This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
     new 6459a20  BZ 63627: Implement more fine-grained handling in 
RealmBase#authenticate(GSSContext, boolean)
6459a20 is described below

commit 6459a20d916b0c0ac55dd4b1bc0ab23f6ce4018c
Author: Michael Osipov <micha...@apache.org>
AuthorDate: Fri Aug 2 14:09:02 2019 +0200

    BZ 63627: Implement more fine-grained handling in 
RealmBase#authenticate(GSSContext, boolean)
---
 java/org/apache/catalina/realm/CombinedRealm.java  |  4 +--
 .../apache/catalina/realm/LocalStrings.properties  |  3 +-
 java/org/apache/catalina/realm/RealmBase.java      | 33 +++++++++++++---------
 webapps/docs/changelog.xml                         |  4 +++
 4 files changed, 27 insertions(+), 17 deletions(-)

diff --git a/java/org/apache/catalina/realm/CombinedRealm.java 
b/java/org/apache/catalina/realm/CombinedRealm.java
index ed48e0e..59511fa 100644
--- a/java/org/apache/catalina/realm/CombinedRealm.java
+++ b/java/org/apache/catalina/realm/CombinedRealm.java
@@ -350,7 +350,7 @@ public class CombinedRealm extends RealmBase {
      * {@inheritDoc}
      */
     @Override
-    public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
+    public Principal authenticate(GSSContext gssContext, boolean storeCred) {
         if (gssContext.isEstablished()) {
             Principal authenticatedUser = null;
             String username = null;
@@ -371,7 +371,7 @@ public class CombinedRealm extends RealmBase {
                             username, realm.getClass().getName()));
                 }
 
-                authenticatedUser = realm.authenticate(gssContext, storeCreds);
+                authenticatedUser = realm.authenticate(gssContext, storeCred);
 
                 if (authenticatedUser == null) {
                     if (log.isDebugEnabled()) {
diff --git a/java/org/apache/catalina/realm/LocalStrings.properties 
b/java/org/apache/catalina/realm/LocalStrings.properties
index 990a409..5a8aee3 100644
--- a/java/org/apache/catalina/realm/LocalStrings.properties
+++ b/java/org/apache/catalina/realm/LocalStrings.properties
@@ -91,7 +91,8 @@ realmBase.cannotGetRoles=Cannot get roles from principal [{0}]
 realmBase.createUsernameRetriever.ClassCastException=Class [{0}] is not an 
X509UsernameRetriever.
 realmBase.createUsernameRetriever.newInstance=Cannot create object of type 
[{0}].
 realmBase.credentialHandler.customCredentialHandler=Unable to set the property 
[{0}] to value [{1}] as a custom CredentialHandler has been configured
-realmBase.delegatedCredentialFail=Unable to obtain delegated credentials for 
user [{0}]
+realmBase.delegatedCredentialFail=Unable to obtain delegated credential for 
user [{0}]
+realmBase.credentialNotDelegated=Credential for user [{0}] has not been 
delegated though storing was requested
 realmBase.digest=Error digesting user credentials
 realmBase.forbidden=Access to the requested resource has been denied
 realmBase.gotX509Username=Got user name from X509 certificate: [{0}]
diff --git a/java/org/apache/catalina/realm/RealmBase.java 
b/java/org/apache/catalina/realm/RealmBase.java
index 55559a5..eaa49aa 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -472,7 +472,7 @@ public abstract class RealmBase extends LifecycleMBeanBase 
implements Realm {
      * {@inheritDoc}
      */
     @Override
-    public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
+    public Principal authenticate(GSSContext gssContext, boolean storeCred) {
         if (gssContext.isEstablished()) {
             GSSName gssName = null;
             try {
@@ -482,27 +482,32 @@ public abstract class RealmBase extends 
LifecycleMBeanBase implements Realm {
             }
 
             if (gssName!= null) {
+                GSSCredential gssCredential = null;
+                if (storeCred) {
+                    if (gssContext.getCredDelegState()) {
+                        try {
+                            gssCredential = gssContext.getDelegCred();
+                        } catch (GSSException e) {
+                            log.warn(sm.getString(
+                                    "realmBase.delegatedCredentialFail", 
gssName), e);
+                        }
+                    } else {
+                        if (log.isDebugEnabled()) {
+                            log.debug(sm.getString(
+                                    "realmBase.credentialNotDelegated", 
gssName));
+                        }
+                    }
+                }
+
                 String name = gssName.toString();
 
                 if (isStripRealmForGss()) {
                     int i = name.indexOf('@');
                     if (i > 0) {
-                        // Zero so we don;t leave a zero length name
+                        // Zero so we don't leave a zero length name
                         name = name.substring(0, i);
                     }
                 }
-                GSSCredential gssCredential = null;
-                if (storeCreds && gssContext.getCredDelegState()) {
-                    try {
-                        gssCredential = gssContext.getDelegCred();
-                    } catch (GSSException e) {
-                        if (log.isDebugEnabled()) {
-                            log.debug(sm.getString(
-                                    "realmBase.delegatedCredentialFail", name),
-                                    e);
-                        }
-                    }
-                }
                 return getPrincipal(name, gssCredential);
             }
         } else {
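Review bot: Both failure paths in the new `if (storeCred)` block (the caught `GSSException` and the `getCredDelegState()` false branch) leave `gssCredential` null and still reach `return getPrincipal(name, gssCredential)`, so a caller that asked for the delegated credential gets an authenticated principal without one, and nothing in the code says this is intended. A comment above the block would record the contract, e.g. `// Delegation is best-effort: authentication still succeeds, with a null credential, if it cannot be obtained`. The two paths are also logged at different levels, warn for the exception but only debug for "not delegated"; an operator who enabled credential storing would presumably want the second case visible at default log levels too, so it is worth confirming that debug is deliberate. As a style point, the `else { if (log.isDebugEnabled()) { ... } }` nesting can be flattened to `else if (log.isDebugEnabled()) {`. The enclosing method starts and ends outside this hunk.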
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index abe97fd..e8704dd 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -47,6 +47,10 @@
 <section name="Tomcat 8.5.44 (markt)" rtext="in development">
   <subsection name="Catalina">
     <changelog>
+      <update>
+        <bug>63627</bug>: Implement more fine-grained handling in
+        <code>RealmBase.authenticate(GSSContext, boolean)</code>. (michaelo)
+      </update>
       <add>
         <bug>62496</bug>: Add option to write auth information (remote 
user/auth type)
         to response headers. (michaelo)

