Posted to dev@tomcat.apache.org by ma...@apache.org on 2014/09/30 22:02:20 UTC

svn commit: r1628534 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/catalina/authenticator/SpnegoAuthenticator.java webapps/docs/changelog.xml

Author: markt
Date: Tue Sep 30 20:02:20 2014
New Revision: 1628534

URL: http://svn.apache.org/r1628534
Log:
Ensure SPNEGO authentication continues to work with the JNDI Realm using delegated credentials with recent Oracle JREs.

Modified:
    tomcat/tc7.0.x/trunk/   (props changed)
    tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
    tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
  Merged /tomcat/trunk:r1628517

Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java?rev=1628534&r1=1628533&r2=1628534&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java Tue Sep 30 20:02:20 2014
@@ -19,6 +19,7 @@ package org.apache.catalina.authenticato
 import java.io.File;
 import java.io.IOException;
 import java.security.Principal;
+import java.security.PrivilegedAction;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
 import java.util.regex.Pattern;
@@ -30,6 +31,7 @@ import javax.servlet.http.HttpServletRes
 
 import org.apache.catalina.Globals;
 import org.apache.catalina.LifecycleException;
+import org.apache.catalina.Realm;
 import org.apache.catalina.connector.Request;
 import org.apache.catalina.deploy.LoginConfig;
 import org.apache.catalina.startup.Bootstrap;
@@ -221,6 +223,9 @@ public class SpnegoAuthenticator extends
                         HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                 return false;
             }
+
+            Subject subject = lc.getSubject();
+
             // Assume the GSSContext is stateless
             // TODO: Confirm this assumption
             final GSSManager manager = GSSManager.getInstance();
@@ -241,7 +246,7 @@ public class SpnegoAuthenticator extends
                                 GSSCredential.ACCEPT_ONLY);
                     }
                 };
-            gssContext = manager.createContext(Subject.doAs(lc.getSubject(), action));
+            gssContext = manager.createContext(Subject.doAs(subject, action));
 
             outToken = Subject.doAs(lc.getSubject(), new AcceptAction(gssContext, decoded));
 
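Review bot: The `outToken` line directly below the changed call still fetches `lc.getSubject()`, so the method now mixes the new `subject` local with a fresh lookup across its three `Subject.doAs` calls. The two should be the same object after login, so this is a consistency point rather than a behaviour change, but using one reference makes it obvious that the context creation, the token acceptance and the realm call all run as the same Subject. I would change the line to `outToken = Subject.doAs(subject, new AcceptAction(gssContext, decoded));` and declare the local as `final Subject subject = lc.getSubject();`. The enclosing method starts and ends outside this hunk.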
@@ -256,8 +261,9 @@ public class SpnegoAuthenticator extends
                 return false;
             }
 
-            principal = context.getRealm().authenticate(gssContext,
-                    isStoreDelegatedCredential());
+            principal = Subject.doAs(subject, new AuthenticateAction(
+                    context.getRealm(), gssContext, storeDelegatedCredential));
+
         } catch (GSSException e) {
             if (log.isDebugEnabled()) {
                 log.debug(sm.getString("spnegoAuthenticator.ticketValidateFail"), e);
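Review bot: The new call passes `storeDelegatedCredential` directly where the removed lines called `isStoreDelegatedCredential()`, so a subclass that overrides the getter would no longer influence whether the delegated credential is stored. Unless bypassing the getter is intended, keep it: `context.getRealm(), gssContext, isStoreDelegatedCredential()));`. It is also worth a short comment above the call, for example `// Run the realm as the service Subject; any Realm implementation configured here executes with that Subject's credentials`, because this widens what realm code runs with and is not obvious from the call site. The surrounding try block begins outside the hunk.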
@@ -339,4 +345,24 @@ public class SpnegoAuthenticator extends
                     0, decoded.length);
         }
     }
+
+
+    private static class AuthenticateAction implements PrivilegedAction<Principal> {
+
+        private final Realm realm;
+        private final GSSContext gssContext;
+        private final boolean storeDelegatedCredential;
+
+        public AuthenticateAction(Realm realm, GSSContext gssContext,
+                boolean storeDelegatedCredential) {
+            this.realm = realm;
+            this.gssContext = gssContext;
+            this.storeDelegatedCredential = storeDelegatedCredential;
+        }
+
+        @Override
+        public Principal run() {
+            return realm.authenticate(gssContext, storeDelegatedCredential);
+        }
+    }
 }
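Review bot: `AuthenticateAction` has no comment saying why the realm call has to be wrapped in a `PrivilegedAction`, and that reason is the whole point of the class. A maintainer who sees only this file could inline it back to a direct `realm.authenticate(...)` call and reintroduce the problem. I would add a class comment such as `/** Calls Realm.authenticate(GSSContext, boolean) inside Subject.doAs; needed for the JNDI Realm with delegated credentials on recent Oracle JREs (bug 57022). */`. As a style point, the `public` modifier on the constructor of a `private static` nested class has no effect and can be dropped.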

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1628534&r1=1628533&r2=1628534&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Tue Sep 30 20:02:20 2014
@@ -56,6 +56,15 @@
   issues to not "pop up" wrt. others).
 -->
 <section name="Tomcat 7.0.57 (violetagg)">
+  <subsection name="Catalina">
+    <changelog>
+      <fix>
+        <bug>57022</bug>: Ensure SPNEGO authentication continues to work with
+        the JNDI Realm using delegated credentials with recent Oracle JREs.
+        (markt)
+      </fix>
+    </changelog>
+  </subsection>
   <subsection name="Web applications">
     <changelog>
       <fix>


