Posted to dev@tomcat.apache.org by mi...@apache.org on 2019/08/05 12:26:59 UTC
[tomcat] branch 7.0.x updated: BZ 63627: Implement more
fine-grained handling in RealmBase#authenticate(GSSContext, boolean)
This is an automated email from the ASF dual-hosted git repository.
michaelo pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/7.0.x by this push:
new c9e9b5d BZ 63627: Implement more fine-grained handling in RealmBase#authenticate(GSSContext, boolean)
c9e9b5d is described below
commit c9e9b5d7f88307713c27128d12890daf1c047cc3
Author: Michael Osipov <mi...@apache.org>
AuthorDate: Fri Aug 2 14:09:02 2019 +0200
BZ 63627: Implement more fine-grained handling in RealmBase#authenticate(GSSContext, boolean)
---
java/org/apache/catalina/realm/CombinedRealm.java | 4 +--
.../apache/catalina/realm/LocalStrings.properties | 3 +-
java/org/apache/catalina/realm/RealmBase.java | 33 +++++++++++++---------
webapps/docs/changelog.xml | 4 +++
4 files changed, 27 insertions(+), 17 deletions(-)
diff --git a/java/org/apache/catalina/realm/CombinedRealm.java b/java/org/apache/catalina/realm/CombinedRealm.java
index 5162e48..b203a29 100644
--- a/java/org/apache/catalina/realm/CombinedRealm.java
+++ b/java/org/apache/catalina/realm/CombinedRealm.java
@@ -331,7 +331,7 @@ public class CombinedRealm extends RealmBase {
* {@inheritDoc}
*/
@Override
- public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
+ public Principal authenticate(GSSContext gssContext, boolean storeCred) {
if (gssContext.isEstablished()) {
Principal authenticatedUser = null;
String username = null;
@@ -352,7 +352,7 @@ public class CombinedRealm extends RealmBase {
username, realm.getInfo()));
}
- authenticatedUser = realm.authenticate(gssContext, storeCreds);
+ authenticatedUser = realm.authenticate(gssContext, storeCred);
if (authenticatedUser == null) {
if (log.isDebugEnabled()) {
diff --git a/java/org/apache/catalina/realm/LocalStrings.properties b/java/org/apache/catalina/realm/LocalStrings.properties
index 95b56b5..66189e5 100644
--- a/java/org/apache/catalina/realm/LocalStrings.properties
+++ b/java/org/apache/catalina/realm/LocalStrings.properties
@@ -99,7 +99,8 @@ realmBase.createUsernameRetriever.ClassCastException=Class {0} is not an X509Use
realmBase.createUsernameRetriever.ClassNotFoundException=Cannot find class {0}.
realmBase.createUsernameRetriever.IllegalAccessException=Cannot create object of type {0}.
realmBase.createUsernameRetriever.InstantiationException=Cannot create object of type {0}.
-realmBase.delegatedCredentialFail=Unable to obtain delegated credentials for user [{0}]
+realmBase.delegatedCredentialFail=Unable to obtain delegated credential for user {0}
+realmBase.credentialNotDelegated=Credential for user {0} has not been delegated though storing was requested
realmBase.digest=Error digesting user credentials
realmBase.forbidden=Access to the requested resource has been denied
realmBase.gotX509Username=Got user name from X509 certificate: {0}
diff --git a/java/org/apache/catalina/realm/RealmBase.java b/java/org/apache/catalina/realm/RealmBase.java
index 9697440..9c753af 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -547,7 +547,7 @@ public abstract class RealmBase extends LifecycleMBeanBase implements Realm {
* {@inheritDoc}
*/
@Override
- public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
+ public Principal authenticate(GSSContext gssContext, boolean storeCred) {
if (gssContext.isEstablished()) {
GSSName gssName = null;
try {
@@ -557,27 +557,32 @@ public abstract class RealmBase extends LifecycleMBeanBase implements Realm {
}
if (gssName!= null) {
+ GSSCredential gssCredential = null;
+ if (storeCred) {
+ if (gssContext.getCredDelegState()) {
+ try {
+ gssCredential = gssContext.getDelegCred();
+ } catch (GSSException e) {
+ log.warn(sm.getString(
+ "realmBase.delegatedCredentialFail", gssName), e);
+ }
+ } else {
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString(
+ "realmBase.credentialNotDelegated", gssName));
+ }
+ }
+ }
+
String name = gssName.toString();
if (isStripRealmForGss()) {
int i = name.indexOf('@');
if (i > 0) {
- // Zero so we don;t leave a zero length name
+ // Zero so we don't leave a zero length name
name = name.substring(0, i);
}
}
- GSSCredential gssCredential = null;
- if (storeCreds && gssContext.getCredDelegState()) {
- try {
- gssCredential = gssContext.getDelegCred();
- } catch (GSSException e) {
- if (log.isDebugEnabled()) {
- log.debug(sm.getString(
- "realmBase.delegatedCredentialFail", name),
- e);
- }
- }
- }
return getPrincipal(name, gssCredential);
}
} else {
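Review bot: When `storeCred` is true but `getCredDelegState()` is false or `getDelegCred()` throws, the code still reaches `return getPrincipal(name, gssCredential)` with `gssCredential` left null, so authentication succeeds without the credential the caller asked to store. The only trace is a WARN or DEBUG log line. Since the Javadoc is just `{@inheritDoc}`, I would put a comment above `if (storeCred) {` such as `// Delegation is best-effort: a missing or unobtainable credential never fails authentication, gssCredential stays null`, so code that later reads the stored credential knows it must handle null. As a style point, the nested `} else { if (log.isDebugEnabled()) {` can be flattened to `} else if (log.isDebugEnabled()) {`. The body of `authenticate` starts and ends outside this hunk, so the `else` branch at its end is not reviewed here.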
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 9dbc17f..e315387 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -62,6 +62,10 @@
<section name="Tomcat 7.0.97 (violetagg)">
<subsection name="Catalina">
<changelog>
+ <update>
+ <bug>63627</bug>: Implement more fine-grained handling in
+ <code>RealmBase.authenticate(GSSContext, boolean)</code>. (michaelo)
+ </update>
<add>
<bug>62496</bug>: Add option to write auth information (remote user/auth type)
to response headers. (michaelo)