Posted to dev@tomcat.apache.org by ma...@apache.org on 2014/09/30 22:02:20 UTC
svn commit: r1628534 - in /tomcat/tc7.0.x/trunk: ./
java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
webapps/docs/changelog.xml
Author: markt
Date: Tue Sep 30 20:02:20 2014
New Revision: 1628534
URL: http://svn.apache.org/r1628534
Log:
Ensure SPNEGO authentication continues to work with the JNDI Realm using delegated credentials with recent Oracle JREs.
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
Merged /tomcat/trunk:r1628517
Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java?rev=1628534&r1=1628533&r2=1628534&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java Tue Sep 30 20:02:20 2014
@@ -19,6 +19,7 @@ package org.apache.catalina.authenticato
import java.io.File;
import java.io.IOException;
import java.security.Principal;
+import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.regex.Pattern;
@@ -30,6 +31,7 @@ import javax.servlet.http.HttpServletRes
import org.apache.catalina.Globals;
import org.apache.catalina.LifecycleException;
+import org.apache.catalina.Realm;
import org.apache.catalina.connector.Request;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.startup.Bootstrap;
@@ -221,6 +223,9 @@ public class SpnegoAuthenticator extends
HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
return false;
}
+
+ Subject subject = lc.getSubject();
+
// Assume the GSSContext is stateless
// TODO: Confirm this assumption
final GSSManager manager = GSSManager.getInstance();
@@ -241,7 +246,7 @@ public class SpnegoAuthenticator extends
GSSCredential.ACCEPT_ONLY);
}
};
- gssContext = manager.createContext(Subject.doAs(lc.getSubject(), action));
+ gssContext = manager.createContext(Subject.doAs(subject, action));
outToken = Subject.doAs(lc.getSubject(), new AcceptAction(gssContext, decoded));
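Review bot: The `AcceptAction` call on the unchanged line right after the edited one still reads `lc.getSubject()`, although the previous hunk introduces the local `subject`, presumably so every `doAs` in this method uses one Subject instance. Changing it to `outToken = Subject.doAs(subject, new AcceptAction(gssContext, decoded));` would make it obvious that context creation, token acceptance and the realm lookup all run under the same identity. As written, a reader has to confirm that `lc.getSubject()` returns the same object on each call. The enclosing method starts and ends outside this hunk.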
@@ -256,8 +261,9 @@ public class SpnegoAuthenticator extends
return false;
}
- principal = context.getRealm().authenticate(gssContext,
- isStoreDelegatedCredential());
+ principal = Subject.doAs(subject, new AuthenticateAction(
+ context.getRealm(), gssContext, storeDelegatedCredential));
+
} catch (GSSException e) {
if (log.isDebugEnabled()) {
log.debug(sm.getString("spnegoAuthenticator.ticketValidateFail"), e);
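Review bot: The new call passes the field `storeDelegatedCredential` where the removed lines called `isStoreDelegatedCredential()`, so the getter is no longer consulted on this path. If any subclass overrides that getter (none is visible here), its value would be silently ignored when deciding whether the delegated credential is stored. Keeping the accessor, `context.getRealm(), gssContext, isStoreDelegatedCredential()));`, preserves the earlier behaviour at no cost. The surrounding try block begins outside the hunk.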
@@ -339,4 +345,24 @@ public class SpnegoAuthenticator extends
0, decoded.length);
}
}
+
+
+ private static class AuthenticateAction implements PrivilegedAction<Principal> {
+
+ private final Realm realm;
+ private final GSSContext gssContext;
+ private final boolean storeDelegatedCredential;
+
+ public AuthenticateAction(Realm realm, GSSContext gssContext,
+ boolean storeDelegatedCredential) {
+ this.realm = realm;
+ this.gssContext = gssContext;
+ this.storeDelegatedCredential = storeDelegatedCredential;
+ }
+
+ @Override
+ public Principal run() {
+ return realm.authenticate(gssContext, storeDelegatedCredential);
+ }
+ }
}
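Review bot: `AuthenticateAction` carries no comment explaining why `Realm.authenticate` is wrapped in a `PrivilegedAction`, and the reason is security-relevant. When the action runs through `Subject.doAs`, the realm and everything it calls execute with the service's login Subject attached to the access-control context, so the service's Kerberos credentials are reachable from realm code. I would add a class Javadoc saying that the action exists so the realm can use the delegated credential under the service Subject (per the commit log, needed for the JNDI Realm on recent Oracle JREs) and that any Realm implementation invoked this way is trusted with that Subject. `run()` throws no checked exceptions, so an unchecked exception from the realm leaves `doAs` unwrapped; whether the caller's `catch` blocks cover that is not visible in this diff.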
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1628534&r1=1628533&r2=1628534&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Tue Sep 30 20:02:20 2014
@@ -56,6 +56,15 @@
issues to not "pop up" wrt. others).
-->
<section name="Tomcat 7.0.57 (violetagg)">
+ <subsection name="Catalina">
+ <changelog>
+ <fix>
+ <bug>57022</bug>: Ensure SPNEGO authentication continues to work with
+ the JNDI Realm using delegated credentials with recent Oracle JREs.
+ (markt)
+ </fix>
+ </changelog>
+ </subsection>
<subsection name="Web applications">
<changelog>
<fix>