Hello, we are using apache-tomcat-9.0.54 with LDAP authentication under Windows 2012R2. One of the users complained that access with Firefox stopped working.
Looking into the logs I could find the following message:

    java.lang.IllegalStateException: This credential is no longer valid
        at java.security.jgss/sun.security.jgss.GSSCredentialImpl.getRemainingLifetime(GSSCredentialImpl.java:208)
        at org.apache.catalina.connector.Request.getUserPrincipal(Request.java:2659)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:508)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
        at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:312)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
        at org.apache.coyote.http2.StreamProcessor.service(StreamProcessor.java:413)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.http2.StreamProcessor.process(StreamProcessor.java:74)
        at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.java:35)

Looking into the sources of Request.java I can see that the exception is not caught and handled:

    public Principal getUserPrincipal() {
        if (userPrincipal instanceof TomcatPrincipal) {
            GSSCredential gssCredential = ((TomcatPrincipal) userPrincipal).getGssCredential();
            if (gssCredential != null) {
                int left = -1;
                try {
                    left = gssCredential.getRemainingLifetime();
                } catch (GSSException e) {
                    log.warn(sm.getString("coyoteRequest.gssLifetimeFail", userPrincipal.getName()), e);
                }
                if (left == 0) {
                    ....

Would it be better to also catch IllegalStateException and, instead of checking left == 0, to change it to left <= 0?

The only possible way to resolve the issue was to delete the browser cache including the credentials.

Greetings,
Thomas
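
The handling suggested in the message above, as an added example that is not part of the original post and not Tomcat's own code: a lifetime check that treats an expired credential, a failed lookup and an already-disposed credential the same way, so the caller can drop the session instead of letting the exception escape. The class GssLifetimeCheck, the helpers isExpired and stub, and the sample credentials are hypothetical and constructed for illustration.

```java
import java.lang.reflect.Proxy;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;

public class GssLifetimeCheck {

    // Hypothetical helper: true when the credential must be treated as expired.
    static boolean isExpired(GSSCredential cred) {
        int left = -1; // stays -1 if the lifetime cannot be read
        try {
            left = cred.getRemainingLifetime();
        } catch (GSSException | IllegalStateException e) {
            // IllegalStateException is what the stack trace above shows:
            // the credential is no longer usable at all.
            System.err.println("GSS lifetime check failed: " + e.getMessage());
        }
        // 0 means expired, -1 means the check itself failed: fail closed on both.
        return left <= 0;
    }

    // Constructed stand-in for a GSSCredential (not a real Kerberos credential).
    // Pass an Integer to return as lifetime, or a RuntimeException to throw.
    static GSSCredential stub(Object lifetimeOrError) {
        return (GSSCredential) Proxy.newProxyInstance(
            GssLifetimeCheck.class.getClassLoader(),
            new Class<?>[] { GSSCredential.class },
            (proxy, method, methodArgs) -> {
                if (!method.getName().equals("getRemainingLifetime")) {
                    throw new UnsupportedOperationException(method.getName());
                }
                if (lifetimeOrError instanceof RuntimeException) {
                    throw (RuntimeException) lifetimeOrError;
                }
                return lifetimeOrError;
            });
    }

    public static void main(String[] args) {
        GSSCredential disposed =
            stub(new IllegalStateException("This credential is no longer valid"));
        System.out.println("valid credential expired?    " + isExpired(stub(3600)));
        System.out.println("zero lifetime expired?       " + isExpired(stub(0)));
        System.out.println("disposed credential expired? " + isExpired(disposed));
    }
}
```

With left <= 0, a GSSException during the lookup also counts as expired, which forces re-authentication rather than keeping a principal whose credential state is unknown.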