You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2021/11/22 17:47:03 UTC

[tomcat] branch 8.5.x updated: Improve robustness for expired credentials

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
     new 292d2e2  Improve robustness for expired credentials
292d2e2 is described below

commit 292d2e2449ed96d7510b03409c09de9c03913948
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Nov 22 17:38:53 2021 +0000

    Improve robustness for expired credentials
---
 java/org/apache/catalina/connector/Request.java | 6 ++++--
 webapps/docs/changelog.xml                      | 8 ++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java
index f4e855f..98b61f3 100644
--- a/java/org/apache/catalina/connector/Request.java
+++ b/java/org/apache/catalina/connector/Request.java
@@ -2672,11 +2672,13 @@ public class Request implements HttpServletRequest {
                 int left = -1;
                 try {
                     left = gssCredential.getRemainingLifetime();
-                } catch (GSSException e) {
+                } catch (GSSException | IllegalStateException e) {
                     log.warn(sm.getString("coyoteRequest.gssLifetimeFail",
                             userPrincipal.getName()), e);
                 }
-                if (left == 0) {
+                // zero is expired.
+                // Should never be less than zero but handle those values too
+                if (left <= 0) {
                     // GSS credential has expired. Need to re-authenticate.
                     try {
                         logout();
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 3d60511..7afc6de 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -105,6 +105,14 @@
   issues do not "pop up" wrt. others).
 -->
 <section name="Tomcat 8.5.74 (schultz)" rtext="In development">
+  <subsection name="Catalina">
+    <changelog>
+      <fix>
+        Make SPNEGO authentication more robust for the case where the provided
+        credential has expired. (markt)
+      </fix>
+    </changelog>
+  </subsection>
   <subsection name="Coyote">
     <changelog>
       <fix>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org