[ https://issues.apache.org/jira/browse/HADOOP-8883?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13807596#comment-13807596 ]

Andrey Klochkov commented on HADOOP-8883:
-----------------------------------------

Actually the JDK does not allow reading the content of the "Authorization" request 
property, so this fix doesn't change the behavior. 

Here's an extract from the OpenJDK 1.7 sources. OpenJDK 1.6 is similar. My 
experiments with Oracle JDK7 show the same behavior (the property is not 
available to the user). 

{code}
    // the following http request headers should NOT have their values
    // returned for security reasons.
    private static final String[] EXCLUDE_HEADERS = {
            "Proxy-Authorization",
            "Authorization"
    };


    @Override
    public synchronized String getRequestProperty (String key) {
        if (key == null) {
            return null;
        }

        // don't return headers containing security sensitive information
        for (int i=0; i < EXCLUDE_HEADERS.length; i++) {
            if (key.equalsIgnoreCase(EXCLUDE_HEADERS[i])) {
                return null;
            }
        }
{code}

Should this Jira be re-opened or another one created?

> Anonymous fallback in KerberosAuthenticator is broken
> -----------------------------------------------------
>
>                 Key: HADOOP-8883
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8883
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 2.0.3-alpha
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>              Labels: security
>             Fix For: 2.0.3-alpha
>
>         Attachments: HADOOP-8883.patch
>
>
> HADOOP-8855 changed KerberosAuthenticator to handle when the JDK did the 
> SPNEGO already; but this change broke using the fallback authenticator 
> (PseudoAuthenticator) with an anonymous user (see OOZIE-1010).  



--
This message was sent by Atlassian JIRA
(v6.1#6144)
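The following is an added example, not code from the JIRA issue, the comment above, or the Hadoop project; it makes the OpenJDK behavior quoted in the comment observable. It sets a harmless header and the two excluded headers on an unconnected HttpURLConnection (openConnection() does not touch the network, and the host name and header values are constructed placeholders) and reports which of them getRequestProperty() can read back.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

public class AuthorizationHeaderVisibility {

    // Sets a request header and reports whether getRequestProperty() returns it.
    // For "Authorization" and "Proxy-Authorization" the JDK returns null even
    // though the header is still stored and would be sent on the wire.
    static boolean canReadBack(HttpURLConnection conn, String header, String value) {
        conn.setRequestProperty(header, value);
        return value.equals(conn.getRequestProperty(header));
    }

    public static void main(String[] args) throws IOException {
        // Placeholder URL: nothing is sent because connect() is never called.
        URL url = new URL("http://example.invalid/hypothetical-endpoint");
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();

        // Constructed sample values, not real credentials or tokens.
        System.out.println("X-Custom readable:           "
                + canReadBack(conn, "X-Custom", "demo"));
        System.out.println("Authorization readable:      "
                + canReadBack(conn, "Authorization", "Negotiate ZGVtbw=="));
        System.out.println("Proxy-Authorization readable: "
                + canReadBack(conn, "Proxy-Authorization", "Basic ZGVtbw=="));
        // Expected on OpenJDK 1.6/1.7 and Oracle JDK 7 per the comment above:
        // true for X-Custom, false for the two excluded headers.
    }
}
```

Because the getter hides these headers, client code that needs to know whether it has already attached an Authorization header to a connection cannot discover that by asking the connection; it has to record that fact itself at the point where it calls setRequestProperty().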