 Unauthorized.
I think this is because the authorization is not done for JSPs not calling
request.getRemoteUser()

Many Thanks!




[Bug 64222] Getting User from SSO using SPNEGO returns Tomcat Linux user instead of Windows user above Tomcat9.0.8 - Update documentation

2020-03-16 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64222

--- Comment #5 from Michael Osipov  ---
spnego.sf.net is ancient.

You should either go with basic features provided by Tomcat or use my Tomcat
extension (http://tomcatspnegoad.sourceforge.net/) which covers a lot of cases.
In both cases, use the users@ list.




[Bug 64222] Getting User from SSO using SPNEGO returns Tomcat Linux user instead of Windows user above Tomcat9.0.8 - Update documentation

2020-03-16 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64222

b...@wigeogis.com changed:

   What|Removed |Added

 Resolution|INVALID |WORKSFORME

--- Comment #4 from b...@wigeogis.com ---
Sorry for reopening. I already described my problem also at the SPNEGO help
forum https://sourceforge.net/p/spnego/discussion/1003769/thread/aa1abb0551/

This is just a comment with the complete documentation of how to solve it and
to help improve the documentation.

Looking for examples I finally managed to configure SSO successfully using the
hints of
http://tomcat.10.x6.nabble.com/Help-with-SPNEGO-Pass-Through-td5073933.html
(Also
https://blogs.nologin.es/rickyepoderi/index.php?/archives/160-Configuring-kerberosspnego-login-in-tomcat.html
seems to be a good and actual instruction.)

What I was missing in the fine documentation Windows authentication How-To 
https://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html#Tomcat_instance_(Windows_server)

Here is my example of how to configure an AuthenticatedUserRealm (Tomcat > 9.0.9)
in a correct way:

1. Follow the instructions under Domain Controller and Tomcat instance (Windows
server) concerning the $CATALINA_BASE/conf/tomcat.keytab,
$CATALINA_BASE/conf/krb5.ini and $CATALINA_BASE/conf/jaas.conf

2. Add a file $CATALINA_BASE/conf/Catalina/localhost/ROOT.xml with this
content:



  
  
  


This is the example for "If only the authenticated user name is required then
the AuthenticatedUserRealm may be used that will simply return a Principal
based on the authenticated user name that does not have any roles." sentence of
the documentation. 

3. Configure $CATALINA_BASE/webapps/ROOT/WEB-INF/web.xml with this content:



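<web-app xmlns="http://java.sun.com/xml/ns/javaee"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
   version="2.5">

<description>
  WepApp with a Login Configuration to allow request.getRemoteUser() in a
jsp
</description>
<display-name>WebApp with SSO (via Tomcat built-in SPNEGO)</display-name>

<login-config>
<auth-method>SPNEGO</auth-method>
<realm-name>SPNGEO realm</realm-name>
</login-config>
<security-role>
<description>all</description>
<role-name>ALL</role-name>
</security-role>
<security-constraint>
   <display-name>Require user authentication only</display-name>
   <web-resource-collection>
   <web-resource-name>Everything</web-resource-name>
   <url-pattern>*.jsp</url-pattern>
   </web-resource-collection>
   <auth-constraint>
   <role-name>**</role-name>
   </auth-constraint>
</security-constraint>
</web-app>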
  
 



This is the example for the Web application part of
https://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html#Web_application

4. Configure the client
I like the instructions from
https://support.pingidentity.com/s/article/How-to-configure-supported-browsers-for-Kerberos-NTLM

5. Test the configuration using a $CATALINA_BASE/webapps/getremoteuser.jsp with
the following content (idea very similar to hello_spnego.jsp from
http://spnego.sourceforge.net/spnego_tomcat.html )

<%@ page import="java.io.PrintWriter" %>
<%@ page import="java.security.Principal" %>
<%
String userName = request.getRemoteUser();
Principal currentAuthenticatedUser = request.getUserPrincipal();
response.setContentType("text/plain; charset=UTF-8");
PrintWriter writer = new PrintWriter(response.getWriter());
writer.println("This is the username: ");
writer.println(userName);
writer.println("This is the principal: ");
if (currentAuthenticatedUser != null) {
    writer.println(currentAuthenticatedUser.getName());
} else {
    writer.println("no user currently authenticated");
}
%>

calling it using

http://localhost:8080/getremoteuser.jsp

returning

 (from request.getRemoteUser())
 (from request.getUserPrincipal().getName())


And maybe in the Apache documentation about the Windows authentication How-To
linking the 3rd party library SPNEGO you could add a hint that the documented
configuration from the "install guide - tomcat"
http://spnego.sourceforge.net/spnego_tomcat.html does not work any longer with
Tomcat >9.0.9


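A check for the settings comments #4 and #6 name as necessary (a SpnegoAuthenticator Valve, the AuthenticatedUserRealm, auth-method SPNEGO and a security-constraint that triggers the login), as an added example that is not part of the original thread or of Tomcat. The two embedded descriptors and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (assumptions, not the poster's original files).
CONTEXT_XML = """<Context>
  <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"/>
  <Realm className="org.apache.catalina.realm.AuthenticatedUserRealm"/>
</Context>"""

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config><auth-method>SPNEGO</auth-method></login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSO pages</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>**</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    """Strip the XML namespace so the check works for any web-app schema version."""
    return tag.rsplit("}", 1)[-1]

def find_all(root, name):
    """All elements under root (root included) with the given local name."""
    return [e for e in root.iter() if local(e.tag) == name]

def check_spnego(context_xml, web_xml):
    """Return (findings, protected_patterns) for a context file and a web.xml."""
    findings = []
    ctx, web = ET.fromstring(context_xml), ET.fromstring(web_xml)
    classes = {e.get("className", "") for e in ctx.iter()}
    if not any(c.endswith(".SpnegoAuthenticator") for c in classes):
        findings.append("context: no SpnegoAuthenticator Valve")
    if not any(c.endswith(".AuthenticatedUserRealm") for c in classes):
        findings.append("context: no AuthenticatedUserRealm (user-name-only setup)")
    methods = [(e.text or "").strip() for e in find_all(web, "auth-method")]
    if methods != ["SPNEGO"]:
        findings.append("web.xml: auth-method is %r, expected SPNEGO" % methods)
    patterns = []
    for sc in find_all(web, "security-constraint"):
        if find_all(sc, "auth-constraint"):  # only constraints that demand a login
            patterns += [(p.text or "").strip() for p in find_all(sc, "url-pattern")]
    if not patterns:
        findings.append("web.xml: no URL pattern requires authentication, "
                        "so SPNEGO is never triggered")
    return findings, patterns
```

The returned pattern list shows exactly which URLs will answer 401 to a client that cannot negotiate, which is the side effect comment #6 describes for a constraint that is too broad.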


[Bug 64222] Getting User from SSO using SPNEGO returns Tomcat Linux user instead of Windows user above Tomcat9.0.8 - Update documentation

2020-03-16 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64222

Mark Thomas  changed:

   What|Removed |Added

 Status|REOPENED|RESOLVED
 Resolution|--- |INVALID

--- Comment #3 from Mark Thomas  ---
Bugzilla is not a support forum. Support for using Apache Tomcat is available
from the Apache Tomcat users mailing list.




[Bug 64222] Getting User from SSO using SPNEGO returns Tomcat Linux user instead of Windows user above Tomcat9.0.8 - Update documentation

2020-03-16 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=64222

b...@wigeogis.com changed:

   What|Removed |Added

Summary|Getting User from SSO using |Getting User from SSO using
   |SPNEGO returns Tomcat Linux |SPNEGO returns Tomcat Linux
   |user instead of Windows |user instead of Windows
   |user above Tomcat9.0.8  |user above Tomcat9.0.8 -
   ||Update documentation
 Resolution|INVALID |---
 Status|RESOLVED|REOPENED

--- Comment #2 from b...@wigeogis.com ---
OK, I have asked there, see

But could you please give me an example how I should configure an
AuthenticatedUserRealm in a correct way?
(I don't get it from
https://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html#Tomcat_instance_(Windows_server)
