Larry,

Thanks for the tip.  I was sort of reaching the same conclusion as well.  

Should I be using the default identity-assertion or something else like Hadoop 
Group Lookup Provider?  I know it depends, but what have you had success with in 
the past when using Kerberos?

I will file a JIRA ticket on this as well.

Thanks,
Rick Kellogg

-----Original Message-----
From: larry mccay [mailto:lmc...@apache.org] 
Sent: Wednesday, December 20, 2017 2:27 PM
To: dev@knox.apache.org
Cc: Kellogg, Richard M. (CIV) <richard.m.kell...@usdoj.gov>
Subject: Re: Kerberos - SubjectUtils

I think that a fix to more gracefully handle this situation and help diagnose 
the issue is definitely warranted.
The Subject should not be null at all though - so that is your underlying issue.

I think a null check and maybe an ERROR level log message that there seems to 
be something wrong with authentication resulting in a null Subject at identity 
assertion time.

In terms of behavior changes, perhaps an IllegalStateException makes sense.
My inclination is to think this is a dev time or test env issue where this 
would probably work.
Throw an IllegalStateException with a message indicating that the Subject 
should have been established from authentication/federation and has not.

Thank you for reporting it.
Please file a JIRA and attach a patch for the fix.


On Wed, Dec 20, 2017 at 12:18 PM, Rick Kellogg <rmkell...@comcast.net>
wrote:

> Greetings,
>
> While debugging my Kerberos woes, I think I have identified an issue.  
> I have enabled the default identity-assertion provider which uses 
> CommonIdentityAssertionFilter.  Within the doFilter method, this call 
> evaluates the Subject:
>
> Subject subject = Subject.getSubject(AccessController.getContext());
>
> In my case, the subject is null and the subsequent call to determine the 
> principalName causes a NullPointerException.
>
> Can/should we add a check for null after the line above?  I just don't 
> know the correct behavior. Do we throw another exception or simply set 
> mappedPrincipalName and groups to null?
>
> Thoughts?
> Rick Kellogg
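The null check, ERROR log and IllegalStateException discussed in this thread, as an added Java illustration (not Knox's own CommonIdentityAssertionFilter code; the assertIdentity method, the demo class and the principal value are constructed for the example). It shows why Subject.getSubject(AccessController.getContext()) only returns a Subject when the request runs inside Subject.doAs, and how the hardened check fails fast instead of with a NullPointerException.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

// Added illustration, not Knox code: stands in for the point in
// CommonIdentityAssertionFilter.doFilter where the Subject is read.
public class SubjectNullCheckDemo {

  /** Hypothetical identity-assertion step with the null check added. */
  static String assertIdentity() {
    Subject subject = Subject.getSubject(AccessController.getContext());
    if (subject == null) {
      // In a real filter this would be an ERROR-level log line.
      System.err.println("ERROR: null Subject at identity assertion time; "
          + "authentication/federation did not establish a Subject");
      throw new IllegalStateException(
          "Subject should have been established by authentication/federation but was not");
    }
    // Simplified: take the first Principal as the primary principal name.
    Principal primary = subject.getPrincipals().iterator().next();
    return primary.getName();
  }

  public static void main(String[] args) {
    // Case 1: authenticated request. Subject.doAs binds the Subject to the
    // access-control context, so getSubject() finds it.
    Subject authenticated = new Subject();
    authenticated.getPrincipals().add(() -> "alice@EXAMPLE.COM"); // constructed
    String name = Subject.doAs(authenticated,
        (PrivilegedAction<String>) SubjectNullCheckDemo::assertIdentity);
    System.out.println("mapped principal: " + name);

    // Case 2: no Subject bound (authentication filter missing or failed):
    // the check rejects the request instead of throwing NullPointerException.
    try {
      assertIdentity();
    } catch (IllegalStateException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```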
