https://issues.apache.org/bugzilla/show_bug.cgi?id=55760
Bug ID: 55760 Summary: Tomcat SPNEGO authenticator incompatible with IBM JDK in case of Keytab based initiate and accept authentication Product: Tomcat 7 Version: 7.0.35 Hardware: PC OS: AIX Status: NEW Severity: blocker Priority: P2 Component: Catalina Assignee: dev@tomcat.apache.org Reporter: arunav.sanya...@gmail.com Hi Our company has a use case in which our domain is a tomcat process. In our code, we support a parallel protocol which uses In memory based jaas configuration - public class OurLoginConfiguration extends Configuration In IBM JDK 7, we need to initiate using keytab which needs the system property javax.security.auth.useSubjectCredsOnly to be set to true for it to work. However Tomcat sets it in Inside SpnegoAuthenticator:- protected void initInternal() throws LifecycleException { super.initInternal(); // Kerberos configuration file location String krb5Conf = System.getProperty(Constants.KRB5_CONF_PROPERTY); if (krb5Conf == null) { // System property not set, use the Tomcat default File krb5ConfFile = new File(Bootstrap.getCatalinaBase(), Constants.DEFAULT_KRB5_CONF); System.setProperty(Constants.KRB5_CONF_PROPERTY, krb5ConfFile.getAbsolutePath()); } // JAAS configuration file location String jaasConf = System.getProperty(Constants.JAAS_CONF_PROPERTY); if (jaasConf == null) { // System property not set, use the Tomcat default File jaasConfFile = new File(Bootstrap.getCatalinaBase(), Constants.DEFAULT_JAAS_CONF); System.setProperty(Constants.JAAS_CONF_PROPERTY, jaasConfFile.getAbsolutePath()); } // This property must be false for SPNEGO to work System.setProperty(Constants.USE_SUBJECT_CREDS_ONLY_PROPERTY, "false"); } as false in the last line which causes havoc in the code. A multithreaded startup causes a breakdown in further authentication for keytab based logging. Now a little more investigation revealed that tomcat acts only as an acceptor. Now this property need not necessarily be set to false for it to work(in both IBM and SUN JDK). Source of claim - http://cr.openjdk.java.net/~weijun/special/krb5winguide-2/raw_files/new/kwin Excerpt:- 2. Direct JGSS: /* JGSS-API calls... */ In this case, the JAAS config file's entry name MUST be the standard entry name (com.sun.security.jgss.krb5.initiate), and you must set -Djavax.security.auth.useSubjectCredsOnly=false on the Java command line. Read [26]http://java.sun.com/javase/6/docs/technotes/guides/security/jgs s/tutorials/BasicClientServer.html for details. Which means only initiate based auth needs the system property. This is also confirmed in IBM with a sample program. PROPOSED FIX: COMMENT LAST LINE OF initInternal WHICH SETS THE SYSTEM PROPERTY IN THE FIRST PLACE AS FALSE. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org