natalia-s-ivanova opened a new pull request, #819:
URL: https://github.com/apache/tomcat/pull/819
**Summary:**
Inconsistent behavior of the **HttpServletRequest.login(..)** method when
using **SpnegoAuthenticator** for a web application in Tomcat 11.0.2 and earlier.
**Details:**
Although SpnegoAuthenticator does not implement any public spec interface,
usage of this Authenticator leads to violation of contract of
HttpServletRequest.login(..) method.
Documentation of the HttpServletRequest.login(..) says that it should either
"authenticate the provided user name and password" or throw ServletException
"if the configured authenticator does not support user name and password
authentication":
```
/**
 * Authenticate the provided user name and password and then associated the
 * authenticated user with the request.
 *
 * ...
 *
 * @throws ServletException If any of {@link #getRemoteUser()}, {@link
 *                          #getUserPrincipal()} or {@link #getAuthType()} are non-null, if the
 *                          configured authenticator does not support user name and password
 *                          authentication or if the authentication fails
 */
```
Neither of these actions is performed when using SpnegoAuthenticator: (1)
ServletException is not thrown, (2) the password is not verified against an
existing user name (ANY password could be passed into this method and
authentication is considered to be successful).
**Example:**
We have the Tomcat server 11.0.2 that is configured to use
SpnegoAuthenticator as a valve in combination with JNDIRealm (LDAP
configuration) for a specific application. JNDIRealm is configured in the
following way:
```
<Realm className="org.apache.catalina.realm.JNDIRealm"
authentication="GSSAPI"
...
/>
```
We performed all the Tomcat setup to use Kerberos tickets for user
authentication.
While running, the application is able to call HttpServletRequest.logout()
and afterwards HttpServletRequest.login(..). We identified that in this
configuration (authentication="GSSAPI") calling the
HttpServletRequest.login(..) method with ANY existing LDAP user does NOT
perform a password check and allows getting ANOTHER principal to be used by the
application with its LDAP roles.
**Solution:**
It looks like the most correct way to fix this issue is to make
SpnegoAuthenticator throw ServletException from its login method. It also looks
like such "loginless" implementations should not allow the 'logout' operation, but
org.apache.catalina.Authenticator.logout(..) does not have ServletException in
its signature, so we introduced 'UnsupportedOperationException' in logout for
the loginless type of authenticators.
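The fail-closed behaviour the PR description asks for, written out as an added example that is neither Tomcat's code nor the PR's own diff: a custom Authenticator valve that a deployment could drop in front of a SPNEGO-protected context so that a programmatic `HttpServletRequest.login(..)` can no longer swap in another LDAP principal without a password check. The package and class name `example.auth.StrictSpnegoAuthenticator` are chosen here; the example assumes Tomcat 11 (the `jakarta.servlet` namespace) and the `login`/`logout` signatures of `org.apache.catalina.Authenticator` as they appear in that release.

```java
// Added example, not Tomcat's code and not the PR's patch. Package and class
// name are assumptions for this illustration.
package example.auth;

import jakarta.servlet.ServletException;

import org.apache.catalina.authenticator.SpnegoAuthenticator;
import org.apache.catalina.connector.Request;

/**
 * SPNEGO authenticator that refuses request-scoped user name / password login.
 *
 * SPNEGO/Kerberos negotiation never presents a password to the container, so
 * there is nothing a login(username, password) call can verify. The contract of
 * HttpServletRequest.login(..) quoted in the PR says the authenticator must then
 * throw ServletException rather than silently succeed.
 */
public class StrictSpnegoAuthenticator extends SpnegoAuthenticator {

    @Override
    public void login(String username, String password, Request request)
            throws ServletException {
        // Fail closed: never consult the Realm, never register a Principal.
        // The message deliberately does not echo the supplied user name, so a
        // failed attempt does not leak which names exist in the directory.
        throw new ServletException(getClass().getSimpleName()
                + " does not support user name and password authentication");
    }

    @Override
    public void logout(Request request) {
        // Authenticator.logout(Request) declares no checked exception, so an
        // unchecked exception is the only way to reject the operation; this
        // mirrors the UnsupportedOperationException approach described in the PR.
        throw new UnsupportedOperationException(getClass().getSimpleName()
                + " does not support programmatic logout");
    }
}
```

To use it, reference the class as the context's authenticator valve (for example `<Valve className="example.auth.StrictSpnegoAuthenticator"/>` in the application's context configuration, alongside the JNDIRealm shown above). A quick regression check for the behaviour described in the PR is a servlet or test that, with a Kerberos-authenticated session, calls `request.logout()` and then `request.login("otheruser", "wrong")`: with the stock SpnegoAuthenticator the report says the second call succeeds and `getUserPrincipal()` changes, whereas with this valve the first call fails with UnsupportedOperationException and a direct `login(..)` call fails with ServletException and leaves the principal untouched.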