Hello,
we are using apache-tomcat-9.0.54 with LDAP authentication under Windows 2012R2.
One of the users complained that access with Firefox stopped working.

Looking into the logs I could find the following message:
    java.lang.IllegalStateException: This credential is no longer valid
        at java.security.jgss/sun.security.jgss.GSSCredentialImpl.getRemainingLifetime(GSSCredentialImpl.java:208)
        at org.apache.catalina.connector.Request.getUserPrincipal(Request.java:2659)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:508)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
        at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:312)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
        at org.apache.coyote.http2.StreamProcessor.service(StreamProcessor.java:413)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.http2.StreamProcessor.process(StreamProcessor.java:74)
        at org.apache.coyote.http2.StreamRunnable.run(StreamRunnable.java:35)

Looking into the sources of Request.java I can see that the exception is not
caught and handled:

    public Principal getUserPrincipal() {
        if (userPrincipal instanceof TomcatPrincipal) {
            GSSCredential gssCredential =
                    ((TomcatPrincipal) userPrincipal).getGssCredential();
            if (gssCredential != null) {
                int left = -1;
                try {
                    left = gssCredential.getRemainingLifetime();
                } catch (GSSException e) {
                    log.warn(sm.getString("coyoteRequest.gssLifetimeFail",
                            userPrincipal.getName()), e);
                }
                if (left == 0) {
....

Would it be better to also catch IllegalStateException and, instead of checking
left == 0, to check left <= 0?

The only possible way to resolve the issue was to delete the browser cache 
including the credentials.

Greetings,
Thomas
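
The handling asked about above, as an added example that is not part of the original message and not Tomcat's code: the lifetime check catches IllegalStateException as well as GSSException and treats any value <= 0 as expired, so a disposed credential fails closed instead of aborting the request. The class GssLifetimeCheck, the methods isExpired and stub, and the proxy-based stand-in credential are assumptions made for illustration.

```java
import java.lang.reflect.Proxy;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;

// Added illustration; class and method names are hypothetical, not Tomcat's.
public class GssLifetimeCheck {

    /** Returns true when the credential must no longer be trusted. */
    static boolean isExpired(GSSCredential cred) {
        int left = -1; // stays negative if the lifetime cannot be read
        try {
            left = cred.getRemainingLifetime();
        } catch (GSSException | IllegalStateException e) {
            // IllegalStateException is what the JDK credential in the stack
            // trace throws ("This credential is no longer valid").
            System.err.println("lifetime lookup failed: " + e);
        }
        // With <= 0 a failed lookup (left == -1) also counts as expired.
        return left <= 0;
    }

    /** Constructed stand-in credential; null lifetime simulates the failure. */
    static GSSCredential stub(Integer lifetime) {
        return (GSSCredential) Proxy.newProxyInstance(
                GssLifetimeCheck.class.getClassLoader(),
                new Class<?>[] {GSSCredential.class},
                (proxy, method, args) -> {
                    if (!"getRemainingLifetime".equals(method.getName())) {
                        throw new UnsupportedOperationException(method.getName());
                    }
                    if (lifetime == null) {
                        throw new IllegalStateException(
                                "This credential is no longer valid");
                    }
                    return lifetime;
                });
    }

    public static void main(String[] args) {
        System.out.println("3600 s left: expired=" + isExpired(stub(3600)));
        System.out.println("0 s left:    expired=" + isExpired(stub(0)));
        System.out.println("disposed:    expired=" + isExpired(stub(null)));
    }
}
```

Run with `java GssLifetimeCheck.java`; the first case reports expired=false and the other two report expired=true.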
