You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by mi...@apache.org on 2019/08/02 12:10:35 UTC
[tomcat] 01/01: BZ 63627: Implement more fine-grained handling in
RealmBase#authenticate(GSSContext, boolean)
This is an automated email from the ASF dual-hosted git repository.
michaelo pushed a commit to branch BZ-63627/tomcat-9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit feabfd9554f115e3892aa179231039e0ca714079
Author: Michael Osipov <mi...@apache.org>
AuthorDate: Fri Aug 2 14:09:02 2019 +0200
BZ 63627: Implement more fine-grained handling in RealmBase#authenticate(GSSContext, boolean)
---
.../apache/catalina/realm/LocalStrings.properties | 3 ++-
java/org/apache/catalina/realm/RealmBase.java | 31 +++++++++++++---------
webapps/docs/changelog.xml | 4 +++
3 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/java/org/apache/catalina/realm/LocalStrings.properties b/java/org/apache/catalina/realm/LocalStrings.properties
index a390fb5..1cb2407 100644
--- a/java/org/apache/catalina/realm/LocalStrings.properties
+++ b/java/org/apache/catalina/realm/LocalStrings.properties
@@ -102,7 +102,8 @@ realmBase.cannotGetRoles=Cannot get roles from principal [{0}]
realmBase.createUsernameRetriever.ClassCastException=Class [{0}] is not an X509UsernameRetriever.
realmBase.createUsernameRetriever.newInstance=Cannot create object of type [{0}].
realmBase.credentialHandler.customCredentialHandler=Unable to set the property [{0}] to value [{1}] as a custom CredentialHandler has been configured
-realmBase.delegatedCredentialFail=Unable to obtain delegated credentials for user [{0}]
+realmBase.delegatedCredentialFail=Unable to obtain delegated credential for user [{0}]
+realmBase.credentialNotDelegated=Credential for user [{0}] has not been delegated though storing was requested
realmBase.digest=Error digesting user credentials
realmBase.forbidden=Access to the requested resource has been denied
realmBase.gotX509Username=Got user name from X509 certificate: [{0}]
diff --git a/java/org/apache/catalina/realm/RealmBase.java b/java/org/apache/catalina/realm/RealmBase.java
index 3fde57c..0a0792a 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -480,27 +480,32 @@ public abstract class RealmBase extends LifecycleMBeanBase implements Realm {
}
if (gssName!= null) {
+ GSSCredential gssCredential = null;
+ if (storeCreds) {
+ if (gssContext.getCredDelegState()) {
+ try {
+ gssCredential = gssContext.getDelegCred();
+ } catch (GSSException e) {
+ log.warn(sm.getString(
+ "realmBase.delegatedCredentialFail", gssName), e);
+ }
+ } else {
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString(
+ "realmBase.credentialNotDelegated", gssName));
+ }
+ }
+ }
+
String name = gssName.toString();
if (isStripRealmForGss()) {
int i = name.indexOf('@');
if (i > 0) {
- // Zero so we don;t leave a zero length name
+ // Zero so we don't leave a zero length name
name = name.substring(0, i);
}
}
- GSSCredential gssCredential = null;
- if (storeCreds && gssContext.getCredDelegState()) {
- try {
- gssCredential = gssContext.getDelegCred();
- } catch (GSSException e) {
- if (log.isDebugEnabled()) {
- log.debug(sm.getString(
- "realmBase.delegatedCredentialFail", name),
- e);
- }
- }
- }
return getPrincipal(name, gssCredential);
}
} else {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 2393a89..6c58399 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -47,6 +47,10 @@
<section name="Tomcat 9.0.23 (markt)" rtext="in development">
<subsection name="Catalina">
<changelog>
+ <update>
+ <bug>63627</bug>: Implement more fine-grained handling in
+ <code>RealmBase.authenticate(GSSContext, boolean)</code>. (michaelo)
+ </update>
<add>
<bug>62496</bug>: Add option to write auth information (remote user/auth type)
to response headers. (michaelo)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org