This is an automated email from the ASF dual-hosted git repository.
markt-asf pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new 6c60ed7ebd Remove work around that is no longer required
6c60ed7ebd is described below
commit 6c60ed7ebda02fc7989adf2926daa428b178d8dd
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Apr 29 14:12:58 2026 +0100
Remove work around that is no longer required
---
.../authenticator/SpnegoAuthenticator.java | 192 ++-------------------
webapps/docs/config/valve.xml | 12 +-
2 files changed, 23 insertions(+), 181 deletions(-)
diff --git a/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
b/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
index f7beeedb79..2c93e3eedd 100644
--- a/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
@@ -20,7 +20,6 @@ import java.io.File;
import java.io.IOException;
import java.security.Principal;
import java.util.Base64;
-import java.util.LinkedHashMap;
import java.util.concurrent.CompletionException;
import java.util.regex.Pattern;
@@ -93,14 +92,29 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
}
}
- private boolean applyJava8u40Fix = true;
-
+ /**
+ * This attribute is now hard-coded to {@code false} as the work-around
this attribute enabled is no longer
+ * required.
+ *
+ * @return Always {@code false}
+ *
+ * @deprecated This method will be removed from Tomcat 12 onwards.
+ */
+ @Deprecated
public boolean getApplyJava8u40Fix() {
- return applyJava8u40Fix;
+ return false;
}
+ /**
+ * This method is now a NO-OP as the work-around this attribute enabled is
no longer required.
+ *
+ * @param applyJava8u40Fix Ignored
+ *
+ * @deprecated This method will be removed from Tomcat 12 onwards.
+ */
+ @Deprecated
public void setApplyJava8u40Fix(boolean applyJava8u40Fix) {
- this.applyJava8u40Fix = applyJava8u40Fix;
+ // NO-OP
}
@@ -179,10 +193,6 @@ public class SpnegoAuthenticator extends AuthenticatorBase
{
authorizationBC.getLength());
byte[] decoded = Base64.getDecoder().decode(encoded);
- if (getApplyJava8u40Fix()) {
- SpnegoTokenFixer.fix(decoded);
- }
-
if (decoded.length == 0) {
if (log.isDebugEnabled()) {
log.debug(sm.getString("spnegoAuthenticator.authHeaderNoToken"));
@@ -304,168 +314,4 @@ public class SpnegoAuthenticator extends
AuthenticatorBase {
MessageBytes authorizationHeader =
request.getCoyoteRequest().getMimeHeaders().getValue("authorization");
return authorizationHeader != null &&
authorizationHeader.startsWithIgnoreCase("negotiate ", 0);
}
-
-
- /**
- * This class implements a hack around an incompatibility between the
SPNEGO implementation in Windows and the
- * SPNEGO implementation in Java 8 update 40 onwards. It was introduced by
the change to fix this bug:
- * <a
href="https://bugs.openjdk.java.net/browse/JDK-8048194";>JDK-8048194</a> (note:
the change applied is not the
- * one suggested in the bug report)
- * <p>
- * It is not clear to me if Windows, Java or Tomcat is at fault here. I
think it is Java, but I could be wrong.
- * <p>
- * This hack works by re-ordering the list of mechTypes in the
NegTokenInit token.
- */
- public static class SpnegoTokenFixer {
-
- public static void fix(byte[] token) {
- SpnegoTokenFixer fixer = new SpnegoTokenFixer(token);
- fixer.fix();
- }
-
-
- private final byte[] token;
- private int pos = 0;
-
-
- private SpnegoTokenFixer(byte[] token) {
- this.token = token;
- }
-
-
- // Fixes the token in-place
- private void fix() {
- /*
- * Useful references: http://tools.ietf.org/html/rfc4121#page-5
http://tools.ietf.org/html/rfc2743#page-81
- * https://msdn.microsoft.com/en-us/library/ms995330.aspx
- */
-
- // Scan until we find the mech types list. If we find anything
- // unexpected, abort the fix process.
- if (!tag(0x60)) {
- return;
- }
- if (!length()) {
- return;
- }
- if (!oid("1.3.6.1.5.5.2")) {
- return;
- }
- if (!tag(0xa0)) {
- return;
- }
- if (!length()) {
- return;
- }
- if (!tag(0x30)) {
- return;
- }
- if (!length()) {
- return;
- }
- if (!tag(0xa0)) {
- return;
- }
- lengthAsInt();
- if (!tag(0x30)) {
- return;
- }
- // Now at the start of the mechType list.
- // Read the mechTypes into an ordered set
- int mechTypesLen = lengthAsInt();
- int mechTypesStart = pos;
- LinkedHashMap<String,int[]> mechTypeEntries = new
LinkedHashMap<>();
- while (pos < mechTypesStart + mechTypesLen) {
- int[] value = new int[2];
- value[0] = pos;
- String key = oidAsString();
- value[1] = pos - value[0];
- mechTypeEntries.put(key, value);
- }
- // Now construct the re-ordered mechType list
- byte[] replacement = new byte[mechTypesLen];
- int replacementPos = 0;
-
- int[] first = mechTypeEntries.remove("1.2.840.113554.1.2.2");
- if (first != null) {
- System.arraycopy(token, first[0], replacement, replacementPos,
first[1]);
- replacementPos += first[1];
- }
- for (int[] markers : mechTypeEntries.values()) {
- System.arraycopy(token, markers[0], replacement,
replacementPos, markers[1]);
- replacementPos += markers[1];
- }
-
- // Finally, replace the original mechType list with the re-ordered
- // one.
- System.arraycopy(replacement, 0, token, mechTypesStart,
mechTypesLen);
- }
-
-
- private boolean tag(int expected) {
- return (token[pos++] & 0xFF) == expected;
- }
-
-
- private boolean length() {
- // No need to retain the length - just need to consume it and make
- // sure it is valid.
- int len = lengthAsInt();
- return pos + len == token.length;
- }
-
-
- private int lengthAsInt() {
- int len = token[pos++] & 0xFF;
- if (len > 127) {
- int bytes = len - 128;
- len = 0;
- for (int i = 0; i < bytes; i++) {
- len = len << 8;
- len = len + (token[pos++] & 0xff);
- }
- }
- return len;
- }
-
-
- private boolean oid(String expected) {
- return expected.equals(oidAsString());
- }
-
-
- private String oidAsString() {
- if (!tag(0x06)) {
- return null;
- }
- StringBuilder result = new StringBuilder();
- int len = lengthAsInt();
- // First byte is special case
- int v = token[pos++] & 0xFF;
- int c2 = v % 40;
- int c1 = (v - c2) / 40;
- result.append(c1);
- result.append('.');
- result.append(c2);
- int c = 0;
- boolean write = false;
- for (int i = 1; i < len; i++) {
- int b = token[pos++] & 0xFF;
- if (b > 127) {
- b -= 128;
- } else {
- write = true;
- }
- c = c << 7;
- c += b;
- if (write) {
- result.append('.');
- result.append(c);
- c = 0;
- write = false;
- }
- }
- return result.toString();
- }
- }
}
diff --git a/webapps/docs/config/valve.xml b/webapps/docs/config/valve.xml
index 30890279a0..ec00e39570 100644
--- a/webapps/docs/config/valve.xml
+++ b/webapps/docs/config/valve.xml
@@ -2187,14 +2187,10 @@
</attribute>
<attribute name="applyJava8u40Fix" required="false">
- <p>A fix introduced in Java 8 update 40 (
- <a
href="https://bugs.openjdk.java.net/browse/JDK-8048194";>JDK-8048194</a>)
- onwards broke SPNEGO authentication for IE with Tomcat running on
- Windows 2008 R2 servers. This option enables a work-around that allows
- SPNEGO authentication to continue working. The work-around should not
- impact other configurations so it is enabled by default. If necessary,
- the workaround can be disabled by setting this attribute to
- <code>false</code>.</p>
+ <p>This attribute is hard-coded to <code>false</code> as the work
around
+ it enabled is no longer required. The attribute will be removed from
+ Tomcat 12 onwards. Any attempt to set the attribute will be ignored.
+ </p>
</attribute>
<attribute name="cache" required="false">
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
