This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push: new 4b831e21ef Replace Subject.doAs() with Subject.callAs() 4b831e21ef is described below commit 4b831e21efdd8d9f4d6ed42b624d9f425d0c6506 Author: Mark Thomas <ma...@apache.org> AuthorDate: Thu May 11 20:33:36 2023 +0100 Replace Subject.doAs() with Subject.callAs() --- .../authenticator/SpnegoAuthenticator.java | 67 +++++----------------- 1 file changed, 15 insertions(+), 52 deletions(-) diff --git a/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java b/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java index dab026fdac..d76edb9ecf 100644 --- a/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java +++ b/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java @@ -19,10 +19,8 @@ package org.apache.catalina.authenticator; import java.io.File; import java.io.IOException; import java.security.Principal; -import java.security.PrivilegedAction; -import java.security.PrivilegedActionException; -import java.security.PrivilegedExceptionAction; import java.util.LinkedHashMap; +import java.util.concurrent.CompletionException; import java.util.regex.Pattern; import javax.security.auth.Subject; @@ -32,7 +30,6 @@ import javax.security.auth.login.LoginException; import jakarta.servlet.http.HttpServletResponse; import org.apache.catalina.LifecycleException; -import org.apache.catalina.Realm; import org.apache.catalina.connector.Request; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; 
@@ -208,11 +205,16 @@ public class SpnegoAuthenticator extends AuthenticatorBase { } else { credentialLifetime = GSSCredential.DEFAULT_LIFETIME; } - final PrivilegedExceptionAction<GSSCredential> action = () -> manager.createCredential(null, - credentialLifetime, new Oid("1.3.6.1.5.5.2"), GSSCredential.ACCEPT_ONLY); - gssContext = manager.createContext(Subject.doAs(subject, action)); - outToken = Subject.doAs(lc.getSubject(), new AcceptAction(gssContext, decoded)); + gssContext = manager.createContext(Subject.callAs(subject, () -> { + return manager.createCredential(null, credentialLifetime, new Oid("1.3.6.1.5.5.2"), + GSSCredential.ACCEPT_ONLY); + })); + + final GSSContext gssContextFinal = gssContext; + outToken = Subject.callAs(subject, () -> { + return gssContextFinal.acceptSecContext(decoded, 0, decoded.length); + }); if (outToken == null) { if (log.isDebugEnabled()) { @@ -224,8 +226,9 @@ public class SpnegoAuthenticator extends AuthenticatorBase { return false; } - principal = Subject.doAs(subject, - new AuthenticateAction(context.getRealm(), gssContext, storeDelegatedCredential)); + principal = Subject.callAs(subject, () -> { + return context.getRealm().authenticate(gssContextFinal, storeDelegatedCredential); + }); } catch (GSSException e) { if (log.isDebugEnabled()) { @@ -234,7 +237,7 @@ public class SpnegoAuthenticator extends AuthenticatorBase { response.setHeader(AUTH_HEADER_NAME, AUTH_HEADER_VALUE_NEGOTIATE); response.sendError(HttpServletResponse.SC_UNAUTHORIZED); return false; - } catch (PrivilegedActionException e) { + } catch (CompletionException e) { Throwable cause = e.getCause(); if (cause instanceof GSSException) { if (log.isDebugEnabled()) { 
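Review bot: In the `@@ -208` and `@@ -224` hunks, `Subject.callAs` wraps every exception its `Callable` throws in a `CompletionException`, unchecked ones included, whereas the removed `Subject.doAs(subject, new AuthenticateAction(...))` took a `PrivilegedAction` and let a `RuntimeException` from `Realm.authenticate` propagate unwrapped; the `catch (CompletionException e)` at `@@ -234` therefore now also receives those, and whatever its non-`GSSException` branch does (outside this hunk) is applied to them, so that branch should unwrap and rethrow runtime failures rather than fold them into the authentication-failure path. A comment at the first `callAs` would make the new contract explicit for the next maintainer: `// Subject.callAs wraps any exception from the Callable, including RuntimeException, in CompletionException`. The second `callAs` passes `subject` where the old code passed `lc.getSubject()`, which is equivalent only if `subject` was assigned from `lc.getSubject()` earlier in the method; that assignment is not visible in the hunk. The enclosing method starts and ends outside these hunks.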
@@ -291,46 +294,6 @@ public class SpnegoAuthenticator extends AuthenticatorBase { } - /** - * This class gets a gss credential via a privileged action. - */ - public static class AcceptAction implements PrivilegedExceptionAction<byte[]> { - - GSSContext gssContext; - - byte[] decoded; - - public AcceptAction(GSSContext context, byte[] decodedToken) { - this.gssContext = context; - this.decoded = decodedToken; - } - - @Override - public byte[] run() throws GSSException { - return gssContext.acceptSecContext(decoded, 0, decoded.length); - } - } - - - public static class AuthenticateAction implements PrivilegedAction<Principal> { - - private final Realm realm; - private final GSSContext gssContext; - private final boolean storeDelegatedCredential; - - public AuthenticateAction(Realm realm, GSSContext gssContext, boolean storeDelegatedCredential) { - this.realm = realm; - this.gssContext = gssContext; - this.storeDelegatedCredential = storeDelegatedCredential; - } - - @Override - public Principal run() { - return realm.authenticate(gssContext, storeDelegatedCredential); - } - } - - /** * This class implements a hack around an incompatibility between the SPNEGO implementation in Windows and the * SPNEGO implementation in Java 8 update 40 onwards. It was introduced by the change to fix this bug: @@ -399,7 +362,7 @@ public class SpnegoAuthenticator extends AuthenticatorBase { // Read the mechTypes into an ordered set int mechTypesLen = lengthAsInt(); int mechTypesStart = pos; - LinkedHashMap<String, int[]> mechTypeEntries = new LinkedHashMap<>(); + LinkedHashMap<String,int[]> mechTypeEntries = new LinkedHashMap<>(); while (pos < mechTypesStart + mechTypesLen) { int[] value = new int[2]; value[0] = pos; --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org