You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2015/05/14 22:11:21 UTC
Re: SPNEGO test configuration with Manager webapp
On 29/03/2015 23:13, André Warnier wrote:
> David Marsh wrote:
>> I've tested all the following public JDKs
>> jdk-7u45-windows-i586.exe
>> jdk-7u65-windows-i586.exe
>> jdk-7u75-windows-i586.exe
>> jdk-8-windows-i586.exe
>> jdk-8u5-windows-i586.exe
>> jdk-8u11-windows-i586.exe
>> jdk-8u20-windows-i586.exe
>> jdk-8u25-windows-i586.exe
>> jdk-8u31-windows-i586.exe
>> jdk-8u40-windows-i586.exe <-- Only this one fails SPNEGO / Bad GSS Token
>>
>> Seems a recent "fix" must broken it.
>
> That is really great info. Thanks.
As promised I have found some time to look into this. It appears that
this fix in 8u40 onwards broke SPNEGO.
https://bugs.openjdk.java.net/browse/JDK-8048194
The fix that was applied wasn't the one suggested in the bug report.
I've spent some time looking at the code but I haven't found a way
around this yet.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: SPNEGO test configuration with Manager webapp
Posted by Mark Thomas <ma...@apache.org>.
On 14/05/2015 22:29, Mark Thomas wrote:
> On 14/05/2015 21:11, Mark Thomas wrote:
>> On 29/03/2015 23:13, André Warnier wrote:
>>> David Marsh wrote:
>>>> I've tested all the following public JDKs
>>>> jdk-7u45-windows-i586.exe
>>>> jdk-7u65-windows-i586.exe
>>>> jdk-7u75-windows-i586.exe
>>>> jdk-8-windows-i586.exe
>>>> jdk-8u5-windows-i586.exe
>>>> jdk-8u11-windows-i586.exe
>>>> jdk-8u20-windows-i586.exe
>>>> jdk-8u25-windows-i586.exe
>>>> jdk-8u31-windows-i586.exe
>>>> jdk-8u40-windows-i586.exe <-- Only this one fails SPNEGO / Bad GSS Token
>>>>
>>>> Seems a recent "fix" must broken it.
>>>
>>> That is really great info. Thanks.
>>
>> As promised I have found some time to look into this. It appears that
>> this fix in 8u40 onwards broke SPNEGO.
>>
>> https://bugs.openjdk.java.net/browse/JDK-8048194
>>
>> The fix that was applied wasn't the one suggested in the bug report.
>>
>> I've spent some time looking at the code but I haven't found a way
>> around this yet.
>
> Good news (sort of). I have an *extremely* dirty hack that fixes this on
> my test instance by moving some of the data about in the token that the
> client sends. It works with 8u20 and 8u45.
>
> At the moment the hack is extremely fragile. I need to make it more
> robust and make it optional. I should be able to get that done tomorrow
> and have it included in the next Tomcat 8 release.
Fix applied to trunk (for 9.0.x), 8.0.x (for 8.0.23 onwards) and 7.0.x
(for 7.0.63 onwards).
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: SPNEGO test configuration with Manager webapp
Posted by Mark Thomas <ma...@apache.org>.
On 14/05/2015 21:11, Mark Thomas wrote:
> On 29/03/2015 23:13, André Warnier wrote:
>> David Marsh wrote:
>>> I've tested all the following public JDKs
>>> jdk-7u45-windows-i586.exe
>>> jdk-7u65-windows-i586.exe
>>> jdk-7u75-windows-i586.exe
>>> jdk-8-windows-i586.exe
>>> jdk-8u5-windows-i586.exe
>>> jdk-8u11-windows-i586.exe
>>> jdk-8u20-windows-i586.exe
>>> jdk-8u25-windows-i586.exe
>>> jdk-8u31-windows-i586.exe
>>> jdk-8u40-windows-i586.exe <-- Only this one fails SPNEGO / Bad GSS Token
>>>
>>> Seems a recent "fix" must broken it.
>>
>> That is really great info. Thanks.
>
> As promised I have found some time to look into this. It appears that
> this fix in 8u40 onwards broke SPNEGO.
>
> https://bugs.openjdk.java.net/browse/JDK-8048194
>
> The fix that was applied wasn't the one suggested in the bug report.
>
> I've spent some time looking at the code but I haven't found a way
> around this yet.
Good news (sort of). I have an *extremely* dirty hack that fixes this on
my test instance by moving some of the data about in the token that the
client sends. It works with 8u20 and 8u45.
At the moment the hack is extremely fragile. I need to make it more
robust and make it optional. I should be able to get that done tomorrow
and have it included in the next Tomcat 8 release.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org