Hi,

We are configuring our Tomcat web application to authenticate using SPNEGO (Kerberos in particular) on Tomcat 7.0.29. Following the step-by-step 'Windows Authentication How-To', I succeeded in doing so. Part of setting it up was configuring a Realm that assigns a role to the user, because the web application requires this. The Realm is supposed to grant the role to any user where the password equals the user name.

Now, as long as we combine the SPNEGOAuthenticator and this Realm, there is no issue. But as soon as somebody starts using my special Realm in combination with, let's say, the BasicAuthenticator, we have introduced a huge security hole. In my mind, the responsibilities are assigned differently. The Valves (Authenticators) should be doing the HTTP request/header/login form/etc. handling, and the Realm should be doing the actual authentication against some data source. In the case of SPNEGO, the SPNEGOAuthenticator seems to try to do the authentication as well, and only delegates to the Realm to finally grant the role.

Now my questions are: am I right in my assumption of the responsibilities? Should I be configuring this differently? Or am I indeed on the right track?

Regards,
Maarten van Hulsentop
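One way to close the hole described above is a Realm that only ever produces a Principal from the GSS-API (SPNEGO) path and fails closed for every password-based path, so a mis-paired BasicAuthenticator cannot log anyone in. This is an added example, not code from the original post or from Tomcat itself; the class name, package and role name "app-user" are assumptions, and it targets the Tomcat 7 RealmBase API (abstract getName/getPassword/getPrincipal plus the authenticate(GSSContext, boolean) overload).

```java
package example; // hypothetical package, not part of Tomcat or the poster's setup

import java.security.Principal;
import java.util.Collections;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;

/**
 * Realm that grants a fixed role to any principal established by the
 * SPNEGO (GSS-API) authenticator and refuses all password-based logins.
 * Hypothetical example; role name is an assumption.
 */
public class SpnegoOnlyRealm extends RealmBase {

    private static final String ROLE = "app-user"; // assumed role name

    @Override
    protected String getName() { return "SpnegoOnlyRealm"; }

    // Password path (BasicAuthenticator, FormAuthenticator, ...): there is
    // no password this realm accepts, so the login always fails closed.
    @Override
    public Principal authenticate(String username, String credentials) {
        return null;
    }

    @Override
    protected String getPassword(String username) { return null; }

    @Override
    protected Principal getPrincipal(String username) { return null; }

    // SPNEGO path: the Kerberos ticket was already verified while the GSS
    // context was established; this realm only attaches the role.
    @Override
    public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
        if (gssContext == null || !gssContext.isEstablished()) {
            return null; // refuse anything that is not a completed handshake
        }
        try {
            String name = gssContext.getSrcName().toString();
            return new GenericPrincipal(name, null, Collections.singletonList(ROLE));
        } catch (GSSException e) {
            return null;
        }
    }
}
```

Delegated credentials (the storeCreds flag) are deliberately not stored here; the web application's <login-config> must still use auth-method SPNEGO for any user to be able to log in at all.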