You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Moritz Moeller (JIRA)" <ji...@apache.org> on 2012/09/20 15:00:07 UTC
[jira] [Created] (HADOOP-8830)
org.apache.hadoop.security.authentication.server.AuthenticationFilter might
be called twice, causing kerberos replay errors
Moritz Moeller created HADOOP-8830:
--------------------------------------
Summary: org.apache.hadoop.security.authentication.server.AuthenticationFilter might be called twice, causing kerberos replay errors
Key: HADOOP-8830
URL: https://issues.apache.org/jira/browse/HADOOP-8830
Project: Hadoop Common
Issue Type: Bug
Affects Versions: 2.0.1-alpha
Reporter: Moritz Moeller
AuthenticationFilter.doFilter is called twice (not sure if that is intentional or not).
The second time it is called the ServletRequest is already authenticated, i.e. httpRequest.getRemoteUser() returns non-null info.
If the kerberos authentication is triggered a second time it'll return a replay attack exception.
I solved this by adding a if (httpRequest.getRemoteUser() == null) at the very beginning of doFilter.
Alternatively one can set an attribute on the request, or figure out why doFilter is called twice.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HADOOP-8830)
org.apache.hadoop.security.authentication.server.AuthenticationFilter might
be called twice, causing kerberos replay errors
Posted by "Alejandro Abdelnur (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HADOOP-8830?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13469025#comment-13469025 ]
Alejandro Abdelnur commented on HADOOP-8830:
--------------------------------------------
Moritz,
Do you mean that there are effectively 2 HTTP requests? If so, this happens when the initial request is not authenticated, a NEGOTIATE response is sent back which will trigger the SPNEGO/Kerberos authentication on the client. After a successful authentication a signed cookie is issued and used for subsequent requests.
> org.apache.hadoop.security.authentication.server.AuthenticationFilter might be called twice, causing kerberos replay errors
> ---------------------------------------------------------------------------------------------------------------------------
>
> Key: HADOOP-8830
> URL: https://issues.apache.org/jira/browse/HADOOP-8830
> Project: Hadoop Common
> Issue Type: Bug
> Affects Versions: 2.0.1-alpha
> Reporter: Moritz Moeller
>
> AuthenticationFilter.doFilter is called twice (not sure if that is intentional or not).
> The second time it is called the ServletRequest is already authenticated, i.e. httpRequest.getRemoteUser() returns non-null info.
> If the kerberos authentication is triggered a second time it'll return a replay attack exception.
> I solved this by adding a if (httpRequest.getRemoteUser() == null) at the very beginning of doFilter.
> Alternatively one can set an attribute on the request, or figure out why doFilter is called twice.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira