https://issues.apache.org/bugzilla/show_bug.cgi?id=55760
Bug ID: 55760
Summary: Tomcat SPNEGO authenticator incompatible with IBM JDK in case of Keytab based initiate and accept authentication
Product: Tomcat 7
Version: 7.0.35
Hardware: PC
OS: AIX
Status: NEW
Severity: blocker
Priority: P2
Component: Catalina
Assignee: [email protected]
Reporter: [email protected]
Hi
Our company has a use case in which our domain is a Tomcat process. In our
code, we support a parallel protocol which uses an in-memory JAAS
configuration:
public class OurLoginConfiguration extends Configuration
In IBM JDK 7, we need to initiate using a keytab, which needs the system property
javax.security.auth.useSubjectCredsOnly to be set to true for it to work.
However, Tomcat sets it inside SpnegoAuthenticator:
    protected void initInternal() throws LifecycleException {
        super.initInternal();

        // Kerberos configuration file location
        String krb5Conf = System.getProperty(Constants.KRB5_CONF_PROPERTY);
        if (krb5Conf == null) {
            // System property not set, use the Tomcat default
            File krb5ConfFile = new File(Bootstrap.getCatalinaBase(),
                    Constants.DEFAULT_KRB5_CONF);
            System.setProperty(Constants.KRB5_CONF_PROPERTY,
                    krb5ConfFile.getAbsolutePath());
        }

        // JAAS configuration file location
        String jaasConf = System.getProperty(Constants.JAAS_CONF_PROPERTY);
        if (jaasConf == null) {
            // System property not set, use the Tomcat default
            File jaasConfFile = new File(Bootstrap.getCatalinaBase(),
                    Constants.DEFAULT_JAAS_CONF);
            System.setProperty(Constants.JAAS_CONF_PROPERTY,
                    jaasConfFile.getAbsolutePath());
        }

        // This property must be false for SPNEGO to work
        System.setProperty(Constants.USE_SUBJECT_CREDS_ONLY_PROPERTY, "false");
    }
as false in the last line, which causes havoc in the code. A multithreaded
startup causes a breakdown in further authentication for keytab-based login.
Now a little more investigation revealed that Tomcat acts only as an acceptor.
Now, this property need not necessarily be set to false for it to work (in both
the IBM and Sun JDKs).
Source of claim:
http://cr.openjdk.java.net/~weijun/special/krb5winguide-2/raw_files/new/kwin
Excerpt:
    2. Direct JGSS:
       /* JGSS-API calls... */
       In this case, the JAAS config file's entry name MUST be the
       standard entry name (com.sun.security.jgss.krb5.initiate), and you
       must set -Djavax.security.auth.useSubjectCredsOnly=false on the
       Java command line. Read
       http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/tutorials/BasicClientServer.html
       for details.
Which means only initiate-based auth needs the system property.
This is also confirmed on IBM with a sample program.
PROPOSED FIX: COMMENT OUT THE LAST LINE OF initInternal, WHICH SETS THE SYSTEM
PROPERTY TO FALSE IN THE FIRST PLACE.
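The pattern the report is arguing for, as an added example that is neither Tomcat's code nor the reporter's: the service principal is logged in from its keytab through an in-memory JAAS Configuration (the kind of `Configuration` subclass the report mentions), and the SPNEGO accept step runs inside `Subject.doAs` with that Subject. Because JGSS then finds the acceptor key in the Subject, `javax.security.auth.useSubjectCredsOnly` can stay at its default of true for the whole JVM, so a keytab-based initiator elsewhere in the process is not broken by a global `setProperty(..., "false")`. The class and method names (`KeytabSpnegoAcceptor`, `InMemoryKrb5Config`, `loginService`, `acceptToken`), the principal and keytab path, and the token file argument are assumptions; the login module class and option names are the Oracle/OpenJDK `Krb5LoginModule` ones, and the IBM JDK module uses a different class and option names that would have to be substituted. Running it for real needs a reachable KDC, a valid keytab and a client-generated SPNEGO token.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/**
 * Keytab-backed SPNEGO acceptor that runs under Subject.doAs, so the JVM-wide
 * javax.security.auth.useSubjectCredsOnly property can stay at its default
 * (true). Added example; not Tomcat code. Names and paths are assumptions.
 */
public final class KeytabSpnegoAcceptor {

    // Standard JGSS entry names; SpnegoAuthenticator looks up the same two.
    static final String INITIATE_ENTRY = "com.sun.security.jgss.krb5.initiate";
    static final String ACCEPT_ENTRY = "com.sun.security.jgss.krb5.accept";

    /** In-memory JAAS configuration instead of a jaas.conf file. */
    static final class InMemoryKrb5Config extends Configuration {
        private final String principal;
        private final String keytab;

        InMemoryKrb5Config(String principal, String keytab) {
            this.principal = principal;
            this.keytab = keytab;
        }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!INITIATE_ENTRY.equals(name) && !ACCEPT_ENTRY.equals(name)) {
                return null; // unknown entry: nothing configured here
            }
            // Option names are those of the Oracle/OpenJDK Krb5LoginModule
            // (assumption: the IBM JDK module and its options differ).
            Map<String, String> opts = new HashMap<String, String>();
            opts.put("useKeyTab", "true");
            opts.put("storeKey", "true");     // keep the key so the acceptor can use it
            opts.put("doNotPrompt", "true");  // never fall back to a password prompt
            opts.put("keyTab", keytab);
            opts.put("principal", principal);
            opts.put("isInitiator", ACCEPT_ENTRY.equals(name) ? "false" : "true");
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                        LoginModuleControlFlag.REQUIRED, opts)
            };
        }
    }

    /** Log the service principal in from its keytab; the Subject holds its key. */
    static Subject loginService(String principal, String keytab) throws LoginException {
        Configuration.setConfiguration(new InMemoryKrb5Config(principal, keytab));
        LoginContext lc = new LoginContext(ACCEPT_ENTRY);
        lc.login();
        return lc.getSubject();
    }

    /**
     * One SPNEGO accept round inside the service Subject. Returns the response
     * token for the client, or null when none is needed. Single round only:
     * the context is disposed afterwards, which is enough for Kerberos-in-SPNEGO.
     */
    static byte[] acceptToken(final Subject service, final byte[] inToken)
            throws PrivilegedActionException {
        return Subject.doAs(service, new PrivilegedExceptionAction<byte[]>() {
            @Override
            public byte[] run() throws GSSException {
                GSSManager mgr = GSSManager.getInstance();
                Oid spnego = new Oid("1.3.6.1.5.5.2");
                // ACCEPT_ONLY: the credential is taken from the key in the
                // Subject, which is what useSubjectCredsOnly=true requires.
                GSSCredential cred = mgr.createCredential(null,
                        GSSCredential.DEFAULT_LIFETIME, spnego, GSSCredential.ACCEPT_ONLY);
                GSSContext ctx = mgr.createContext(cred);
                try {
                    byte[] outToken = ctx.acceptSecContext(inToken, 0, inToken.length);
                    if (ctx.isEstablished()) {
                        System.out.println("authenticated client: " + ctx.getSrcName());
                    }
                    return outToken;
                } finally {
                    ctx.dispose();
                    cred.dispose();
                }
            }
        });
    }

    public static void main(String[] args) throws Exception {
        // Note: the property is deliberately left alone; "true" is the JGSS default.
        System.out.println("useSubjectCredsOnly = "
                + System.getProperty("javax.security.auth.useSubjectCredsOnly", "true (default)"));
        // Assumed principal and keytab; args[0] is a file holding a raw client SPNEGO token.
        Subject service = loginService("HTTP/www.example.com@EXAMPLE.COM", "/etc/tomcat/http.keytab");
        byte[] clientToken = Files.readAllBytes(Paths.get(args[0]));
        byte[] reply = acceptToken(service, clientToken);
        System.out.println("reply token bytes: " + (reply == null ? 0 : reply.length));
    }
}
```

The accept-side code never touches the system property, so an initiator in the same JVM that relies on `useSubjectCredsOnly=true` (its own `LoginContext` plus `Subject.doAs` around `GSSContext.initSecContext`) keeps working. That is the behaviour the report says breaks when `initInternal` unconditionally sets the property to false.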