Posted to dev@tomcat.apache.org by ma...@apache.org on 2014/09/30 21:15:33 UTC
svn commit: r1628517 - in /tomcat/trunk:
java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
webapps/docs/changelog.xml
Author: markt
Date: Tue Sep 30 19:15:33 2014
New Revision: 1628517
URL: http://svn.apache.org/r1628517
Log:
Ensure SPNEGO authentication continues to work with the JNDI Realm using delegated credentials with recent Oracle JREs.
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java?rev=1628517&r1=1628516&r2=1628517&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java Tue Sep 30 19:15:33 2014
@@ -19,6 +19,7 @@ package org.apache.catalina.authenticato
import java.io.File;
import java.io.IOException;
import java.security.Principal;
+import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.regex.Pattern;
@@ -30,6 +31,7 @@ import javax.servlet.http.HttpServletRes
import org.apache.catalina.Globals;
import org.apache.catalina.LifecycleException;
+import org.apache.catalina.Realm;
import org.apache.catalina.connector.Request;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
@@ -213,6 +215,9 @@ public class SpnegoAuthenticator extends
HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
return false;
}
+
+ Subject subject = lc.getSubject();
+
// Assume the GSSContext is stateless
// TODO: Confirm this assumption
final GSSManager manager = GSSManager.getInstance();
@@ -233,7 +238,7 @@ public class SpnegoAuthenticator extends
GSSCredential.ACCEPT_ONLY);
}
};
- gssContext = manager.createContext(Subject.doAs(lc.getSubject(), action));
+ gssContext = manager.createContext(Subject.doAs(subject, action));
outToken = Subject.doAs(lc.getSubject(), new AcceptAction(gssContext, decoded));
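Review bot: The last line of this hunk, `outToken = Subject.doAs(lc.getSubject(), new AcceptAction(gssContext, decoded));`, still fetches the Subject from the LoginContext while the line just above was switched to the new `subject` local introduced earlier in this commit. The three doAs calls in this method should read the same reference so it is evident they all run under one Subject, `outToken = Subject.doAs(subject, new AcceptAction(gssContext, decoded));`. The enclosing authenticate method begins and ends outside this hunk.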
@@ -248,8 +253,9 @@ public class SpnegoAuthenticator extends
return false;
}
- principal = context.getRealm().authenticate(gssContext,
- isStoreDelegatedCredential());
+ principal = Subject.doAs(subject, new AuthenticateAction(
+ context.getRealm(), gssContext, storeDelegatedCredential));
+
} catch (GSSException e) {
if (log.isDebugEnabled()) {
log.debug(sm.getString("spnegoAuthenticator.ticketValidateFail"), e);
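Review bot: The realm call is now wrapped in `Subject.doAs(subject, ...)` with nothing in the code saying why, and since the removed direct call looks equivalent a later reader may "simplify" it back and silently break the JNDI Realm case the commit log describes. Add above the assignment `// Run the realm under the Subject from the SPNEGO LoginContext so a JNDI Realm` / `// using delegated credentials keeps working on recent Oracle JREs (bug 57022)`. The new line also reads the `storeDelegatedCredential` field directly where the removed line used `isStoreDelegatedCredential()`; if that accessor is ever overridden or does more than return the field the two will diverge, so passing `isStoreDelegatedCredential()` would be safer. The enclosing try block and method start outside this hunk.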
@@ -331,4 +337,24 @@ public class SpnegoAuthenticator extends
0, decoded.length);
}
}
+
+
+ private static class AuthenticateAction implements PrivilegedAction<Principal> {
+
+ private final Realm realm;
+ private final GSSContext gssContext;
+ private final boolean storeDelegatedCredential;
+
+ public AuthenticateAction(Realm realm, GSSContext gssContext,
+ boolean storeDelegatedCredential) {
+ this.realm = realm;
+ this.gssContext = gssContext;
+ this.storeDelegatedCredential = storeDelegatedCredential;
+ }
+
+ @Override
+ public Principal run() {
+ return realm.authenticate(gssContext, storeDelegatedCredential);
+ }
+ }
}
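Review bot: AuthenticateAction carries no Javadoc explaining why a PrivilegedAction wrapper around a single Realm call exists, which is the non-obvious part of this commit. A class comment such as `/** Invokes {@link Realm#authenticate(GSSContext, boolean)} inside {@link Subject#doAs} so the realm runs with the Subject from the SPNEGO LoginContext (bug 57022). */` would preserve that intent. The constructor is declared `public` on a private static nested class; package-private is sufficient and avoids suggesting it is part of any API. The `run()` body cannot declare checked exceptions, so this relies on Realm.authenticate throwing none, which the compile of the removed direct call presumably confirms.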
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1628517&r1=1628516&r2=1628517&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue Sep 30 19:15:33 2014
@@ -76,6 +76,11 @@
name only cookies. (markt)
</fix>
<fix>
+ <bug>57022</bug>: Ensure SPNEGO authentication continues to work with
+ the JNDI Realm using delegated credentials with recent Oracle JREs.
+ (markt)
+ </fix>
+ <fix>
<bug>57027</bug>: Add additional validation for stored credentials used
by Realms when the credential is stored using hex encoding. (markt)
</fix>