This is an automated email from the ASF dual-hosted git repository.
rmaucher pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new ba8b285975 Cleaner handling of invalid SPNEGO tokens
ba8b285975 is described below
commit ba8b285975403b07ea03e25b64ee7b43e5e3c226
Author: remm <[email protected]>
AuthorDate: Wed May 20 11:39:08 2026 +0200
Cleaner handling of invalid SPNEGO tokens
---
.../apache/catalina/authenticator/LocalStrings.properties | 1 +
.../apache/catalina/authenticator/SpnegoAuthenticator.java | 14 ++++++++++++--
webapps/docs/changelog.xml | 3 +++
3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/catalina/authenticator/LocalStrings.properties
b/java/org/apache/catalina/authenticator/LocalStrings.properties
index a9764fb975..f8785b9b50 100644
--- a/java/org/apache/catalina/authenticator/LocalStrings.properties
+++ b/java/org/apache/catalina/authenticator/LocalStrings.properties
@@ -89,6 +89,7 @@ singleSignOn.sessionExpire.managerError=SSO unable to expire
session [{0}] becau
singleSignOn.sessionExpire.managerNotFound=SSO unable to expire session [{0}]
because the Manager could not be found
singleSignOn.sessionExpire.sessionNotFound=SSO unable to expire session [{0}]
because the Session could not be found
+spnegoAuthenticator.authHeaderInvalidToken=The token sent by the client was
invlid
spnegoAuthenticator.authHeaderNoToken=The Negotiate authorization header sent
by the client did not include a token
spnegoAuthenticator.authHeaderNotNego=The authorization header sent by the
client did not start with Negotiate
spnegoAuthenticator.serviceLoginFail=Unable to login as the service principal
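Review bot: The new message added for `spnegoAuthenticator.authHeaderInvalidToken` contains a typo, `invlid`, which will propagate into every translation of this resource bundle; it should read `spnegoAuthenticator.authHeaderInvalidToken=The token sent by the client was invalid`. Since the only place the key is used in this commit is the Base64 decode failure in SpnegoAuthenticator, the message would also be more useful to someone reading debug logs if it named that condition, e.g. `The token sent by the client was not valid Base64`.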
diff --git a/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
b/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
index cd501ee99b..86ebea7910 100644
--- a/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
@@ -187,7 +187,7 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
/*
* Reauthentication using the cached user name and password (if any)
is not enabled for SPNEGO authentication.
- * This is because the delegated credentials will nto be available
unless a normal SPNEGO authentication takes
+ * This is because the delegated credentials will not be available
unless a normal SPNEGO authentication takes
* place.
*
* Reauthentication was introduced to handle the case where the Realm
took additional actions on authentication.
@@ -227,7 +227,17 @@ public class SpnegoAuthenticator extends AuthenticatorBase
{
byte[] encoded = new byte[authorizationBC.getLength()];
System.arraycopy(authorizationBC.getBuffer(),
authorizationBC.getStart(), encoded, 0,
authorizationBC.getLength());
- byte[] decoded = Base64.getDecoder().decode(encoded);
+ byte[] decoded;
+ try {
+ decoded = Base64.getDecoder().decode(encoded);
+ } catch (IllegalArgumentException e) {
+ if (log.isDebugEnabled()) {
+
log.debug(sm.getString("spnegoAuthenticator.authHeaderInvalidToken"));
+ }
+ response.setHeader(AUTH_HEADER_NAME, AUTH_HEADER_VALUE_NEGOTIATE);
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+ return false;
+ }
if (decoded.length == 0) {
if (log.isDebugEnabled()) {
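Review bot: The new catch block around the Base64 decode discards the exception: the debug log records only the localised message and never `e`, so the actual reason a token failed to decode (illegal character, bad padding) is lost to whoever is diagnosing a misbehaving client or a probe. Pass it as the throwable argument, `log.debug(sm.getString("spnegoAuthenticator.authHeaderInvalidToken"), e);`. The three-line recovery (set the Negotiate challenge, send 401, return false) also looks like it duplicates what the `decoded.length == 0` branch below does, so a small private helper would keep the two rejection paths in step, though that branch's body runs past the hunk and I cannot confirm it. The enclosing method starts and ends outside the hunk.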
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index daaba3a57e..16e5df63b0 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -126,6 +126,9 @@
Remove unnecessary code from the SSI processing engine that was
duplicating some of the normalisation checks. (markt)
</scode>
+ <fix>
+ Cleaner handling of invalid SPNEGO tokens. (remm)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">