Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=51099

author markt <markt@13f79535-47bb-0310-9956-ffa450edef68>

Wed, 4 May 2011 21:47:09 +0000 (21:47 +0000)

committer markt <markt@13f79535-47bb-0310-9956-ffa450edef68>

Wed, 4 May 2011 21:47:09 +0000 (21:47 +0000)
author markt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Wed, 4 May 2011 21:47:09 +0000 (21:47 +0000)
committer markt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Wed, 4 May 2011 21:47:09 +0000 (21:47 +0000)
diff --git a/java/org/apache/catalina/authenticator/LocalStrings.properties b/java/org/apache/catalina/authenticator/LocalStrings.properties

index 05c75a5..fbdb397 100644 (file)
--- a/java/org/apache/catalina/authenticator/LocalStrings.properties
+++ b/java/org/apache/catalina/authenticator/LocalStrings.properties
@@ -37,4 +37,4 @@ spnegoAuthenticator.authHeaderNoToken=The Negotiate authorization header sent by
  spnegoAuthenticator.authHeaderNotNego=The authorization header sent by the client did not start with Negotiate
  spnegoAuthenticator.hostnameFail=Unable to determine the host name to construct the default SPN. Please set the spn attribute of the authenticator.
  spnegoAuthenticator.serviceLoginFail=Unable to login as the service principal
-spnegoAuthenticator.ticketValidateFail=Failed to validate client supplied ticket
-\ No newline at end of file
+spnegoAuthenticator.ticketValidateFail=Failed to validate client supplied ticket
diff --git a/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java b/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java

index a6389b1..3c36c6a 100644 (file)
--- a/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
@@ -19,7 +19,10 @@ package org.apache.catalina.authenticator;
  import java.io.File;
  import java.io.IOException;
  import java.security.Principal;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
  
+import javax.security.auth.Subject;
  import javax.security.auth.login.LoginContext;
  import javax.security.auth.login.LoginException;
  import javax.servlet.http.HttpServletResponse;
@@ -189,7 +192,7 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
          byte[] outToken = null;
          try {
              try {
-                lc = new LoginContext(loginConfigName);
+                lc = new LoginContext(getLoginConfigName());
                  lc.login();
              } catch (LoginException e) {
                  log.error(sm.getString("spnegoAuthenticator.serviceLoginFail"),
@@ -200,11 +203,18 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
              }
              // Assume the GSSContext is stateless
              // TODO: Confirm this assumption
-            GSSManager manager = GSSManager.getInstance();
-            gssContext = manager.createContext(manager.createCredential(null,
-                    GSSCredential.DEFAULT_LIFETIME,
-                    new Oid("1.3.6.1.5.5.2"),
-                    GSSCredential.ACCEPT_ONLY));
+            final GSSManager manager = GSSManager.getInstance();
+            final PrivilegedExceptionAction<GSSCredential> action =
+                new PrivilegedExceptionAction<GSSCredential>() {
+                    @Override
+                    public GSSCredential run() throws GSSException {
+                        return manager.createCredential(null,
+                                GSSCredential.DEFAULT_LIFETIME,
+                                new Oid("1.3.6.1.5.5.2"),
+                                GSSCredential.ACCEPT_ONLY);
+                    }
+                };
+            gssContext = manager.createContext(Subject.doAs(lc.getSubject(), action));
  
              outToken = gssContext.acceptSecContext(decoded.getBytes(),
                      decoded.getOffset(), decoded.getLength());
@@ -221,7 +231,7 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
              }
  
              principal = context.getRealm().authenticate(gssContext,
-                    storeDelegatedCredential);
+                    isStoreDelegatedCredential());
          } catch (GSSException e) {
              if (log.isDebugEnabled()) {
                  log.debug(sm.getString("spnegoAuthenticator.ticketValidateFail",
@@ -230,6 +240,11 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
              response.setHeader("WWW-Authenticate", "Negotiate");
              response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
              return false;
+        } catch (PrivilegedActionException e) {
+            log.error(sm.getString("spnegoAuthenticator.serviceLoginFail", e));
+            response.setHeader("WWW-Authenticate", "Negotiate");
+            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+            return false;
          } finally {
              if (gssContext != null) {
                  try {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml

index c446855..762b5a3 100644 (file)
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -94,6 +94,11 @@
          Add a container event that is fired when a session&apos;s ID is changed,
          e.g. on authentication. (markt)
        </add>
+      <fix>
+        <bug>51099</bug>: Correctly implement non-default login configurations
+        (configured via the loginConfigName attribute) for the the SPNEGO
+        authenticator. (fhanik/markt)
+      </fix>
        <add>
          <bug>51119</bug>: Add JAAS authentication support to the
          JMXRemoteLifecycleListener. Patch provided by Neil Laurance. (markt)
author	markt <markt@13f79535-47bb-0310-9956-ffa450edef68>
	Wed, 4 May 2011 21:47:09 +0000 (21:47 +0000)
committer	markt <markt@13f79535-47bb-0310-9956-ffa450edef68>
	Wed, 4 May 2011 21:47:09 +0000 (21:47 +0000)
java/org/apache/catalina/authenticator/LocalStrings.properties		patch \| blob \| history
java/org/apache/catalina/authenticator/SpnegoAuthenticator.java		patch \| blob \| history
webapps/docs/changelog.xml		patch \| blob \| history