[ https://issues.apache.org/jira/browse/HADOOP-8830?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14524718#comment-14524718 ]
Hadoop QA commented on HADOOP-8830: ----------------------------------- \\ \\ | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:red}-1{color} | patch | 0m 0s | The patch command could not apply the patch during dryrun. | \\ \\ || Subsystem || Report/Notes || | Patch URL | http://issues.apache.org/jira/secure/attachment/12605624/HADOOP-8830.20131027.1.patch | | Optional Tests | javadoc javac unit findbugs checkstyle | | git revision | trunk / f1a152c | | Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/6314/console | This message was automatically generated. > org.apache.hadoop.security.authentication.server.AuthenticationFilter might > be called twice, causing kerberos replay errors > --------------------------------------------------------------------------------------------------------------------------- > > Key: HADOOP-8830 > URL: https://issues.apache.org/jira/browse/HADOOP-8830 > Project: Hadoop Common > Issue Type: Bug > Affects Versions: 2.0.1-alpha, 2.1.0-beta, 2.1.1-beta, 2.2.0 > Reporter: Moritz Moeller > Assignee: Omkar Vinit Joshi > Priority: Critical > Attachments: HADOOP-8830.20131026.1.patch, > HADOOP-8830.20131027.1.patch > > > AuthenticationFilter.doFilter is called twice (not sure if that is > intentional or not). > The second time it is called the ServletRequest is already authenticated, > i.e. httpRequest.getRemoteUser() returns non-null info. > If the kerberos authentication is triggered a second time it'll return a > replay attack exception. > I solved this by adding a if (httpRequest.getRemoteUser() == null) at the > very beginning of doFilter. > Alternatively one can set an attribute on the request, or figure out why > doFilter is called twice. -- This message was sent by Atlassian JIRA (v6.3.4#6332)