Author: markt
Date: Wed May 4 21:47:09 2011
New Revision: 1099615
URL: http://svn.apache.org/viewvc?rev=1099615&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=51099
Get loginConfigName working with non-default values
Patch by fhanik
(plus some minor code clean-up)
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties
tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
tomcat/trunk/webapps/docs/changelog.xml
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties?rev=1099615&r1=1099614&r2=1099615&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties
(original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties
Wed May 4 21:47:09 2011
@@ -37,4 +37,4 @@ spnegoAuthenticator.authHeaderNoToken=Th
spnegoAuthenticator.authHeaderNotNego=The authorization header sent by the
client did not start with Negotiate
spnegoAuthenticator.hostnameFail=Unable to determine the host name to
construct the default SPN. Please set the spn attribute of the authenticator.
spnegoAuthenticator.serviceLoginFail=Unable to login as the service principal
-spnegoAuthenticator.ticketValidateFail=Failed to validate client supplied
ticket
\ No newline at end of file
+spnegoAuthenticator.ticketValidateFail=Failed to validate client supplied
ticket
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java?rev=1099615&r1=1099614&r2=1099615&view=diff
==============================================================================
---
tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
(original)
+++
tomcat/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
Wed May 4 21:47:09 2011
@@ -19,7 +19,10 @@ package org.apache.catalina.authenticato
import java.io.File;
import java.io.IOException;
import java.security.Principal;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletResponse;
@@ -189,7 +192,7 @@ public class SpnegoAuthenticator extends
byte[] outToken = null;
try {
try {
- lc = new LoginContext(loginConfigName);
+ lc = new LoginContext(getLoginConfigName());
lc.login();
} catch (LoginException e) {
log.error(sm.getString("spnegoAuthenticator.serviceLoginFail"),
@@ -200,11 +203,18 @@ public class SpnegoAuthenticator extends
}
// Assume the GSSContext is stateless
// TODO: Confirm this assumption
- GSSManager manager = GSSManager.getInstance();
- gssContext = manager.createContext(manager.createCredential(null,
- GSSCredential.DEFAULT_LIFETIME,
- new Oid("1.3.6.1.5.5.2"),
- GSSCredential.ACCEPT_ONLY));
+ final GSSManager manager = GSSManager.getInstance();
+ final PrivilegedExceptionAction<GSSCredential> action =
+ new PrivilegedExceptionAction<GSSCredential>() {
+ @Override
+ public GSSCredential run() throws GSSException {
+ return manager.createCredential(null,
+ GSSCredential.DEFAULT_LIFETIME,
+ new Oid("1.3.6.1.5.5.2"),
+ GSSCredential.ACCEPT_ONLY);
+ }
+ };
+ gssContext = manager.createContext(Subject.doAs(lc.getSubject(),
action));
outToken = gssContext.acceptSecContext(decoded.getBytes(),
decoded.getOffset(), decoded.getLength());
@@ -221,7 +231,7 @@ public class SpnegoAuthenticator extends
}
principal = context.getRealm().authenticate(gssContext,
- storeDelegatedCredential);
+ isStoreDelegatedCredential());
} catch (GSSException e) {
if (log.isDebugEnabled()) {
log.debug(sm.getString("spnegoAuthenticator.ticketValidateFail",
@@ -230,6 +240,11 @@ public class SpnegoAuthenticator extends
response.setHeader("WWW-Authenticate", "Negotiate");
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return false;
+ } catch (PrivilegedActionException e) {
+ log.error(sm.getString("spnegoAuthenticator.serviceLoginFail", e));
+ response.setHeader("WWW-Authenticate", "Negotiate");
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+ return false;
} finally {
if (gssContext != null) {
try {
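Review bot: The new `catch (PrivilegedActionException e)` block hands the exception to the message lookup instead of to the logger, `log.error(sm.getString("spnegoAuthenticator.serviceLoginFail", e));`, so the wrapped GSSException and its stack trace never reach the log; the serviceLoginFail message in LocalStrings.properties has no placeholder, so `e` is dropped outright. The LoginException handler two hunks earlier already uses the logger's throwable parameter, and this block should match it: `log.error(sm.getString("spnegoAuthenticator.serviceLoginFail"), e);`. Note that this path is reached when acquiring the acceptor credential under the service Subject fails, not when the client token is invalid, so a distinct message key would let operators tell a misconfigured keytab/login module apart from a bad client ticket; replying 401 with a fresh Negotiate challenge for what is presumably a server-side failure is also worth a second look. The enclosing method continues outside the hunk.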
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1099615&r1=1099614&r2=1099615&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Wed May 4 21:47:09 2011
@@ -94,6 +94,11 @@
Add a container event that is fired when a session's ID is
changed,
e.g. on authentication. (markt)
</add>
+ <fix>
+ <bug>51099</bug>: Correctly implement non-default login configurations
+ (configured via the loginConfigName attribute) for the the SPNEGO
+ authenticator. (fhanik/markt)
+ </fix>
<add>
<bug>51119</bug>: Add JAAS authentication support to the
JMXRemoteLifecycleListener. Patch provided by Neil Laurance. (markt)