On 21/04/2020 03:13, Hebner, Greg D. wrote:
> We are migrating from 7.0.68 to 7.0.103 to close some security
> vulnerabilities. We are running LDAP authentication via JAAS. Authentication
> was working normally on 7.0.68. We use scripts to configure Tomcat
> installations so every install is exactly alike and we get expected results
> and operation. On version 7.0.103, even though the catalina.out indicates
> that LDAP authentication succeeded, I am returned to the login page. I have a
> second authentication mechanism for non-LDAP authentication, and it still
> operates normally.
>
> Is it possible that some configuration argument has been changed/added that
> would cause this behaviour? When I revert back to the 7.0.68 version, LDAP
> authentication is restored. Help?
It will probably be this change in 7.0.89:

<quote>
Make JAASRealm mis-configuration more obvious by requiring the authenticated Subject to include at least one Principal of a type specified by userClassNames.
</quote>

When JAAS authenticates a user, it returns an authenticated Subject which is a collection of authenticated Principals. What should happen is that one of the Principals from the Subject becomes the user Principal for the authenticated user and some (or all) of the remaining Principals become roles.

What was happening prior to the above fix was that all the JAAS provided Principals were thrown away and Tomcat created an authenticated user with no user Principal and no roles.

You need to specify userClassNames appropriately so one of the Principals returned by JAAS in the authenticated Subject becomes the user Principal.

Mark
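As an added illustration of the fix Mark describes (not part of the thread), here is a server.xml Realm element before and after adding userClassNames. The appName value and the Principal class names are placeholders standing in for whatever your LDAP LoginModule actually puts into the Subject; check the Principal classes it adds before copying them.

```xml
<!-- Added example, not from the thread. appName and the Principal class
     names below are hypothetical placeholders. -->

<!-- Before: on 7.0.68 the Principals returned by JAAS were silently discarded
     and a user with no roles was created. From 7.0.89 on, a Subject with no
     Principal of a userClassNames type is treated as a failed login, so the
     browser is sent back to the login page even though catalina.out reports
     that the LoginModule succeeded. -->
<Realm className="org.apache.catalina.realm.JAASRealm"
       appName="TomcatLdap" />

<!-- After: name the Principal class(es) your LoginModule adds to the Subject.
     At least one Principal must be of a type listed in userClassNames to count
     as the authenticated user; Principals of the roleClassNames types become
     that user's roles. Both attributes accept comma-separated lists. -->
<Realm className="org.apache.catalina.realm.JAASRealm"
       appName="TomcatLdap"
       userClassNames="com.example.ldap.UserPrincipal"
       roleClassNames="com.example.ldap.GroupPrincipal" />
```

If you are unsure which classes the module returns, the Principal objects in the Subject can be listed from a custom LoginModule or a debugger; the realm only matches on the fully qualified class name.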