
svn commit: r1628517 - in /tomcat/trunk: java/org/apache/catalina/authenticator/SpnegoAuthenticator.java webapps/docs/changelog.xml

Author: markt
Date: Tue Sep 30 19:15:33 2014
New Revision: 1628517

URL: http://svn.apache.org/r1628517
Log:
Ensure SPNEGO authentication continues to work with the JNDI Realm using delegated credentials with recent Oracle JREs.

Modified:
    tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java?rev=1628517&r1=1628516&r2=1628517&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java Tue Sep 30 19:15:33 2014
@@ -19,6 +19,7 @@ package org.apache.catalina.authenticato
 import java.io.File;
 import java.io.IOException;
 import java.security.Principal;
+import java.security.PrivilegedAction;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
 import java.util.regex.Pattern;
@@ -30,6 +31,7 @@ import javax.servlet.http.HttpServletRes
 
 import org.apache.catalina.Globals;
 import org.apache.catalina.LifecycleException;
+import org.apache.catalina.Realm;
 import org.apache.catalina.connector.Request;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
@@ -213,6 +215,9 @@ public class SpnegoAuthenticator extends
                         HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                 return false;
             }
+
+            Subject subject = lc.getSubject();
+
             // Assume the GSSContext is stateless
             // TODO: Confirm this assumption
             final GSSManager manager = GSSManager.getInstance();
@@ -233,7 +238,7 @@ public class SpnegoAuthenticator extends
                                 GSSCredential.ACCEPT_ONLY);
                     }
                 };
-            gssContext = manager.createContext(Subject.doAs(lc.getSubject(), action));
+            gssContext = manager.createContext(Subject.doAs(subject, action));
 
             outToken = Subject.doAs(lc.getSubject(), new AcceptAction(gssContext, decoded));
 
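Review bot: The `outToken = Subject.doAs(lc.getSubject(), new AcceptAction(gssContext, decoded));` line just below the changed `createContext` call still evaluates `lc.getSubject()` even though the commit introduced the `subject` local for exactly this value. Using the local there as well, `outToken = Subject.doAs(subject, new AcceptAction(gssContext, decoded));`, keeps the three `doAs` calls visibly running under the same Subject and avoids a reader wondering whether a different Subject is intended. The enclosing method starts and ends outside this hunk.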
@@ -248,8 +253,9 @@ public class SpnegoAuthenticator extends
                 return false;
             }
 
-            principal = context.getRealm().authenticate(gssContext,
-                    isStoreDelegatedCredential());
+            principal = Subject.doAs(subject, new AuthenticateAction(
+                    context.getRealm(), gssContext, storeDelegatedCredential));
+
         } catch (GSSException e) {
             if (log.isDebugEnabled()) {
                 log.debug(sm.getString("spnegoAuthenticator.ticketValidateFail"), e);
@@ -331,4 +337,24 @@ public class SpnegoAuthenticator extends
                     0, decoded.length);
         }
     }
+
+
+    private static class AuthenticateAction implements PrivilegedAction<Principal> {
+
+        private final Realm realm;
+        private final GSSContext gssContext;
+        private final boolean storeDelegatedCredential;
+
+        public AuthenticateAction(Realm realm, GSSContext gssContext,
+                boolean storeDelegatedCredential) {
+            this.realm = realm;
+            this.gssContext = gssContext;
+            this.storeDelegatedCredential = storeDelegatedCredential;
+        }
+
+        @Override
+        public Principal run() {
+            return realm.authenticate(gssContext, storeDelegatedCredential);
+        }
+    }
 }
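Review bot: `AuthenticateAction` has no Javadoc, and nothing in the class explains why `Realm.authenticate(GSSContext, boolean)` must run inside a `PrivilegedAction`; add a class comment stating that it is executed via `Subject.doAs` so the realm runs with the login Subject's credentials, which per the commit message is what the JNDI Realm using delegated credentials needs on recent Oracle JREs. Documenting that the `run()` result is the realm's return value passed through unchanged (including whatever the realm returns on failure) would also help callers reading the `principal` assignment. Minor style point: the constructor is `public` on a `private static` nested class, which is wider than needed; package-private or private would match the class's visibility.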

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1628517&r1=1628516&r2=1628517&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue Sep 30 19:15:33 2014
@@ -76,6 +76,11 @@
         name only cookies. (markt)
       </fix>
       <fix>
+        <bug>57022</bug>: Ensure SPNEGO authentication continues to work with
+        the JNDI Realm using delegated credentials with recent Oracle JREs.
+        (markt)
+      </fix>
+      <fix>
         <bug>57027</bug>: Add additional validation for stored credentials used
         by Realms when the credential is stored using hex encoding. (markt)
       </fix>


