Currently I'm configuring Tomcat 8.5 with Integrated Windows
Authentication/SPNEGO and have a question on proper roles in security
and auth constraints.  I have completed the instructions in the
Integrated Windows Authentication doc
(https://tomcat.apache.org/tomcat-8.5-doc/windows-auth-howto.html) and
it appears the Kerberos handshake is working.

The difficulty comes when applying security constraints to an
application which previously had none applied.  The application uses
its own form-based authentication system and does not rely upon
Tomcat's user database mechanisms.  The intent was to write custom
code in the application to use the Kerberos ticket for single sign-on.

The main question: is it possible to bypass or pass through the
Kerberos header without having Tomcat enforce security or auth
constraints while enabling SPNEGO?  If so, what is the proper config?

Ultimately we want to trust the Kerberos token and avoid any
unnecessary re-authentication.  I've tried advice from many articles
online with no success.

Thank you in advance,

RandyO


===================

Some data:

=========
Version.sh
=========

$ ./version.sh
Using CATALINA_BASE:   /opt/apache-tomcat-8.5.23
Using CATALINA_HOME:   /opt/apache-tomcat-8.5.23
Using CATALINA_TMPDIR: /opt/apache-tomcat-8.5.23/temp
Using JRE_HOME:        /usr/lib/jvm/jre
Using CLASSPATH:
/opt/apache-tomcat-8.5.23/bin/bootstrap.jar:/opt/apache-tomcat-8.5.23/bin/tomcat-juli.jar
Server version: Apache Tomcat/8.5.23
Server built:   Sep 28 2017 10:30:11 UTC
Server number:  8.5.23.0
OS Name:        Linux
OS Version:     3.10.0-693.11.6.el7.x86_64
Architecture:   amd64
JVM Version:    1.8.0_151-b12
JVM Vendor:     Oracle Corporation

========
web.xml
========

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>AuthApp</web-resource-name>
            <url-pattern>/app/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>SPNEGO</auth-method>
    </login-config>
    <security-role>
        <role-name>*</role-name>
    </security-role>

========
krb5 debug
========

EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
MemoryCache: add
1523981725/001290/C2FA3E950212F1F51A0C6BA137498AF0/u...@domain.org to
u...@domain.org|HTTP/s...@domain.org
KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 1251591629
EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 1008854003
Constrained deleg from GSSCaller{UNKNOWN}
Found ticket for HTTP/s...@domain.org to go to krbtgt/d...@domain.org
expiring on Tue Apr 17 21:15:25 CDT 2018
17-Apr-2018 11:15:25.407 FINE [https-jsse-nio-8443-exec-7]
org.apache.catalina.realm.CombinedRealm.authenticate Attempting to
authenticate user [u...@domain.org] with realm
[org.apache.catalina.realm.UserDatabaseRealm]
17-Apr-2018 11:15:25.407 FINE [https-jsse-nio-8443-exec-7]
org.apache.catalina.realm.CombinedRealm.authenticate Failed to
authenticate user [u...@domain.org] with realm
[org.apache.catalina.realm.UserDatabaseRealm]
17-Apr-2018 11:15:25.408 FINE [https-jsse-nio-8443-exec-7]
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed
authenticate() test

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
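An added example, not code from the post above, from a list reply, or from Tomcat itself. The FINE log in the post shows the order of events on the SPNEGO path: the ticket is accepted (KrbApReq: authenticate succeed), then the authenticator asks the Realm to resolve the Kerberos name, and UserDatabaseRealm reports a failure at that step, before any role check runs. The class below assumes the package name org.example.sso, the role name kerberos-user, and the Tomcat 8.5 RealmBase hooks getPassword(String) and getPrincipal(String); it turns any GSS-authenticated name into a GenericPrincipal without a user database, and the web.xml fragment in its header uses the Servlet 3.1 role name "**" so that the auth-constraint requires only an authenticated user rather than a declared role.

```java
package org.example.sso; // assumed package name for this example

import java.security.Principal;
import java.util.Collections;
import java.util.List;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/**
 * A Realm that trusts every principal the SPNEGO handshake produced and
 * grants it one fixed role, so the container's auth-constraint can be
 * satisfied without listing Kerberos users in tomcat-users.xml.
 *
 * RealmBase.authenticate(GSSContext, boolean) takes the client name from the
 * accepted context (dropping "@REALM" when stripRealmForGss="true") and then
 * calls getPrincipal(String), which is the hook overridden here.
 *
 * Wiring, assumed for this example, inside the <Context> or <Engine> of
 * server.xml (replaces the UserDatabaseRealm seen in the log):
 *
 *   <Realm className="org.example.sso.KerberosPassThroughRealm"
 *          stripRealmForGss="false"/>
 *
 * and in web.xml, where "**" means any authenticated user, while "*" would
 * also require one of the roles declared in <security-role>:
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>AuthApp</web-resource-name>
 *       <url-pattern>/app/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>**</role-name></auth-constraint>
 *   </security-constraint>
 *   <login-config><auth-method>SPNEGO</auth-method></login-config>
 */
public class KerberosPassThroughRealm extends RealmBase {

    /** Role granted to every Kerberos-authenticated principal (assumed name). */
    private String defaultRole = "kerberos-user";

    public String getDefaultRole() {
        return defaultRole;
    }

    public void setDefaultRole(String defaultRole) {
        this.defaultRole = defaultRole;
    }

    /** No stored passwords: there is nothing a password check could match. */
    @Override
    protected String getPassword(String username) {
        return null;
    }

    /**
     * Refuse the username/password entry point explicitly so that only the
     * GSSContext-based entry point used by SpnegoAuthenticator can succeed.
     */
    @Override
    public Principal authenticate(String username, String credentials) {
        return null;
    }

    /**
     * Called by RealmBase.authenticate(GSSContext, boolean) with the name the
     * KDC vouched for. Any non-empty name is accepted as-is and given the
     * default role; no lookup against a user store is performed.
     */
    @Override
    protected Principal getPrincipal(String username) {
        if (username == null || username.isEmpty()) {
            return null;
        }
        List<String> roles = Collections.singletonList(defaultRole);
        return new GenericPrincipal(username, null, roles);
    }
}
```

With this in place, requests under /app/* reach the application only after a successful Negotiate exchange, and the application can read the identity from request.getUserPrincipal() or request.getRemoteUser() (user@DOMAIN.ORG when stripRealmForGss is false) instead of showing its form login. The caveat is that this realm trusts the KDC completely: any account holding a valid service ticket for the HTTP/... SPN is admitted, so every authorization decision beyond "is authenticated" has to be made by the application itself.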
