| Summary: | Tomcat Spnego authentication against Active Directory fails with Java 8 | | |
|---|---|---|---|
| Product: | Tomcat 7 | Reporter: | Detelin Yordanov <DetelinYordanov> |
| Component: | Catalina | Assignee: | Tomcat Developers Mailing List <dev> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | | |
| Priority: | P2 | | |
| Version: | 7.0.55 | | |
| Target Milestone: | --- | | |
| Hardware: | PC | | |
| OS: | All | | |
Attachments:

- Tomcat JAAS configuration
- Tomcat Kerberos configuration
- Tomcat configuration
- Error log
Description

Detelin Yordanov, 2014-09-26 13:33:32 UTC

Created attachment 32060: Tomcat Kerberos configuration
Created attachment 32061: Tomcat configuration
Created attachment 32062: Error log
I managed to overcome this error by setting -Djavax.security.auth.useSubjectCredsOnly=false. Still, I would like to know if there is a reason not to use Subject.doAs when doing GSSAPI authentication against LDAP.

A short update. I can reproduce this with Tomcat 8 and both the latest Java 7 and Java 8 releases. I have a patch that fixes this but it currently depends on an internal Sun API. I am looking at ways to work around that.

I've done a little svn archaeology. Originally, the SPNEGO authenticator did call Realm.authenticate using Subject.doAs(). That was removed as it wasn't necessary early in the SPNEGO development. I have just restored this behaviour. At one point Tomcat automatically set javax.security.auth.useSubjectCredsOnly=false but this was removed to enable SPNEGO to work with IBM JREs. This fix has been made to 8.0.x and will be included in 8.0.15 onwards. It still needs to be back-ported to 7.0.x.

Thanks Mark. The patch I tested with that proved to work was similar; I have not done any tests with IBM JDK though. Should the following note in "Windows Auth How-to" be removed then: "The system property javax.security.auth.useSubjectCredsOnly is automatically set to the required value of false if a web application is configured to use the SPNEGO authentication method."

Detelin

This has now been fixed in 7.0.x for 7.0.57 onwards. I'll update the 7.0.x docs to remove that comment.
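The pattern the fix restores, as an added worked example that is neither Tomcat's code nor anything posted in this thread: a JAAS Kerberos login followed by a SASL/GSSAPI bind to Active Directory, with the bind and the subsequent search wrapped in Subject.doAs so that JGSS finds the TGT on the Subject under the default javax.security.auth.useSubjectCredsOnly=true. The JAAS entry name, keytab path, service principal, LDAP URL, base DN and the sample account name are assumptions; point them at a real realm before running.

```java
// Added example, not Tomcat's code. Assumed JAAS entry (file named by
// -Djava.security.auth.login.config):
//   tomcat-ldap {
//       com.sun.security.auth.module.Krb5LoginModule required
//           useKeyTab=true keyTab="/etc/tomcat/tomcat.keytab"
//           principal="HTTP/tomcat.example.com@EXAMPLE.COM"
//           storeKey=true doNotPrompt=true;
//   };
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

public class GssapiLdapBind {

    private static final String JAAS_ENTRY = "tomcat-ldap";                 // assumption
    private static final String LDAP_URL   = "ldap://dc01.example.com:389"; // assumption
    private static final String BASE_DN    = "DC=example,DC=com";           // assumption

    /** Log in through the Krb5LoginModule; the returned Subject carries the TGT. */
    public static Subject login() throws Exception {
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();
        return lc.getSubject();
    }

    /**
     * Open a GSSAPI-authenticated LDAP context. The InitialDirContext constructor
     * performs the bind, so it has to run inside Subject.doAs: outside of it the
     * JGSS layer sees no Subject on the access-control context and, with
     * useSubjectCredsOnly=true, rejects the bind for lack of Kerberos credentials
     * instead of using the TGT obtained by login().
     */
    public static DirContext bindAs(Subject subject, String url) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // Ask for integrity+confidentiality on the SASL layer; AD supports auth-conf
        // and it protects directory traffic after the bind on a plain ldap:// URL.
        env.put("javax.security.sasl.qop", "auth-conf");
        try {
            return Subject.doAs(subject,
                    (PrivilegedExceptionAction<DirContext>) () -> new InitialDirContext(env));
        } catch (PrivilegedActionException e) {
            throw e.getException();
        }
    }

    /** Resolve a user's DN from sAMAccountName; also inside doAs, since a search can
     *  trigger further GSSAPI work (for example referral chasing). */
    public static String findUserDn(Subject subject, DirContext ctx, String samAccountName)
            throws Exception {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { "distinguishedName" });
        // Escape the value per RFC 4515 so a crafted login name cannot rewrite the filter.
        String filter = "(&(objectClass=user)(sAMAccountName="
                + escapeFilterValue(samAccountName) + "))";
        try {
            return Subject.doAs(subject, (PrivilegedExceptionAction<String>) () -> {
                NamingEnumeration<SearchResult> results = ctx.search(BASE_DN, filter, sc);
                try {
                    return results.hasMore() ? results.next().getNameInNamespace() : null;
                } finally {
                    results.close();
                }
            });
        } catch (PrivilegedActionException e) {
            throw e.getException();
        }
    }

    /** RFC 4515 escaping of an LDAP filter assertion value. */
    static String escapeFilterValue(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        Subject subject = login();
        DirContext ctx = bindAs(subject, LDAP_URL);
        try {
            System.out.println(findUserDn(subject, ctx, args.length > 0 ? args[0] : "jdoe"));
        } finally {
            ctx.close();
        }
    }
}
```

Removing the Subject.doAs wrapper around bindAs reproduces the failure mode in the thread: the same code then works only when the JVM is started with -Djavax.security.auth.useSubjectCredsOnly=false, which makes the JGSS provider run its own JAAS login (on Oracle/OpenJDK it looks up the com.sun.security.jgss.krb5.initiate or com.sun.security.jgss.initiate entry) rather than using the Subject the caller established. Wrapping the call is the more controlled option, since the credentials used for the bind are exactly the ones in the Subject the container logged in, and it does not depend on a JVM-wide property that the thread notes was dropped from Tomcat for IBM JRE compatibility.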