Posted to dev@tomcat.apache.org by bu...@apache.org on 2013/12/06 09:56:41 UTC

[Bug 55851] New: Tomcat SPNEGO authenticator incompatible with IBM JDK: Accept Security Context needs to be wrapped around a Privileged Action in order for server side authentication

https://issues.apache.org/bugzilla/show_bug.cgi?id=55851

            Bug ID: 55851
           Summary: Tomcat SPNEGO authenticator incompatible with IBM JDK:
                    Accept Security Context needs to be wrapped around a
                    Privileged Action in order for server side
                    authentication
           Product: Tomcat 7
           Version: 7.0.47
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: arunav.sanyal91@gmail.com

Created attachment 31098
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31098&action=edit
Contains GNU unified diff of SpnegoAuthenticator and its modified format

Hi

Problem report:-

In bug report 55760, a change was made in which the system property
javax.security.auth.useSubjectCredsOnly is no longer set to false. So it
naturally follows that the GSSAPI AcceptSecContext method is wrapped in a
PrivilegedExceptionAction. It is found in the IBM JDK that it fails otherwise.

Cause of failure:-

When the IBM JDK tries to fetch a credential in the GSSAPI AcceptSecContext
method, it does so from the JAAS Subject. Since this call is not performed in
Subject.doAs, the call fails, as the IBM JDK does not have access to a JAAS
Subject and cannot fetch a credential.

Please find attached:-

1. File containing a GNU unified diff of SpnegoAuthenticator against its
modified version. PLEASE NOTE THIS DIFF IS ON TOP OF BUG FIX REPORTED IN 55760.
This file now also contains the AcceptAction class, which wraps GSSAPI
AcceptSecContext as a PrivilegedExceptionAction.

This fix solves the issue by allowing the IBM JDK to fetch a credential from
the JAAS Subject.

Yours sincerely
Arunav Sanyal

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
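
The wrapping the report describes, as an added Java example; it is not the attached patch or Tomcat's own code. The class name `SpnegoAcceptExample` and the `accept` helper are hypothetical, and the service `Subject` is assumed to come from a JAAS login for the service principal.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

// Hypothetical class name; illustrates the pattern only.
public class SpnegoAcceptExample {

    // Carries the token into Subject.doAs so the JGSS provider can find
    // the service credential on the current JAAS Subject.
    private static class AcceptAction implements PrivilegedExceptionAction<byte[]> {
        private final GSSContext gssContext;
        private final byte[] token;

        AcceptAction(GSSContext gssContext, byte[] token) {
            this.gssContext = gssContext;
            this.token = token;
        }

        @Override
        public byte[] run() throws GSSException {
            return gssContext.acceptSecContext(token, 0, token.length);
        }
    }

    // Hypothetical helper: serviceSubject is assumed to hold the service
    // principal's credentials; clientToken is the decoded Negotiate token.
    // Handles one round and returns the reply token (may be null).
    static byte[] accept(Subject serviceSubject, byte[] clientToken)
            throws GSSException, PrivilegedActionException {
        GSSManager manager = GSSManager.getInstance();
        Oid spnego = new Oid("1.3.6.1.5.5.2"); // SPNEGO mechanism OID
        PrivilegedExceptionAction<GSSCredential> credAction =
                () -> manager.createCredential(null,
                        GSSCredential.DEFAULT_LIFETIME, spnego,
                        GSSCredential.ACCEPT_ONLY);
        GSSContext context =
                manager.createContext(Subject.doAs(serviceSubject, credAction));
        try {
            // Without doAs, a JDK that reads credentials only from the
            // Subject has nothing to accept the context with.
            return Subject.doAs(serviceSubject,
                    new AcceptAction(context, clientToken));
        } finally {
            context.dispose();
        }
    }
}
```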


[Bug 55851] Tomcat SPNEGO authenticator incompatible with IBM JDK: Accept Security Context needs to be wrapped around a Privileged Action in order for server side authentication

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55851

--- Comment #3 from Mark Thomas <ma...@apache.org> ---
(In reply to Arunav Sanyal from comment #2)
> Thanks
> 
> I tried searching for recent changes to SpnegoAuthenticator and I can't seem
> to find the bug report in which this issue was first reported.

Huh? This is the bug report in which this issue was first reported.

> Can you please point me to the bug report in which this fix is made? Or is
> this a change which is not tracked by ASF bugzilla?

Huh? Bugzilla is not a source code control system. It doesn't track source code
changes. Are you looking for a link to the svn revisions where this issue was
fixed?



[Bug 55851] Tomcat SPNEGO authenticator incompatible with IBM JDK: Accept Security Context needs to be wrapped around a Privileged Action in order for server side authentication

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55851

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
                 OS|                            |All

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
Thanks for the patch. A variation of it has been applied to 8.0.x and 7.0.x and
will be included in 8.0.0-RC6 and 7.0.48 onwards.

The changes I made were:
- remove @author tag (the ASF strongly discourages their use)
- made the inner class static and private
- added a missing @Override

So basically a handful of minor bits and pieces.

Thanks again for the patch.



[Bug 55851] Tomcat SPNEGO authenticator incompatible with IBM JDK: Accept Security Context needs to be wrapped around a Privileged Action in order for server side authentication

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55851

--- Comment #2 from Arunav Sanyal <ar...@gmail.com> ---
Thanks

I tried searching for recent changes to SpnegoAuthenticator and I can't seem to
find the bug report in which this issue was first reported.

Can you please point me to the bug report in which this fix is made? Or is this
a change which is not tracked by ASF bugzilla?

Yours sincerely
Arunav Sanyal
