Short Addendum:

The "destroyed" flag gets set when the dispose method of the GSSCredentialImpl is invoked. Currently, I have no clue when and how it happens, but I have seen this problem every few months. So it is only occurring sometimes. Maybe if the Kerberos ticket expires and the http session is still alive (?)

Nevertheless, the application should be able to recover from this situation and handle it like "not authenticated".

Greetings,
Thomas

-----Original Message-----
From: Thomas Hoffmann (Speed4Trade GmbH) <thomas.hoffm...@speed4trade.com.INVALID>
Sent: Tuesday, November 23, 2021 20:51
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Authentication with Browser stopped working / missing exception handling in getRemainingLifetime

Hello Mike,

I checked the last Java 17 sources, the IllegalStateException is still there:
https://github.com/openjdk/jdk/blob/jdk-17%2B35/src/java.security.jgss/share/classes/sun/security/jgss/GSSCredentialImpl.java

    public int getRemainingLifetime() throws GSSException {
        if (destroyed) {
            throw new IllegalStateException("This credential is " +
                                            "no longer valid");
        }
        ...

Latest Java 18 code looks the same.

I agree that there are better ways to tell the caller about the invalid Kerberos ticket status. IllegalStateException is a runtime exception whereas the method only declares a checked GSSException, which is maybe not the best way to design this method.
If somebody has good connections to the Java developers, maybe he/she can trigger an improvement.
Unfortunately it might break the compatibility to other tools if a checked exception is used.

Btw: you are right, the authentication is done via Kerberos. For role assignment, LDAP is used in combination in our case.

Thanks!
Thomas

-----Original Message-----
From: Michael B Allen <iop...@gmail.com>
Sent: Tuesday, November 23, 2021 17:32
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Authentication with Browser stopped working / missing exception handling in getRemainingLifetime

On Mon, Nov 22, 2021 at 2:39 AM Thomas Hoffmann (Speed4Trade GmbH) <thomas.hoffm...@speed4trade.com.invalid> wrote:
> Would it be better to also catch IllegalStateException and instead of
> checking left == 0 to change it to left <= 0 ?

I would argue that this is a bug in JGSS.

JGSS has been a comedy of errors over the years. I thought it had mostly stabilized over the last 5-10 years but this is a good example of the sort of bad behavior from that lib. Throwing an IllegalStateException there is a bad API choice. I have to wonder if that was not the designer's intention. The getRemainingLifetime API documentation does not say anything about it throwing an IllegalStateException when your cred expires.

You might want to try the latest JRE if you're using something old. Or maybe there's something screwy about the cred and it's tripping up an unexpected code path. I assume you mean Kerberos and not LDAP BTW.

But I think the only real short term solution for now would be to catch the IllegalStateException and just set left = 0.

Mike

--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
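
The short-term handling discussed in this thread (catch the IllegalStateException and treat a remaining lifetime of zero or less as expired), as an added example that is not part of the original messages and is not Tomcat's or the JDK's code. The class and method names are hypothetical, and the proxy-based stand-in credentials are constructed for the demonstration.

```java
import java.lang.reflect.Proxy;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;

public class CredentialLifetimeCheck {

    // Remaining lifetime in seconds; 0 when the credential cannot be queried.
    static int safeRemainingLifetime(GSSCredential cred) {
        if (cred == null) {
            return 0;
        }
        try {
            return cred.getRemainingLifetime();
        } catch (GSSException | IllegalStateException e) {
            // GSSException is the declared failure; IllegalStateException is the
            // undeclared one thrown once the credential has been disposed.
            return 0;
        }
    }

    // "left <= 0" rather than "left == 0": anything not strictly positive
    // is handled as "not authenticated".
    static boolean isStillValid(GSSCredential cred) {
        return safeRemainingLifetime(cred) > 0;
    }

    // Constructed stand-in credential (assumption for this demo only).
    static GSSCredential fakeCredential(boolean destroyed, int lifetime) {
        return (GSSCredential) Proxy.newProxyInstance(
                CredentialLifetimeCheck.class.getClassLoader(),
                new Class<?>[] {GSSCredential.class},
                (proxy, method, args) -> {
                    if (!method.getName().equals("getRemainingLifetime")) {
                        throw new UnsupportedOperationException(method.getName());
                    }
                    if (destroyed) {
                        throw new IllegalStateException("This credential is no longer valid");
                    }
                    return lifetime;
                });
    }

    public static void main(String[] args) {
        System.out.println("live:      " + isStillValid(fakeCredential(false, 3600)));
        System.out.println("expired:   " + isStillValid(fakeCredential(false, 0)));
        System.out.println("negative:  " + isStillValid(fakeCredential(false, -1)));
        System.out.println("destroyed: " + isStillValid(fakeCredential(true, 3600)));
    }
}
```

A caller that gets `false` here would drop the cached principal and restart the SPNEGO negotiation, so a disposed credential results in re-authentication instead of an unhandled runtime exception.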