Posted to dev@tomcat.apache.org by bu...@apache.org on 2013/11/20 20:23:11 UTC

[Bug 55804] New: SPNEGOAUTHENTICATOR - GSSCredential does not get renewed after RemainingLifeTime is less than zero

https://issues.apache.org/bugzilla/show_bug.cgi?id=55804

            Bug ID: 55804
           Summary: SPNEGOAUTHENTICATOR - GSSCredential does not get
                    renewed after RemainingLifeTime is less than zero
           Product: Tomcat 7
           Version: 7.0.47
          Hardware: PC
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: sachinkumar_in@yahoo.com

In SpnegoAuthenticator, we check for request.getUserPrincipal(); if it returns a
principal, we do not do a fresh authentication. This happens even when the
GSSCredential returned by GenericPrincipal has a remaining lifetime less than
zero. This causes issues in delegating the credential, as the credential is not
valid any more.

Can we add an additional check to reauthenticate when the credential has expired
and put the GSSCredential in the same session?

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 55804] SPNEGOAUTHENTICATOR - GSSCredential does not get renewed after RemainingLifeTime is less than zero

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55804

--- Comment #2 from Sachin Kumar <sa...@yahoo.com> ---
If request.getUserPrincipal() returns null, then we go on to reauthenticate and
repopulate a new GSSCredential. However, when we reauthenticate, the session also
changes. I believe the session changes because changeSessionIdOnAuthentication
is true by default, so we have to reinitialize the session (populate some
objects just as in the case of a fresh login onto the session) in our application. Can
we have request.getUserPrincipal() return null and then, when a session already
exists, not create a new session?



[Bug 55804] SPNEGOAUTHENTICATOR - GSSCredential does not get renewed after RemainingLifeTime is less than zero

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55804

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
Would it be sufficient for your use case if request.getUserPrincipal() returned
null if the GSSCredential had expired?



[Bug 55804] SPNEGOAUTHENTICATOR - GSSCredential does not get renewed after RemainingLifeTime is less than zero

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55804

--- Comment #3 from Mark Thomas <ma...@apache.org> ---
When the session ID is changed on authentication that is exactly what happens.
The session object remains the same, just the ID changes. There should be no
need to populate the session as it remains populated.

If you need to update some of your session attributes because the ID has
changed, you can use an HttpSessionIdListener.

On this basis, it looks like having request.getUserPrincipal() return null if
the GSSCredential has expired will be sufficient.

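An application-side version of the expiry check discussed in this thread, as an added example that is not Tomcat's code or the fix itself: it classifies a GSSCredential by its remaining lifetime before the credential is used for delegation. The class name, the `minSeconds` safety margin and the proxy-based stub credential (constructed so the example runs without a KDC) are assumptions made for illustration.

```java
import java.lang.reflect.Proxy;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;

public class GssCredentialFreshness {

    enum State { USABLE, EXPIRING_SOON, EXPIRED, UNKNOWN }

    // Classify a credential before delegating with it.
    // minSeconds is an assumed margin chosen by the application.
    static State classify(GSSCredential cred, int minSeconds) {
        if (cred == null) {
            return State.UNKNOWN;
        }
        try {
            int left = cred.getRemainingLifetime();
            if (left == GSSCredential.INDEFINITE_LIFETIME) {
                return State.USABLE;
            }
            // JGSS documents 0 for an expired credential; treat negatives the same.
            if (left <= 0) {
                return State.EXPIRED;
            }
            return left < minSeconds ? State.EXPIRING_SOON : State.USABLE;
        } catch (GSSException e) {
            // Lifetime cannot be read (e.g. credential disposed): do not trust it.
            return State.UNKNOWN;
        }
    }

    // Constructed stand-in for a real Kerberos credential; only
    // getRemainingLifetime() is implemented.
    static GSSCredential stub(int remainingSeconds) {
        return (GSSCredential) Proxy.newProxyInstance(
                GSSCredential.class.getClassLoader(),
                new Class<?>[] { GSSCredential.class },
                (proxy, method, args) -> {
                    if (method.getName().equals("getRemainingLifetime")) {
                        return remainingSeconds;
                    }
                    throw new UnsupportedOperationException(method.getName());
                });
    }

    public static void main(String[] args) {
        int[] samples = { 36000, 120, 0, GSSCredential.INDEFINITE_LIFETIME };
        for (int s : samples) {
            System.out.println(s + " -> " + classify(stub(s), 300));
        }
    }
}
```

Treating EXPIRED and UNKNOWN the same way (force re-authentication rather than attempt delegation) keeps a stale ticket from being presented to a back-end service.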


[Bug 55804] SPNEGOAUTHENTICATOR - GSSCredential does not get renewed after RemainingLifeTime is less than zero

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55804

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Mark Thomas <ma...@apache.org> ---
This has been fixed in trunk for 8.0.0-RC6 onwards and 7.0.x for 7.0.48
onwards.



[Bug 55804] SPNEGOAUTHENTICATOR - GSSCredential does not get renewed after RemainingLifeTime is less than zero

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55804

--- Comment #4 from Sachin Kumar <sa...@yahoo.com> ---
Sure, thanks Mark. Can we have this fix soon?
