[Bug 62036] Roles stripped when using programmatic login() in tomcat 8.5 but not 8.0
https://bz.apache.org/bugzilla/show_bug.cgi?id=62036 Mark Thomaschanged: What|Removed |Added Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #9 from Mark Thomas --- The prior call to checkForCachedAuthentication() will trigger a logout if the GSSCredential has expired so the proposed fix looks good. Fixed in: - trunk for 9.0.5 onwards - 8.5.x for 8.5.28 onwards - 8.0.x for 8.0.50 onwards - 7.0.x for 7.0.85 onwards -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 62036] Roles stripped when using programmatic login() in tomcat 8.5 but not 8.0
https://bz.apache.org/bugzilla/show_bug.cgi?id=62036 --- Comment #8 from Mark Thomas--- Regardless, this does look like a bug that needs to be fixed. Apart from NonLoginAuthenticator.doAuthenticate() everywhere else that caches the Principal in the session caches the TomcatPrincipal. Switching to s/getUserPrincipal()/getPrincipal()/ looks like it will work - but I want to see if we need to validate any GSSCredential at this point. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 62036] Roles stripped when using programmatic login() in tomcat 8.5 but not 8.0
https://bz.apache.org/bugzilla/show_bug.cgi?id=62036 --- Comment #7 from Mark Thomas--- Hmm. 8.0.43 fails in the same way. Maybe the 8.0.43 tested by the OP was configured in such a way that this worked? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 62036] Roles stripped when using programmatic login() in tomcat 8.5 but not 8.0
https://bz.apache.org/bugzilla/show_bug.cgi?id=62036 --- Comment #6 from Mark Thomas--- I see the same behaviour with trunk 8.0.x. This looks like a regression between 8.0.43 and 8.0.49. Nothing obvious in the change log. Still looking. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 62036] Roles stripped when using programmatic login() in tomcat 8.5 but not 8.0
https://bz.apache.org/bugzilla/show_bug.cgi?id=62036 --- Comment #5 from Konstantin Kolinko--- (In reply to Konstantin Kolinko from comment #3) > 2). It is also odd that RealmBase.hasRole() check for a MemoryUser fails. Debugging Tomcat 9: The following methods in RealmBase are called: (the actual object is LockOutRealm) 1. hasResourcePermission(request, response, SecurityConstraint []constraints, context) 2. hasRole((Wrapper) null, principal, (String) "testrole") 3. hasRoleInternal(principal, (String) "testrole") On successful call the 'principal' is GenericPrincipal. On unsuccessful call the 'principal' is MemoryUser and RealmBase.hasRoleInternal() fails because of the following lines: [[[ // Should be overridden in JAASRealm - to avoid pretty inefficient conversions if (!(principal instanceof GenericPrincipal)) { return false; } ]]] -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 62036] Roles stripped when using programmatic login() in tomcat 8.5 but not 8.0
https://bz.apache.org/bugzilla/show_bug.cgi?id=62036 --- Comment #4 from Konstantin Kolinko--- (In reply to Konstantin Kolinko from comment #3) > Note the following: > 1). The principal differs. > > The first call operates on a GenericPrincipal. > The second call operates on a MemoryUser. Debugging current Tomcat 9, the change of the cached principal occurs in NonLoginAuthenticator.doAuthenticate(), with the following call stack: [[[ at StandardSession.setPrincipal(Principal) - StandardSession:614 at NonLoginAuthenticator.doAuthenticate(Request, HttpServletResponse) - NonLoginAuthenticator:86 at NonLoginAuthenticator.invoke(Request, Response) - AuthenticatorBase:584 at StandardHostValve.invoke(Request, Response) - StandardHostValve:140 ]]] -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 62036] Roles stripped when using programmatic login() in tomcat 8.5 but not 8.0
https://bz.apache.org/bugzilla/show_bug.cgi?id=62036 Konstantin Kolinkochanged: What|Removed |Added OS||All --- Comment #3 from Konstantin Kolinko --- (In reply to Konstantin Kolinko from comment #2) > Created attachment 35695 The first /test/authtest call at 19:25:27.037 has the following lines: [[[ - AuthenticatorBase.invoke We have cached auth type NONE for principal GenericPrincipal[testuser(testrole,)] - RealmBase.hasResourcePermission Checking roles GenericPrincipal[testuser(testrole,)] - RealmBase.hasRole Username [testuser] has role [testrole] ]]] The second /test/authtest call at 19:25:35.225 has the following lines: [[[ - AuthenticatorBase.invoke We have cached auth type NONE for principal User username="testuser", roles="testrole" - RealmBase.hasResourcePermission Checking roles User username="testuser", roles="testrole" - RealmBase.hasRole Username [testuser] does NOT have role [testrole] ]]] Note the following: 1). The principal differs. The first call operates on a GenericPrincipal. The second call operates on a MemoryUser. 2). It is also odd that RealmBase.hasRole() check for a MemoryUser fails. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 62036] Roles stripped when using programmatic login() in tomcat 8.5 but not 8.0
https://bz.apache.org/bugzilla/show_bug.cgi?id=62036 --- Comment #2 from Konstantin Kolinko--- Created attachment 35695 --> https://bz.apache.org/bugzilla/attachment.cgi?id=35695=edit catalina_2018-01-23_log.txt - Cumulative log file, Tomcat 8.5.27 To enable logging I add the following lines to conf/logging.properties: org.apache.catalina.authenticator.level=FINE org.apache.catalina.realm.level=FINE I am attaching an excerpt from catalina.2018-01-23.log and access log when running on Tomcat 8.5.27. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 62036] Roles stripped when using programmatic login() in tomcat 8.5 but not 8.0
https://bz.apache.org/bugzilla/show_bug.cgi?id=62036 --- Comment #1 from Konstantin Kolinko--- Created attachment 35694 --> https://bz.apache.org/bugzilla/attachment.cgi?id=35694=edit test.war Test application. It differs from original: I corrected the values of xmlns and xsi:schemaLocation attributes on the root element to have the correct values for a Servlet 3.1 application. (I usually run with org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true which enables validation of web.xml, thus those typos became noticable). -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org