On 14/05/2015 22:29, Mark Thomas wrote:
> On 14/05/2015 21:11, Mark Thomas wrote:
>> On 29/03/2015 23:13, André Warnier wrote:
>>> David Marsh wrote:
>>>> I've tested all the following public JDKs
>>>> jdk-7u45-windows-i586.exe
>>>> jdk-7u65-windows-i586.exe
>>>> jdk-7u75-windows-i586.exe
>>>> jdk-8-windows-i586.exe
>>>> jdk-8u5-windows-i586.exe
>>>> jdk-8u11-windows-i586.exe
>>>> jdk-8u20-windows-i586.exe
>>>> jdk-8u25-windows-i586.exe
>>>> jdk-8u31-windows-i586.exe
>>>> jdk-8u40-windows-i586.exe <-- Only this one fails SPNEGO / Bad GSS Token
>>>>
>>>> Seems a recent "fix" must have broken it.
>>>
>>> That is really great info. Thanks.
>>
>> As promised I have found some time to look into this. It appears that
>> this fix in 8u40 onwards broke SPNEGO.
>>
>> https://bugs.openjdk.java.net/browse/JDK-8048194
>>
>> The fix that was applied wasn't the one suggested in the bug report.
>>
>> I've spent some time looking at the code but I haven't found a way
>> around this yet.
>
> Good news (sort of). I have an *extremely* dirty hack that fixes this on
> my test instance by moving some of the data about in the token that the
> client sends. It works with 8u20 and 8u45.
>
> At the moment the hack is extremely fragile. I need to make it more
> robust and make it optional. I should be able to get that done tomorrow
> and have it included in the next Tomcat 8 release.

Fix applied to trunk (for 9.0.x), 8.0.x (for 8.0.23 onwards) and 7.0.x
(for 7.0.63 onwards).

Mark