[Bug 62036] Roles stripped when using programmatic login() in tomcat 8.5 but not 8.0

2018-01-24 Thread bugzilla 
https://bz.apache.org/bugzilla/show_bug.cgi?id=62036

Mark Thomas  changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED

--- Comment #9 from Mark Thomas  ---
The prior call to checkForCachedAuthentication() will trigger a logout if the
GSSCredential has expired so the proposed fix looks good.

Fixed in:
- trunk for 9.0.5 onwards
- 8.5.x for 8.5.28 onwards
- 8.0.x for 8.0.50 onwards
- 7.0.x for 7.0.85 onwards

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 62036] Roles stripped when using programmatic login() in tomcat 8.5 but not 8.0

2018-01-24 Thread bugzilla 
https://bz.apache.org/bugzilla/show_bug.cgi?id=62036

--- Comment #8 from Mark Thomas  ---
Regardless, this does look like a bug that needs to be fixed. Apart from
NonLoginAuthenticator.doAuthenticate() everywhere else that caches the
Principal in the session caches the TomcatPrincipal. Switching to
s/getUserPrincipal()/getPrincipal()/ looks like it will work - but I want to
see if we need to validate any GSSCredential at this point.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 62036] Roles stripped when using programmatic login() in tomcat 8.5 but not 8.0

2018-01-24 Thread bugzilla 
https://bz.apache.org/bugzilla/show_bug.cgi?id=62036

--- Comment #7 from Mark Thomas  ---
Hmm. 8.0.43 fails in the same way.

Maybe the 8.0.43 tested by the OP was configured in such a way that this
worked?

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 62036] Roles stripped when using programmatic login() in tomcat 8.5 but not 8.0

2018-01-24 Thread bugzilla 
https://bz.apache.org/bugzilla/show_bug.cgi?id=62036

--- Comment #6 from Mark Thomas  ---
I see the same behaviour with trunk 8.0.x. This looks like a regression between
8.0.43 and 8.0.49. Nothing obvious in the change log. Still looking.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 62036] Roles stripped when using programmatic login() in tomcat 8.5 but not 8.0

2018-01-23 Thread bugzilla 
https://bz.apache.org/bugzilla/show_bug.cgi?id=62036

--- Comment #5 from Konstantin Kolinko  ---
(In reply to Konstantin Kolinko from comment #3)
> 2). It is also odd that RealmBase.hasRole() check for a MemoryUser fails.

Debugging Tomcat 9:

The following methods in RealmBase are called:
(the actual object is LockOutRealm)

1. hasResourcePermission(request, response, SecurityConstraint []constraints,
context)
2. hasRole((Wrapper) null, principal, (String) "testrole")
3. hasRoleInternal(principal, (String) "testrole")

On successful call the 'principal' is GenericPrincipal.

On unsuccessful call the 'principal' is MemoryUser and
RealmBase.hasRoleInternal() fails because of the following lines:

[[[
 // Should be overridden in JAASRealm - to avoid pretty inefficient conversions
 if (!(principal instanceof GenericPrincipal)) {
return false;
 }
]]]

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 62036] Roles stripped when using programmatic login() in tomcat 8.5 but not 8.0

2018-01-23 Thread bugzilla 
https://bz.apache.org/bugzilla/show_bug.cgi?id=62036

--- Comment #4 from Konstantin Kolinko  ---
(In reply to Konstantin Kolinko from comment #3)
> Note the following:
> 1). The principal differs.
> 
> The first call operates on a GenericPrincipal.
> The second call operates on a MemoryUser.

Debugging current Tomcat 9, the change of the cached principal occurs in
NonLoginAuthenticator.doAuthenticate(), with the following call stack:

[[[
at StandardSession.setPrincipal(Principal) - StandardSession:614
at NonLoginAuthenticator.doAuthenticate(Request, HttpServletResponse) -
NonLoginAuthenticator:86
at NonLoginAuthenticator.invoke(Request, Response) - AuthenticatorBase:584
at StandardHostValve.invoke(Request, Response) - StandardHostValve:140  
]]]

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 62036] Roles stripped when using programmatic login() in tomcat 8.5 but not 8.0

2018-01-23 Thread bugzilla 
https://bz.apache.org/bugzilla/show_bug.cgi?id=62036

Konstantin Kolinko  changed:

   What|Removed |Added

 OS||All

--- Comment #3 from Konstantin Kolinko  ---
(In reply to Konstantin Kolinko from comment #2)
> Created attachment 35695

The first /test/authtest call at 19:25:27.037 has the following lines:

[[[
- AuthenticatorBase.invoke We have cached auth type NONE for principal
GenericPrincipal[testuser(testrole,)]

- RealmBase.hasResourcePermission   Checking roles
GenericPrincipal[testuser(testrole,)]
- RealmBase.hasRole Username [testuser] has role [testrole]
]]]

The second /test/authtest call at 19:25:35.225 has the following lines:
[[[
- AuthenticatorBase.invoke We have cached auth type NONE for principal User
username="testuser", roles="testrole"

- RealmBase.hasResourcePermission   Checking roles User username="testuser",
roles="testrole"
- RealmBase.hasRole Username [testuser] does NOT have role [testrole]
]]]

Note the following:
1). The principal differs.

The first call operates on a GenericPrincipal.
The second call operates on a MemoryUser.

2). It is also odd that RealmBase.hasRole() check for a MemoryUser fails.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 62036] Roles stripped when using programmatic login() in tomcat 8.5 but not 8.0

2018-01-23 Thread bugzilla 
https://bz.apache.org/bugzilla/show_bug.cgi?id=62036

--- Comment #2 from Konstantin Kolinko  ---
Created attachment 35695
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35695=edit
catalina_2018-01-23_log.txt - Cumulative log file, Tomcat 8.5.27

To enable logging I add the following lines to conf/logging.properties:

org.apache.catalina.authenticator.level=FINE
org.apache.catalina.realm.level=FINE

I am attaching an excerpt from catalina.2018-01-23.log and access log when
running on Tomcat 8.5.27.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 62036] Roles stripped when using programmatic login() in tomcat 8.5 but not 8.0

2018-01-23 Thread bugzilla 
https://bz.apache.org/bugzilla/show_bug.cgi?id=62036

--- Comment #1 from Konstantin Kolinko  ---
Created attachment 35694
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35694=edit
test.war

Test application.

It differs from original:
I corrected the values of xmlns and xsi:schemaLocation attributes on the root
 element to have the correct values for a Servlet 3.1 application.

(I usually run with org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true which
enables validation of web.xml, thus those typos became noticable).

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org