Hi, we had a similar issue in the past, in the jsonserver_session() class, fixed by 0292ebd1, which Tomas did for ticket https://fedorahosted.org/freeipa/ticket/3252
This one is for the non-sessioned call: https://fedorahosted.org/freeipa/ticket/4225
--
/ Alexander Bokovoy
>From bfd3ed72429f63cdf9bb1955ad8ee04c75e42014 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <[email protected]> Date: Thu, 6 Mar 2014 11:59:05 +0200 Subject: [PATCH 2/2] ipaserver/rpcserver: catch ACIError and return proper message for out-of-realm users https://fedorahosted.org/freeipa/ticket/4225 --- ipaserver/rpcserver.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index eb9b073..4e5db68 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -864,7 +864,11 @@ class jsonserver_kerb(jsonserver): self.internal_error(environ, start_response, 'jsonserver_kerb.__call__: KRB5CCNAME not defined in HTTP request environment') return self.marshal(None, CCacheError()) - self.create_context(ccache=user_ccache) + # This may fail if a ticket from wrong realm was handled via browser + try: + self.create_context(ccache=user_ccache) + except ACIError, e: + return self.unauthorized(environ, start_response, str(e), 'denied') try: response = super(jsonserver_kerb, self).__call__(environ, start_response) -- 1.8.3.1
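Review bot: In the new except branch of jsonserver_kerb.__call__, `str(e)` is passed straight into `self.unauthorized(...)`, so whatever text the ACIError carries is returned to a caller that has just been denied; confirm that the message cannot contain internal details, or log it server-side and return a fixed string instead. The early `return` also sits before the `try:` that wraps `super(jsonserver_kerb, self).__call__`, so any cleanup attached to that later block will not run if `create_context` had set up partial state before raising. The diffstat shows only this hunk changing, so check that ACIError is already imported in ipaserver/rpcserver.py. Minor: `except ACIError as e:` is the form accepted by both Python 2.6+ and Python 3.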
_______________________________________________ Freeipa-devel mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-devel
