Author: markt
Date: Fri Nov 29 19:29:59 2013
New Revision: 1546634
URL: http://svn.apache.org/r1546634
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55804
If the GSSCredential for the cached principal expires when using SPNEGO
authentication, force a re-authentication.
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/java/org/apache/catalina/connector/LocalStrings.properties
tomcat/tc7.0.x/trunk/java/org/apache/catalina/connector/Request.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
Merged /tomcat/trunk:r1546631
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/catalina/connector/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/connector/LocalStrings.properties?rev=1546634&r1=1546633&r2=1546634&view=diff
==============================================================================
---
tomcat/tc7.0.x/trunk/java/org/apache/catalina/connector/LocalStrings.properties
(original)
+++
tomcat/tc7.0.x/trunk/java/org/apache/catalina/connector/LocalStrings.properties
Fri Nov 29 19:29:59 2013
@@ -56,6 +56,7 @@ coyoteResponse.setBufferSize.ise=Cannot
#
coyoteRequest.getInputStream.ise=getReader() has already been called for this
request
coyoteRequest.getReader.ise=getInputStream() has already been called for this
request
+coyoteRequest.gssLifetimeFail=Failed to obtain remaining lifetime for user
principal [{0}]
coyoteRequest.sessionCreateCommitted=Cannot create a session after the
response has been committed
coyoteRequest.setAttribute.namenull=Cannot call setAttribute with a null name
coyoteRequest.listenerStart=Exception sending context initialized event to
listener instance of class {0}
Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/connector/Request.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/connector/Request.java?rev=1546634&r1=1546633&r2=1546634&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/connector/Request.java
(original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/connector/Request.java Fri
Nov 29 19:29:59 2013
@@ -96,6 +96,8 @@ import org.apache.tomcat.util.http.fileu
import org.apache.tomcat.util.http.fileupload.servlet.ServletRequestContext;
import org.apache.tomcat.util.http.mapper.MappingData;
import org.apache.tomcat.util.res.StringManager;
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSException;
/**
@@ -2462,6 +2464,27 @@ public class Request
@Override
public Principal getUserPrincipal() {
if (userPrincipal instanceof GenericPrincipal) {
+ GSSCredential gssCredential =
+ ((GenericPrincipal) userPrincipal).getGssCredential();
+ if (gssCredential != null) {
+ int left = -1;
+ try {
+ left = gssCredential.getRemainingLifetime();
+ } catch (GSSException e) {
+ log.warn(sm.getString("coyoteRequest.gssLifetimeFail",
+ userPrincipal.getName()), e);
+ }
+ if (left == 0) {
+ // GSS credential has expired. Need to re-authenticate.
+ try {
+ logout();
+ } catch (ServletException e) {
+ // Should never happen (no code called by logout()
+ // throws a ServletException
+ }
+ return null;
+ }
+ }
return ((GenericPrincipal) userPrincipal).getUserPrincipal();
}
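Review bot: The new expiry check fails open when the lifetime cannot be read: if `getRemainingLifetime()` throws `GSSException`, `left` keeps its initial `-1`, the `left == 0` test is false, and the cached principal is returned as though the credential were still valid. For an authentication decision it is safer to treat an undeterminable lifetime as expired, i.e. `if (left <= 0) {` with a comment such as `// zero is expired; -1 means the lifetime could not be read - treat both as expired`. An indefinite lifetime is reported as `GSSCredential.INDEFINITE_LIFETIME`, which is a large positive value, so non-expiring credentials would not be affected. The empty `catch (ServletException e)` around `logout()` could also log at debug level, so that a failed forced logout leaves a trace. The body of getUserPrincipal continues outside the hunk.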
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1546634&r1=1546633&r2=1546634&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Fri Nov 29 19:29:59 2013
@@ -58,6 +58,10 @@
<section name="Tomcat 7.0.48 (violetagg)">
<subsection name="Catalina">
<changelog>
+ <add>
+ <bug>51294</bug>: Add support for unpacking WARs located outside of the
+ Host's appBase in to the appBase. (markt)
+ </add>
<fix>
<bug>55656</bug>: Configure the Digester to use the server class loader
when parsing server.xml rather than the class loader that loaded
@@ -160,10 +164,6 @@
was always expanded if a WAR failed to deploy. (markt)
</fix>
<add>
- <bug>51294</bug>: Add support for unpacking WARs located outside of the
- Host's appBase in to the appBase. (markt)
- </add>
- <add>
Add support for defining <code>copyXML</code> on a per Context basis.
(markt)
</add>
@@ -189,6 +189,10 @@
Prevent an NPE in the WebSocket <code>ServerContainer</code> when
processing an HTTP session end event. (markt)
</fix>
+ <fix>
+ <bug>55804</bug>: If the GSSCredential for the cached Principal expires
+ when using SPNEGO authentication, force a re-authentication. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">