[ https://issues.apache.org/jira/browse/HADOOP-8830?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13603444#comment-13603444 ]

Moritz Moeller commented on HADOOP-8830:
----------------------------------------

No, it looks as if 
org.apache.hadoop.security.authentication.server.AuthenticationFilter is added 
twice to the jetty filter chain configuration.
As soon as the authentication succeeds and the AuthenticationFilter calls 
filterChain.doFilter, the AuthenticationFilter is called again. Stack trace 
looks like this:

org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:356)
org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:356)
org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
org.apache.hadoop.http.HttpServer$QuotingInputFilter.doFilter(HttpServer.java:1075)

The NoCacheFilter servlet is also called twice, but that is probably because it 
is added both in the constructor and in addDefaultApps in 
org.apache.hadoop.http.HttpServer.

Right now (using CDH 4.2.0) I still have to patch the AuthenticationFilter to 
directly call filterChain.doFilter; return if the filter was already called 
before.



                
> org.apache.hadoop.security.authentication.server.AuthenticationFilter might 
> be called twice, causing kerberos replay errors
> ---------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-8830
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8830
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 2.0.1-alpha
>            Reporter: Moritz Moeller
>
> AuthenticationFilter.doFilter is called twice (not sure if that is 
> intentional or not).
> The second time it is called the ServletRequest is already authenticated, 
> i.e. httpRequest.getRemoteUser() returns non-null info.
> If the Kerberos authentication is triggered a second time it'll return a 
> replay attack exception.
> I solved this by adding an if (httpRequest.getRemoteUser() == null) at the 
> very beginning of doFilter.
> Alternatively one can set an attribute on the request, or figure out why 
> doFilter is called twice.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
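
The failure mode and the guard discussed in this message, as an added example that is not part of the original message or of Hadoop's code. It is a JDK-only model: Request, Filter, the replay cache, the attribute name "auth.applied", the principal and the tokens are all constructed stand-ins, not the servlet or Hadoop APIs.

```java
import java.util.*;

/** Added model, not Hadoop code: a chain in which the same authenticating
 *  filter is registered twice, with and without a once-per-request guard. */
public class DoubleFilterDemo {
    /** Stand-in for a servlet request: one token plus server-side attributes. */
    static class Request {
        final String token;
        final Map<String, Object> attrs = new HashMap<>();
        String remoteUser;                       // null until authenticated
        Request(String token) { this.token = token; }
    }
    interface Filter { void doFilter(Request r, Iterator<Filter> chain); }

    /** Stand-in for the Kerberos acceptor: each token is accepted only once. */
    static final Set<String> replayCache = new HashSet<>();
    static void acceptToken(String token) {
        if (!replayCache.add(token)) throw new SecurityException("replay detected");
    }
    static void next(Request r, Iterator<Filter> chain) {
        if (chain.hasNext()) chain.next().doFilter(r, chain);
    }

    static Filter authFilter(boolean guarded) {
        return (r, chain) -> {
            // Guard: the marker is a server-side attribute, never a client header.
            if (guarded && r.attrs.containsKey("auth.applied")) { next(r, chain); return; }
            acceptToken(r.token);                // a second call with the same token throws
            r.remoteUser = "alice";              // constructed principal
            r.attrs.put("auth.applied", Boolean.TRUE);  // set only after success
            next(r, chain);
        };
    }

    /** Runs one request through a chain that holds the filter twice. */
    static String run(boolean guarded, String token) {
        Filter f = authFilter(guarded);
        Request r = new Request(token);
        try {
            next(r, Arrays.asList(f, f).iterator());
            return "ok user=" + r.remoteUser;
        } catch (SecurityException e) { return "error: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        System.out.println("unguarded: " + run(false, "token-A"));
        System.out.println("guarded:   " + run(true, "token-B"));
    }
}
```

The guard only masks the duplicate registration; the marker must be set after the token has been accepted, so that a request which failed authentication can never reach the pass-through branch.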
