This is an automated email from the ASF dual-hosted git repository. michaelo pushed a commit to branch BZ-63627/tomcat-9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit feabfd9554f115e3892aa179231039e0ca714079
Author: Michael Osipov <micha...@apache.org>
AuthorDate: Fri Aug 2 14:09:02 2019 +0200
BZ 63627: Implement more fine-grained handling in RealmBase#authenticate(GSSContext, boolean)
---
 .../apache/catalina/realm/LocalStrings.properties | 3 ++-
 java/org/apache/catalina/realm/RealmBase.java | 31 +++++++++++++---------
 webapps/docs/changelog.xml | 4 +++
 3 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/java/org/apache/catalina/realm/LocalStrings.properties b/java/org/apache/catalina/realm/LocalStrings.properties
index a390fb5..1cb2407 100644
--- a/java/org/apache/catalina/realm/LocalStrings.properties
+++ b/java/org/apache/catalina/realm/LocalStrings.properties
@@ -102,7 +102,8 @@ realmBase.cannotGetRoles=Cannot get roles from principal [{0}]
 realmBase.createUsernameRetriever.ClassCastException=Class [{0}] is not an X509UsernameRetriever.
 realmBase.createUsernameRetriever.newInstance=Cannot create object of type [{0}].
 realmBase.credentialHandler.customCredentialHandler=Unable to set the property [{0}] to value [{1}] as a custom CredentialHandler has been configured
-realmBase.delegatedCredentialFail=Unable to obtain delegated credentials for user [{0}]
+realmBase.delegatedCredentialFail=Unable to obtain delegated credential for user [{0}]
+realmBase.credentialNotDelegated=Credential for user [{0}] has not been delegated though storing was requested
 realmBase.digest=Error digesting user credentials
 realmBase.forbidden=Access to the requested resource has been denied
 realmBase.gotX509Username=Got user name from X509 certificate: [{0}]
diff --git a/java/org/apache/catalina/realm/RealmBase.java b/java/org/apache/catalina/realm/RealmBase.java
index 3fde57c..0a0792a 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -480,27 +480,32 @@ public abstract class RealmBase extends LifecycleMBeanBase implements Realm {
 }
 if (gssName!= null) {
+ GSSCredential gssCredential = null;
+ if (storeCreds) {
+ if (gssContext.getCredDelegState()) {
+ try {
+ gssCredential = gssContext.getDelegCred();
+ } catch (GSSException e) {
+ log.warn(sm.getString(
+ "realmBase.delegatedCredentialFail", gssName), e);
+ }
+ } else {
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString(
+ "realmBase.credentialNotDelegated", gssName));
+ }
+ }
+ }
+
 String name = gssName.toString();
 if (isStripRealmForGss()) {
 int i = name.indexOf('@');
 if (i > 0) {
- // Zero so we don;t leave a zero length name
+ // Zero so we don't leave a zero length name
 name = name.substring(0, i);
 }
 }
- GSSCredential gssCredential = null;
- if (storeCreds && gssContext.getCredDelegState()) {
- try {
- gssCredential = gssContext.getDelegCred();
- } catch (GSSException e) {
- if (log.isDebugEnabled()) {
- log.debug(sm.getString(
- "realmBase.delegatedCredentialFail", name),
- e);
- }
- }
- }
 return getPrincipal(name, gssCredential);
 }
 } else {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 2393a89..6c58399 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -47,6 +47,10 @@
 <section name="Tomcat 9.0.23 (markt)" rtext="in development">
 <subsection name="Catalina">
 <changelog>
+ <update>
+ <bug>63627</bug>: Implement more fine-grained handling in
+ <code>RealmBase.authenticate(GSSContext, boolean)</code>. (michaelo)
+ </update>
 <add>
 <bug>62496</bug>: Add option to write auth information (remote user/auth type) to response headers. (michaelo)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
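Review bot: Both fall-through paths of the new `if (storeCreds)` block in RealmBase.java leave `gssCredential` null and still reach `return getPrincipal(name, gssCredential)`, so a caller that requested credential storage receives an authenticated principal without a credential, and the not-delegated case is reported only at debug level. That contract deserves a comment above the block, for example `// Authentication does not depend on delegation: if the credential is absent or cannot be obtained, the principal is created with a null credential`. The nested `} else { if (log.isDebugEnabled()) {` can be flattened to `} else if (log.isDebugEnabled()) {` without changing behaviour. The enclosing method starts and ends outside the hunk, so whether consumers of the principal null-check the credential cannot be confirmed from here.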