On 23/04/18 12:27, Randy Oun wrote:
> Currently I'm configuring Tomcat 8.5 with Integrated Windows
> Authentication/SPNEGO and have a question on proper roles in security
> and auth constraints. I have completed the instructions in the
> Integrated Windows Authentication doc
> (https://tomcat.apache.org/tomcat-8.5-doc/windows-auth-howto.html) and
> it appears the Kerberos handshake is working.
>
> The difficulty comes when applying security constraints to an
> application which previously had none applied. The application uses
> its own form-based authentication system and does not rely upon
> Tomcat's user database mechanisms. The intent was to write custom
> code in the application to use the Kerberos ticket for single sign-on.
>
> The main question: is it possible to bypass or pass through the
> Kerberos header without having Tomcat enforce security or auth
> constraints while enabling SPNEGO? If so, what is the proper config?
>
> Ultimately we want to trust the Kerberos token and avoid any
> unnecessary re-authentication. I've tried advice from many articles
> online with no success.
I'm not completely sure what you are looking for but I think the following will help:

- Configure the web application to use SPNEGO authentication

    <login-config>
        <auth-method>SPNEGO</auth-method>
        <realm-name>SPNEGO Realm</realm-name>
    </login-config>

- Configure the web application to require authorisation for all resources and accept any authenticated user as authorised

    <security-constraint>
        <display-name>Require user authentication only</display-name>
        <web-resource-collection>
            <web-resource-name>Everything</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>**</role-name>
        </auth-constraint>
    </security-constraint>

You can then obtain the authenticated Principal via getUserPrincipal().

If you cast the principal to TomcatPrincipal you can call getGssCredential().

HTH,

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
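As an added example (not part of Mark's reply or of Tomcat itself), a servlet filter that bridges the container-authenticated SPNEGO principal into an application's own session login, the situation Randy describes. It assumes the login-config and security-constraint above are in web.xml, so getUserPrincipal() is populated before the filter runs, and the session attribute names are hypothetical.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.catalina.TomcatPrincipal;
import org.ietf.jgss.GSSCredential;

/**
 * Hypothetical filter: lets the container do the SPNEGO handshake and
 * authorisation (role "**"), then seeds the application's own session
 * from the resulting Principal instead of re-authenticating the user.
 */
public class SpnegoSessionBridgeFilter implements Filter {

    // Session attribute names assumed for this example, not Tomcat's.
    static final String APP_USER_ATTR = "app.user";
    static final String APP_GSS_ATTR = "app.gssCredential";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(true);

        if (session.getAttribute(APP_USER_ATTR) == null) {
            Principal principal = request.getUserPrincipal();
            if (principal == null) {
                // No constraint covered this URL, so nothing authenticated it:
                // refuse rather than fall back to trusting request headers.
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // Name as reported by the Realm (realm suffix handling follows
            // the Realm's stripRealmForGss setting).
            session.setAttribute(APP_USER_ATTR, principal.getName());

            if (principal instanceof TomcatPrincipal) {
                // Only non-null when the client delegated its credential;
                // keep it only if the app really needs onward delegation.
                GSSCredential delegated = ((TomcatPrincipal) principal).getGssCredential();
                if (delegated != null) {
                    session.setAttribute(APP_GSS_ATTR, delegated);
                }
            }
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter to the same /* pattern as the constraint so every request passes through it after Tomcat's authenticator.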