Posted to dev@tomcat.apache.org by mi...@apache.org on 2019/08/05 12:33:48 UTC

[tomcat] branch BZ-63627/tomcat-9.0.x updated (feabfd9 -> b724612)

This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a change to branch BZ-63627/tomcat-9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


    omit feabfd9  BZ 63627: Implement more fine-grained handling in RealmBase#authenticate(GSSContext, boolean)
     add acf6076  Include failed TLS handshakes in the access log
     new b724612  BZ 63627: Implement more fine-grained handling in RealmBase#authenticate(GSSContext, boolean)

This update added new revisions after undoing existing revisions.
That is to say, some revisions that were in the old version of the
branch are not in the new version.  This situation occurs
when a user --force pushes a change and generates a repository
containing something like this:

 * -- * -- B -- O -- O -- O   (feabfd9)
            \
             N -- N -- N   refs/heads/BZ-63627/tomcat-9.0.x (b724612)

You should already have received notification emails for all of the O
revisions, and so the following emails describe only the N revisions
from the common base, B.

Any revisions marked "omit" are not gone; other references still
refer to them.  Any revisions marked "discard" are gone forever.

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 java/org/apache/catalina/realm/CombinedRealm.java       |  4 ++--
 java/org/apache/catalina/realm/RealmBase.java           |  4 ++--
 java/org/apache/coyote/AbstractProcessor.java           | 17 ++++++++++++++++-
 java/org/apache/coyote/AbstractProcessorLight.java      | 17 ++++++++++++++++-
 java/org/apache/coyote/http11/Http11Processor.java      | 10 ++++++++--
 java/org/apache/coyote/http2/Http2UpgradeHandler.java   |  1 +
 java/org/apache/tomcat/util/net/AprEndpoint.java        |  2 ++
 java/org/apache/tomcat/util/net/Nio2Endpoint.java       |  1 +
 java/org/apache/tomcat/util/net/NioEndpoint.java        |  1 +
 java/org/apache/tomcat/util/net/SocketEvent.java        | 11 ++++++++++-
 .../tomcat/websocket/server/WsHttpUpgradeHandler.java   |  1 +
 .../http11/upgrade/TestUpgradeInternalHandler.java      |  1 +
 webapps/docs/changelog.xml                              |  4 ++++
 13 files changed, 65 insertions(+), 9 deletions(-)


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[tomcat] 01/01: BZ 63627: Implement more fine-grained handling in RealmBase#authenticate(GSSContext, boolean)

Posted by mi...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a commit to branch BZ-63627/tomcat-9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit b724612ef327f1e3c493de44b29ae24e1d757d0f
Author: Michael Osipov <mi...@apache.org>
AuthorDate: Fri Aug 2 14:09:02 2019 +0200

    BZ 63627: Implement more fine-grained handling in RealmBase#authenticate(GSSContext, boolean)
---
 java/org/apache/catalina/realm/CombinedRealm.java  |  4 +--
 .../apache/catalina/realm/LocalStrings.properties  |  3 +-
 java/org/apache/catalina/realm/RealmBase.java      | 33 +++++++++++++---------
 webapps/docs/changelog.xml                         |  4 +++
 4 files changed, 27 insertions(+), 17 deletions(-)

diff --git a/java/org/apache/catalina/realm/CombinedRealm.java b/java/org/apache/catalina/realm/CombinedRealm.java
index c04aed1..6a73b0f 100644
--- a/java/org/apache/catalina/realm/CombinedRealm.java
+++ b/java/org/apache/catalina/realm/CombinedRealm.java
@@ -343,7 +343,7 @@ public class CombinedRealm extends RealmBase {
      * {@inheritDoc}
      */
     @Override
-    public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
+    public Principal authenticate(GSSContext gssContext, boolean storeCred) {
         if (gssContext.isEstablished()) {
             Principal authenticatedUser = null;
             String username = null;
@@ -364,7 +364,7 @@ public class CombinedRealm extends RealmBase {
                             username, realm.getClass().getName()));
                 }
 
-                authenticatedUser = realm.authenticate(gssContext, storeCreds);
+                authenticatedUser = realm.authenticate(gssContext, storeCred);
 
                 if (authenticatedUser == null) {
                     if (log.isDebugEnabled()) {
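Review bot: The call `realm.authenticate(gssContext, storeCred)` now reaches a RealmBase implementation that logs `realmBase.delegatedCredentialFail` at warn level, so the same failed `getDelegCred()` can be reported once per nested realm this method tries. Consider resolving the delegated credential once in CombinedRealm, or noting in the Javadoc that the warning may repeat. The `storeCreds` to `storeCred` rename itself is cosmetic and is not mentioned in the commit message; a short line there would help anyone reading the history.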
diff --git a/java/org/apache/catalina/realm/LocalStrings.properties b/java/org/apache/catalina/realm/LocalStrings.properties
index a390fb5..1cb2407 100644
--- a/java/org/apache/catalina/realm/LocalStrings.properties
+++ b/java/org/apache/catalina/realm/LocalStrings.properties
@@ -102,7 +102,8 @@ realmBase.cannotGetRoles=Cannot get roles from principal [{0}]
 realmBase.createUsernameRetriever.ClassCastException=Class [{0}] is not an X509UsernameRetriever.
 realmBase.createUsernameRetriever.newInstance=Cannot create object of type [{0}].
 realmBase.credentialHandler.customCredentialHandler=Unable to set the property [{0}] to value [{1}] as a custom CredentialHandler has been configured
-realmBase.delegatedCredentialFail=Unable to obtain delegated credentials for user [{0}]
+realmBase.delegatedCredentialFail=Unable to obtain delegated credential for user [{0}]
+realmBase.credentialNotDelegated=Credential for user [{0}] has not been delegated though storing was requested
 realmBase.digest=Error digesting user credentials
 realmBase.forbidden=Access to the requested resource has been denied
 realmBase.gotX509Username=Got user name from X509 certificate: [{0}]
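Review bot: The new key `realmBase.credentialNotDelegated` is inserted after `realmBase.delegatedCredentialFail`, which breaks the alphabetical order the surrounding keys follow; it belongs directly after `realmBase.credentialHandler.customCredentialHandler`. The diffstat for this commit lists only this one properties file, so the reworded `delegatedCredentialFail` text and the new key exist in this file alone; say in the commit message whether that is intended.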
diff --git a/java/org/apache/catalina/realm/RealmBase.java b/java/org/apache/catalina/realm/RealmBase.java
index 3fde57c..c779c34 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -470,7 +470,7 @@ public abstract class RealmBase extends LifecycleMBeanBase implements Realm {
      * {@inheritDoc}
      */
     @Override
-    public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
+    public Principal authenticate(GSSContext gssContext, boolean storeCred) {
         if (gssContext.isEstablished()) {
             GSSName gssName = null;
             try {
@@ -480,27 +480,32 @@ public abstract class RealmBase extends LifecycleMBeanBase implements Realm {
             }
 
             if (gssName!= null) {
+                GSSCredential gssCredential = null;
+                if (storeCred) {
+                    if (gssContext.getCredDelegState()) {
+                        try {
+                            gssCredential = gssContext.getDelegCred();
+                        } catch (GSSException e) {
+                            log.warn(sm.getString(
+                                    "realmBase.delegatedCredentialFail", gssName), e);
+                        }
+                    } else {
+                        if (log.isDebugEnabled()) {
+                            log.debug(sm.getString(
+                                    "realmBase.credentialNotDelegated", gssName));
+                        }
+                    }
+                }
+
                 String name = gssName.toString();
 
                 if (isStripRealmForGss()) {
                     int i = name.indexOf('@');
                     if (i > 0) {
-                        // Zero so we don;t leave a zero length name
+                        // Zero so we don't leave a zero length name
                         name = name.substring(0, i);
                     }
                 }
-                GSSCredential gssCredential = null;
-                if (storeCreds && gssContext.getCredDelegState()) {
-                    try {
-                        gssCredential = gssContext.getDelegCred();
-                    } catch (GSSException e) {
-                        if (log.isDebugEnabled()) {
-                            log.debug(sm.getString(
-                                    "realmBase.delegatedCredentialFail", name),
-                                    e);
-                        }
-                    }
-                }
                 return getPrincipal(name, gssCredential);
             }
         } else {
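Review bot: In the new `else` branch, the case where `storeCred` is true but `gssContext.getCredDelegState()` is false is logged only at debug, while the `GSSException` case next to it is raised to warn. Both paths end in `getPrincipal(name, gssCredential)` with a null credential, so a deployment that depends on delegation authenticates the user without the credential and sees nothing at default log levels in the not-delegated case. Either log both at the same level or state in the method Javadoc (currently just `{@inheritDoc}`) that a principal can be returned without a stored credential when storing was requested. Also note that both messages now receive `gssName` before the `isStripRealmForGss()` handling, where the old code passed the stripped `name`, so the logged user now includes the realm part; that is worth a word in the commit message if intended.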
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index d656546..6414088 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -47,6 +47,10 @@
 <section name="Tomcat 9.0.23 (markt)" rtext="in development">
   <subsection name="Catalina">
     <changelog>
+      <update>
+        <bug>63627</bug>: Implement more fine-grained handling in
+        <code>RealmBase.authenticate(GSSContext, boolean)</code>. (michaelo)
+      </update>
       <add>
         <bug>62496</bug>: Add option to write auth information (remote user/auth type)
         to response headers. (michaelo)
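Review bot: The added `<update>` entry only repeats the commit subject ("more fine-grained handling") and does not tell an operator what changes. The RealmBase hunk raises `realmBase.delegatedCredentialFail` from debug to warn and adds a debug message for credentials that were not delegated; name those two changes in the entry so the log-level change is discoverable from the changelog.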

