This is an automated email from the ASF dual-hosted git repository. michaelo pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push: new 6459a20 BZ 63627: Implement more fine-grained handling in RealmBase#authenticate(GSSContext, boolean) 6459a20 is described below commit 6459a20d916b0c0ac55dd4b1bc0ab23f6ce4018c Author: Michael Osipov <micha...@apache.org> AuthorDate: Fri Aug 2 14:09:02 2019 +0200 BZ 63627: Implement more fine-grained handling in RealmBase#authenticate(GSSContext, boolean) --- java/org/apache/catalina/realm/CombinedRealm.java | 4 +-- .../apache/catalina/realm/LocalStrings.properties | 3 +- java/org/apache/catalina/realm/RealmBase.java | 33 +++++++++++++--------- webapps/docs/changelog.xml | 4 +++ 4 files changed, 27 insertions(+), 17 deletions(-) diff --git a/java/org/apache/catalina/realm/CombinedRealm.java b/java/org/apache/catalina/realm/CombinedRealm.java index ed48e0e..59511fa 100644 --- a/java/org/apache/catalina/realm/CombinedRealm.java +++ b/java/org/apache/catalina/realm/CombinedRealm.java @@ -350,7 +350,7 @@ public class CombinedRealm extends RealmBase { * {@inheritDoc} */ @Override - public Principal authenticate(GSSContext gssContext, boolean storeCreds) { + public Principal authenticate(GSSContext gssContext, boolean storeCred) { if (gssContext.isEstablished()) { Principal authenticatedUser = null; String username = null; @@ -371,7 +371,7 @@ public class CombinedRealm extends RealmBase { username, realm.getClass().getName())); } - authenticatedUser = realm.authenticate(gssContext, storeCreds); + authenticatedUser = realm.authenticate(gssContext, storeCred); if (authenticatedUser == null) { if (log.isDebugEnabled()) { diff --git a/java/org/apache/catalina/realm/LocalStrings.properties b/java/org/apache/catalina/realm/LocalStrings.properties index 990a409..5a8aee3 100644 --- a/java/org/apache/catalina/realm/LocalStrings.properties +++ b/java/org/apache/catalina/realm/LocalStrings.properties 
@@ -91,7 +91,8 @@ realmBase.cannotGetRoles=Cannot get roles from principal [{0}]
 realmBase.createUsernameRetriever.ClassCastException=Class [{0}] is not an X509UsernameRetriever.
 realmBase.createUsernameRetriever.newInstance=Cannot create object of type [{0}].
 realmBase.credentialHandler.customCredentialHandler=Unable to set the property [{0}] to value [{1}] as a custom CredentialHandler has been configured
-realmBase.delegatedCredentialFail=Unable to obtain delegated credentials for user [{0}]
+realmBase.delegatedCredentialFail=Unable to obtain delegated credential for user [{0}]
+realmBase.credentialNotDelegated=Credential for user [{0}] has not been delegated though storing was requested
 realmBase.digest=Error digesting user credentials
 realmBase.forbidden=Access to the requested resource has been denied
 realmBase.gotX509Username=Got user name from X509 certificate: [{0}]
diff --git a/java/org/apache/catalina/realm/RealmBase.java b/java/org/apache/catalina/realm/RealmBase.java
index 55559a5..eaa49aa 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -472,7 +472,7 @@ public abstract class RealmBase extends LifecycleMBeanBase implements Realm {
 * {@inheritDoc}
 */
 @Override
- public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
+ public Principal authenticate(GSSContext gssContext, boolean storeCred) {
 if (gssContext.isEstablished()) {
 GSSName gssName = null;
 try {
@@ -482,27 +482,32 @@ public abstract class RealmBase extends LifecycleMBeanBase implements Realm { } if (gssName!= null) { + GSSCredential gssCredential = null; + if (storeCred) { + if (gssContext.getCredDelegState()) { + try { + gssCredential = gssContext.getDelegCred(); + } catch (GSSException e) { + log.warn(sm.getString( + "realmBase.delegatedCredentialFail", gssName), e); + } + } else { + if (log.isDebugEnabled()) { + log.debug(sm.getString( + "realmBase.credentialNotDelegated", gssName)); + } + } + } + String name = gssName.toString(); if (isStripRealmForGss()) { int i = name.indexOf('@'); if (i > 0) { - // Zero so we don;t leave a zero length name + // Zero so we don't leave a zero length name name = name.substring(0, i); } } - GSSCredential gssCredential = null; - if (storeCreds && gssContext.getCredDelegState()) { - try { - gssCredential = gssContext.getDelegCred(); - } catch (GSSException e) { - if (log.isDebugEnabled()) { - log.debug(sm.getString( - "realmBase.delegatedCredentialFail", name), - e); - } - } - } return getPrincipal(name, gssCredential); } } else { diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index abe97fd..e8704dd 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -47,6 +47,10 @@ <section name="Tomcat 8.5.44 (markt)" rtext="in development"> <subsection name="Catalina"> <changelog> + <update> + <bug>63627</bug>: Implement more fine-grained handling in + <code>RealmBase.authenticate(GSSContext, boolean)</code>. (michaelo) + </update> <add> <bug>62496</bug>: Add option to write auth information (remote user/auth type) to response headers. (michaelo) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
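Review bot: In the RealmBase.java hunk the new `catch (GSSException e)` and `else` branches carry no comment saying the fall-through is intended: both leave `gssCredential` null and the method still reaches `return getPrincipal(name, gssCredential)`, so a caller that passed `storeCred = true` gets an authenticated Principal with no delegated credential and only a log line to tell the two cases apart. I would add a comment above the `if (storeCred)` block such as `// Delegation is best effort: a missing or unobtainable credential is logged and authentication continues without it`, because code that later uses the stored credential has to null-check it. Both messages are now built from `gssName`, before the `isStripRealmForGss()` stripping, whereas the removed code passed the stripped `name`, so the logged user can differ from the Principal name when stripping is enabled; a short comment saying the full name is logged on purpose would help log correlation. The enclosing `authenticate` method begins and ends outside this hunk.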