Posted to dev@tomcat.apache.org by ma...@apache.org on 2021/11/22 17:42:37 UTC

[tomcat] branch 9.0.x updated: Improve robustness for expired credentials

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new b543bd7  Improve robustness for expired credentials
b543bd7 is described below

commit b543bd7b5fef2cf0e461fe706cb75f6a377c7c0b
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Nov 22 17:38:53 2021 +0000

    Improve robustness for expired credentials
---
 java/org/apache/catalina/connector/Request.java | 6 ++++--
 webapps/docs/changelog.xml                      | 8 ++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java
index 40445e0..7d4a949 100644
--- a/java/org/apache/catalina/connector/Request.java
+++ b/java/org/apache/catalina/connector/Request.java
@@ -2657,11 +2657,13 @@ public class Request implements HttpServletRequest {
                 int left = -1;
                 try {
                     left = gssCredential.getRemainingLifetime();
-                } catch (GSSException e) {
+                } catch (GSSException | IllegalStateException e) {
                     log.warn(sm.getString("coyoteRequest.gssLifetimeFail",
                             userPrincipal.getName()), e);
                 }
-                if (left == 0) {
+                // zero is expired.
+                // Should never be less than zero but handle those values too
+                if (left <= 0) {
                     // GSS credential has expired. Need to re-authenticate.
                     try {
                         logout();
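Review bot: The comment added above `if (left <= 0)` says a negative value should never occur, but `left` is initialised to -1 and keeps that value whenever `getRemainingLifetime()` throws, so the catch path now also reaches the logout branch. Failing closed when the lifetime cannot be read looks like the intended hardening, but the comment does not say so, and a later reader could narrow the check back to `== 0`. I would reword it to `// left stays -1 when the lifetime lookup fails; treat that like expiry and force re-authentication`. The enclosing method starts and ends outside the hunk, so what follows `logout()` is not visible here.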
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index a5b60f1..b3d2397 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -105,6 +105,14 @@
   issues do not "pop up" wrt. others).
 -->
 <section name="Tomcat 9.0.56 (remm)" rtext="in development">
+  <subsection name="Catalina">
+    <changelog>
+      <fix>
+        Make SPNEGO authentication more robust for the case where the provided
+        credential has expired. (markt)
+      </fix>
+    </changelog>
+  </subsection>
   <subsection name="Coyote">
     <changelog>
       <fix>
