Short Addendum:

The "destroyed" flag gets set when the dispose method of GSSCredentialImpl 
is invoked.
Currently, I have no clue when and how it happens, but I have seen this problem 
every few months.
So it only occurs sometimes. Maybe if the Kerberos ticket expires and the 
HTTP session is still alive (?)

Nevertheless, the application should be able to recover from this situation and 
handle it like "not authenticated".

Greetings, 
Thomas


-----Original Message-----
From: Thomas Hoffmann (Speed4Trade GmbH) 
<thomas.hoffm...@speed4trade.com.INVALID> 
Sent: Tuesday, 23 November 2021 20:51
To: Tomcat Users List <users@tomcat.apache.org>
Subject: RE: Authentication with Browser stopped working / missing exception 
handling in getRemainingLifetime

Hello Mike,

I checked the latest Java 17 sources; the IllegalStateException is still there:
https://github.com/openjdk/jdk/blob/jdk-17%2B35/src/java.security.jgss/share/classes/sun/security/jgss/GSSCredentialImpl.java

    public int getRemainingLifetime() throws GSSException {

        if (destroyed) {
            throw new IllegalStateException("This credential is " +
                                        "no longer valid");
        }
...

Latest Java 18 Code looks the same.

I agree that there are better ways to tell the caller about the invalid 
Kerberos ticket status.
IllegalStateException is a runtime exception, whereas the method only declares a 
checked GSSException, which is maybe not the best way to design this method.

If somebody has good connections to the Java developers, maybe he/she can 
trigger an improvement. Unfortunately, it might break compatibility with other 
tools if a checked exception is used.

Btw: you are right, the authentication is done via Kerberos. For role 
assignment, LDAP is used in combination in our case.

Thanks!
Thomas


-----Original Message-----
From: Michael B Allen <iop...@gmail.com>
Sent: Tuesday, 23 November 2021 17:32
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Authentication with Browser stopped working / missing exception 
handling in getRemainingLifetime

On Mon, Nov 22, 2021 at 2:39 AM Thomas Hoffmann (Speed4Trade GmbH) 
<thomas.hoffm...@speed4trade.com.invalid> wrote:
> Would it be better to also catch IllegalStateException and instead of 
> checking left == 0 to change it to left <= 0 ?

I would argue that this is a bug in JGSS. JGSS has been a comedy of errors over 
the years. I thought it had mostly stabilized over the last 5-10 years, but this 
is a good example of the sort of bad behavior from that lib. Throwing an 
IllegalStateException there is a bad API choice. I have to wonder if that was 
not the designer's intention. The getRemainingLifetime API documentation does 
not say anything about it throwing an IllegalStateException when your cred 
expires. You might want to try the latest JRE if you're using something old. Or 
maybe there's something screwy about the cred and it's tripping up an 
unexpected code path. I assume you mean Kerberos and not LDAP, BTW.

But I think the only real short term solution for now would be to catch the 
IllegalStateException and just set left = 0.

Mike

--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
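The recovery both messages in this thread converge on (catch the IllegalStateException, treat the credential as expired, and check `left <= 0` rather than `left == 0`) as an added example. This is not Tomcat's or the JDK's own code; it wraps the standard `org.ietf.jgss.GSSCredential.getRemainingLifetime()` call, which declares only the checked `GSSException`. The class name `CredentialLifetime`, its method names, and the `Proxy`-based stand-in for a disposed credential in `main` are assumptions constructed for this example so that it runs without a KDC.

```java
import java.lang.reflect.Proxy;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;

/**
 * Added example (not Tomcat's or JGSS's code): a defensive wrapper around
 * GSSCredential.getRemainingLifetime() that maps the undocumented
 * IllegalStateException thrown by a disposed sun.security.jgss.GSSCredentialImpl
 * onto the same outcome as an expired ticket, so the caller sees
 * "not authenticated" instead of an uncaught runtime exception.
 */
public final class CredentialLifetime {

    private CredentialLifetime() {}

    /**
     * Remaining lifetime in seconds, or 0 when the credential is null,
     * expired, disposed, or cannot be queried at all.
     */
    public static int remainingLifetimeSeconds(GSSCredential cred) {
        if (cred == null) {
            return 0;
        }
        try {
            int left = cred.getRemainingLifetime();
            // Clamp rather than compare for equality with 0, so a negative
            // value from an implementation is also treated as expired.
            return Math.max(left, 0);
        } catch (IllegalStateException e) {
            // Thrown by GSSCredentialImpl after dispose(): the credential
            // "is no longer valid". Treat it exactly like an expired one.
            return 0;
        } catch (GSSException e) {
            // The checked exception the API actually declares; same outcome.
            return 0;
        }
    }

    /** True only while the credential still has lifetime left. */
    public static boolean isStillValid(GSSCredential cred) {
        return remainingLifetimeSeconds(cred) > 0;
    }

    public static void main(String[] args) {
        // Constructed stand-in (assumption for this example): a proxy whose
        // getRemainingLifetime() behaves like a disposed GSSCredentialImpl.
        GSSCredential disposed = (GSSCredential) Proxy.newProxyInstance(
            GSSCredential.class.getClassLoader(),
            new Class<?>[] { GSSCredential.class },
            (proxy, method, methodArgs) -> {
                if ("getRemainingLifetime".equals(method.getName())) {
                    throw new IllegalStateException("This credential is no longer valid");
                }
                throw new UnsupportedOperationException(method.getName());
            });

        // Constructed stand-in: a credential with 5 minutes left.
        GSSCredential live = (GSSCredential) Proxy.newProxyInstance(
            GSSCredential.class.getClassLoader(),
            new Class<?>[] { GSSCredential.class },
            (proxy, method, methodArgs) -> {
                if ("getRemainingLifetime".equals(method.getName())) {
                    return 300;
                }
                throw new UnsupportedOperationException(method.getName());
            });

        System.out.println("disposed credential valid? " + isStillValid(disposed));
        System.out.println("live credential valid?     " + isStillValid(live));
        System.out.println("null credential valid?     " + isStillValid(null));
    }
}
```

In an authenticator, `isStillValid` is the check to run before trusting a cached credential; a `false` result should fall through to the normal "not authenticated" path (re-challenge the browser) rather than surfacing as a 500. Catching `GSSException` alongside `IllegalStateException` keeps the wrapper honest about the declared contract as well as the undeclared one.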

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

