You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2013/08/05 04:53:29 UTC
[Bug 55354] New:
JNDIRealm.getPrincipal(context,username,gssCredential) corrupts realm context
https://issues.apache.org/bugzilla/show_bug.cgi?id=55354
Bug ID: 55354
Summary: JNDIRealm.getPrincipal(context,username,gssCredential)
corrupts realm context
Product: Tomcat 7
Version: 7.0.42
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: richard.begg@identity-solutions.com.au
The getPrincipal(context,username,gssCredential) method in JNDIRealm is
designed to allow delegated credentials to be applied to the directory server
connection as part of SPNEGO authentication.
This is done by manipulation of a number of the directory context's environment
parameters.
However, as currently implemented, these environment parameters are forcibly
cleared after the getUser() call regardless of whether the values were even
changed (i.e. if isUseDelegatedCredential() returned false).
If the container realm is defined to use GSSAPI authentication, only the first
SPNEGO authentication request will succeed. All subsequent requests will fail
with this exception:
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr:
DSID-0C0906DC, comment: In order to perform this operation a successful bind
must be completed on the connection., data 0, v1db0
The exception is due to the Context.SECURITY_AUTHENTICATION being cleared by
getPrincipal() - resulting in a attempted "simple" bind with no
username/password (i.e. anonymous).
A workaround is to ensure that the connectionName and connectionPassword
parameters are specified in the realm definition - however, if one is using
GSSAPI - this shouldn't be necessary and certainly defeats the purpose of using
GSSAPI in the first place.
The code should preserve pre-existing environment parameters in the context
before changing them, then restore those values afterwards - rather than just
clearing the settings completely.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 55354] JNDIRealm.getPrincipal(context,username,gssCredential)
corrupts realm context
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55354
Violeta Georgieva <vi...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
OS| |All
--- Comment #2 from Violeta Georgieva <vi...@apache.org> ---
Thanks for the report and the patch.
Fixed in trunk and 7.0.x and will be included in 7.0.43 onwards.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 55354] JNDIRealm.getPrincipal(context,username,gssCredential)
corrupts realm context
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55354
--- Comment #1 from Richard Begg <ri...@identity-solutions.com.au> ---
Created attachment 30671
--> https://issues.apache.org/bugzilla/attachment.cgi?id=30671&action=edit
Patch to restore context params
Here is a proposed patch for JNDIRealm.java which resolves the issue for me.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org