This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new 604a82584a Change SSO reauthentication behaviour for SPNEGO
604a82584a is described below

commit 604a82584a824119ef9f0cdac54ed3b3b7623c12
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Dec 2 07:57:00 2025 +0000

    Change SSO reauthentication behaviour for SPNEGO
    
    Perform full SPNEGO authentication rather than re-using cached user name
    and password (if any)
---
 java/org/apache/catalina/authenticator/SingleSignOn.java      |  5 ++---
 .../apache/catalina/authenticator/SpnegoAuthenticator.java    | 11 +++++++----
 webapps/docs/changelog.xml                                    |  6 ++++++
 webapps/docs/config/valve.xml                                 |  4 ++--
 4 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/java/org/apache/catalina/authenticator/SingleSignOn.java 
b/java/org/apache/catalina/authenticator/SingleSignOn.java
index f91e782194..34215813b8 100644
--- a/java/org/apache/catalina/authenticator/SingleSignOn.java
+++ b/java/org/apache/catalina/authenticator/SingleSignOn.java
@@ -74,11 +74,10 @@ import org.apache.tomcat.util.res.StringManager;
  * from the user agent.</li>
  * <li>CLIENT-CERT - call the realm using the credentials present in the TLS 
connection. If not present in the TLS
  * connection, request them from the user agent.</li>
- * <li>SPNEGO - call the realm using the plain text user name and password 
cached by the SSO Valve if available. If not
- * cached, request authentication credentials from the user agent.</li>
+ * <li>SPNEGO - request authentication credentials from the user agent.</li>
  * </ul>
  * Note that this means that enabling reauthentication only makes sense if 
there are two or more web applications in the
- * Host that use BASIC, FORM or SPNEGO. If that is not the case, the SSO Valve 
will just add processing overhead.
+ * Host that use BASIC or FORM. If that is not the case, the SSO Valve will 
just add processing overhead.
  */
 public class SingleSignOn extends ValveBase {
 
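Review bot: The new SPNEGO bullet is narrower than the other bullets in this list and than the updated comment in SpnegoAuthenticator: "request authentication credentials from the user agent" could be read as a BASIC-style challenge, whereas what now happens is a full SPNEGO (Negotiate) exchange. Suggest "SPNEGO - perform a full SPNEGO authentication with the user agent so that delegated credentials are available", which also records why the cached user name and password are no longer used.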
diff --git a/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java 
b/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
index 2ed169bae5..05744af657 100644
--- a/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
@@ -135,15 +135,18 @@ public class SpnegoAuthenticator extends 
AuthenticatorBase {
     protected boolean doAuthenticate(Request request, HttpServletResponse 
response) throws IOException {
 
         /*
-         * Reauthentication using the cached user name and password (if any) 
is enabled for SPNEGO authentication.
+         * Reauthentication using the cached user name and password (if any) 
is not enabled for SPNEGO authentication.
+         * This is because the delegated credentials will nto be available 
unless a normal SPNEGO authentication takes
+         * place.
          *
          * Reauthentication was introduced to handle the case where the Realm 
took additional actions on authentication.
-         * Reauthenticating with the cached user name and password may not be 
sufficient for SPNEGO in that scenario
-         * since the delegated credentials will not be available.
+         * Reauthenticating with the cached user name and password may not be 
sufficient for SPNEGO since it will not
+         * make the delegated credentials available that a web application may 
depend on. Therefore, the
+         * reauthentication behaviour for SPNEGO is to perform a normal SPNEGO 
authentication.
          *
          * TODO: Make the reauthentication behaviour configurable per 
authenticator.
          */
-        if (checkForCachedAuthentication(request, response, true)) {
+        if (checkForCachedAuthentication(request, response, false)) {
             return true;
         }
 
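Review bot: Typo in the added comment: "will nto be available" should be "will not be available". Since the behaviour change itself is a single bare literal in `checkForCachedAuthentication(request, response, false)`, a short inline comment at the call site stating that the SSO reauthentication path is deliberately skipped for SPNEGO would make the intent visible where the value is passed rather than only in the block comment above; the existing TODO about making this configurable per authenticator still applies and needs no change here.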
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 5306d1fa22..3fbb2e225d 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -126,6 +126,12 @@
         available programmatically. Pull request <pr>902</pr> by Brian Matzon.
         (markt)
       </add>
+      <fix>
+        Change the SSO reauthentication behaviour for SPNEGO authentication so
+        that a normal SPNEGO  authentication is performed if the SSL Valve is
+        configured with reauthentication enabled. This is so that the delegated
+        credentials will be available to the web application. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">
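Review bot: The changelog entry says "if the SSL Valve is configured with reauthentication enabled"; this should read "SSO Valve", matching the SingleSignOn class and the valve.xml text changed in this same commit. There is also a double space in "SPNEGO  authentication". Suggest: "that a normal SPNEGO authentication is performed if the SSO Valve is configured with reauthentication enabled."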
diff --git a/webapps/docs/config/valve.xml b/webapps/docs/config/valve.xml
index e68ce80529..f98cf53023 100644
--- a/webapps/docs/config/valve.xml
+++ b/webapps/docs/config/valve.xml
@@ -1398,11 +1398,11 @@
         <p>If "true", this Valve uses cached security credentials (username and
         password) to reauthenticate to the <strong>Realm</strong> each request
         associated with an SSO session where the web application is configured
-        with BASIC, FORM or SPNEGO authentication. Web applications using 
DIGEST
+        with BASIC or FORM authentication. Web applications using DIGEST, 
SPNEGO
         or CLIENT-CERT authentication will reauthenticate using the standard
         authentication process for the authenticator. Therefore, it only makes
         sense to use the SSO Valve with this attribute set to "true" if there
-        are two or more web applications using BASIC, FORM or SPNEGO.</p>
+        are two or more web applications using BASIC or FORM.</p>
         <p>If "false", the Valve can itself authenticate requests based on the
         presence of a valid SSO cookie, without rechecking with the
         <strong>Realm</strong>.</p>
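Review bot: The attribute description now groups SPNEGO with DIGEST and CLIENT-CERT as using "the standard authentication process for the authenticator", but it does not say that this is a change from the previous behaviour, where SPNEGO reauthenticated from the cached user name and password; deployments that enabled this attribute with SPNEGO web applications will now see a full SPNEGO exchange on each request associated with the SSO session. Suggest a sentence stating the change and its reason (delegated credentials are only available after a normal SPNEGO authentication), as the changelog entry in this commit does.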

