Author: markt Date: Tue Sep 30 20:02:20 2014 New Revision: 1628534 URL: http://svn.apache.org/r1628534 Log: Ensure SPNEGO authentication continues to work with the JNDI Realm using delegated credentials with recent Oracle JREs.
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
Merged /tomcat/trunk:r1628517
Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java?rev=1628534&r1=1628533&r2=1628534&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java Tue Sep 30 20:02:20 2014
@@ -19,6 +19,7 @@ package org.apache.catalina.authenticato
 import java.io.File;
 import java.io.IOException;
 import java.security.Principal;
+import java.security.PrivilegedAction;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
 import java.util.regex.Pattern;
@@ -30,6 +31,7 @@ import javax.servlet.http.HttpServletRes
 import org.apache.catalina.Globals;
 import org.apache.catalina.LifecycleException;
+import org.apache.catalina.Realm;
 import org.apache.catalina.connector.Request;
 import org.apache.catalina.deploy.LoginConfig;
 import org.apache.catalina.startup.Bootstrap;
@@ -221,6 +223,9 @@ public class SpnegoAuthenticator extends
 HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
 return false;
 }
+
+ Subject subject = lc.getSubject();
+
 // Assume the GSSContext is stateless
 // TODO: Confirm this assumption
 final GSSManager manager = GSSManager.getInstance();
@@ -241,7 +246,7 @@ public class SpnegoAuthenticator extends
 GSSCredential.ACCEPT_ONLY);
 }
 };
- gssContext = manager.createContext(Subject.doAs(lc.getSubject(), action));
+ gssContext = manager.createContext(Subject.doAs(subject, action));
 outToken = Subject.doAs(lc.getSubject(),
 new AcceptAction(gssContext, decoded));
@@ -256,8 +261,9 @@ public class SpnegoAuthenticator extends
 return false;
 }
- principal = context.getRealm().authenticate(gssContext,
- isStoreDelegatedCredential());
+ principal = Subject.doAs(subject, new AuthenticateAction(
+ context.getRealm(), gssContext, storeDelegatedCredential));
+
 } catch (GSSException e) {
 if (log.isDebugEnabled()) {
 log.debug(sm.getString("spnegoAuthenticator.ticketValidateFail"), e);
@@ -339,4 +345,24 @@ public class SpnegoAuthenticator extends
 0, decoded.length);
 }
 }
+
+
+ private static class AuthenticateAction implements PrivilegedAction<Principal> {
+
+ private final Realm realm;
+ private final GSSContext gssContext;
+ private final boolean storeDelegatedCredential;
+
+ public AuthenticateAction(Realm realm, GSSContext gssContext,
+ boolean storeDelegatedCredential) {
+ this.realm = realm;
+ this.gssContext = gssContext;
+ this.storeDelegatedCredential = storeDelegatedCredential;
+ }
+
+ @Override
+ public Principal run() {
+ return realm.authenticate(gssContext, storeDelegatedCredential);
+ }
+ }
 }
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1628534&r1=1628533&r2=1628534&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Tue Sep 30 20:02:20 2014
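Review bot: The line right after the changed one, `outToken = Subject.doAs(lc.getSubject(),`, still re-fetches the Subject from the LoginContext even though the new `subject` local now holds that value and is used on the `createContext` line above it. For consistency the two `doAs` calls in this hunk should use the same local, i.e. `outToken = Subject.doAs(subject,`. The enclosing `authenticate` method begins and ends outside this hunk.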
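Review bot: The new `principal = Subject.doAs(subject, new AuthenticateAction(...))` line changes who the Realm lookup runs as, but nothing in the code records why, so a later reader may well "simplify" it back to a direct `realm.authenticate` call. A one-line comment above it such as `// Run the Realm lookup as the authenticated Subject so a Realm that uses delegated credentials (JNDI Realm, bug 57022) can see them on recent Oracle JREs` would preserve the intent stated in the commit log. The same line also reads the `storeDelegatedCredential` field where the removed code called `isStoreDelegatedCredential()`; if the getter is meant as an override point for subclasses, passing `isStoreDelegatedCredential()` keeps that behaviour, otherwise the field access is fine but worth a word in the comment.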
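Review bot: `AuthenticateAction` has no Javadoc, so the class alone does not explain why `Realm.authenticate` is wrapped in a `PrivilegedAction` rather than called directly, which is the whole reason for the type. Suggest a class comment along the lines of `/** Calls Realm.authenticate(GSSContext, boolean) from within Subject.doAs so that the Realm sees the SPNEGO-authenticated Subject (needed by the JNDI Realm with delegated credentials, bug 57022). */`, plus a short note on `run()` that the returned Principal is whatever the Realm returns, including null on rejection if the Realm signals failure that way. Minor style: the `public` modifier on the constructor of a `private static` nested class is redundant and can be dropped.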
@@ -56,6 +56,15 @@ issues to not "pop up" wrt. others). -->
 <section name="Tomcat 7.0.57 (violetagg)">
+ <subsection name="Catalina">
+ <changelog>
+ <fix>
+ <bug>57022</bug>: Ensure SPNEGO authentication continues to work with
+ the JNDI Realm using delegated credentials with recent Oracle JREs.
+ (markt)
+ </fix>
+ </changelog>
+ </subsection>
 <subsection name="Web applications">
 <changelog>
 <fix>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org