I'm capturing a Kerberos Ticket on a successful Kerberos User/Password authentication.
The ticket is then serialized and then saved as a user session note with
KerberosConstants.GSS_DELEGATION_CREDENTIAL as the key... because... well... That is what
the SPNEGO authentication does. The claim is then converted to a GSSCredential by the
existing client adapter (Tomcat in my case)
So even though both are named as a GSSCredential claim, they are really Kerberos Tickets.
Ok, so what. The User/Password ticket is not created by "Delegation", unlike
the SPNEGO ticket. Would you guys consider that to be accepted as a PR, it should have a
different name and a new protocol mapper is required?