From 074a73253ead0ddf5de839425f2139dee2d4b93b Mon Sep 17 00:00:00 2001
From: markt
Date: Wed, 4 May 2011 21:47:09 +0000
Subject: [PATCH] Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=51099 Get loginConfigName working with non-default values Patch by fhanik (plus some minor code clean-up)
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1099615 13f79535-47bb-0310-9956-ffa450edef68
---
 .../catalina/authenticator/LocalStrings.properties | 2 +-
 .../authenticator/SpnegoAuthenticator.java | 29 ++++++++++++++++------
 webapps/docs/changelog.xml | 5 ++++
 3 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/java/org/apache/catalina/authenticator/LocalStrings.properties b/java/org/apache/catalina/authenticator/LocalStrings.properties
index 05c75a586..fbdb397b9 100644
--- a/java/org/apache/catalina/authenticator/LocalStrings.properties
+++ b/java/org/apache/catalina/authenticator/LocalStrings.properties
@@ -37,4 +37,4 @@ spnegoAuthenticator.authHeaderNoToken=The Negotiate authorization header sent by
 spnegoAuthenticator.authHeaderNotNego=The authorization header sent by the client did not start with Negotiate
 spnegoAuthenticator.hostnameFail=Unable to determine the host name to construct the default SPN. Please set the spn attribute of the authenticator.
 spnegoAuthenticator.serviceLoginFail=Unable to login as the service principal
-spnegoAuthenticator.ticketValidateFail=Failed to validate client supplied ticket
\ No newline at end of file
+spnegoAuthenticator.ticketValidateFail=Failed to validate client supplied ticket
diff --git a/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java b/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
index a6389b1a1..3c36c6ab3 100644
--- a/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
@@ -19,7 +19,10 @@ package org.apache.catalina.authenticator;
 import java.io.File;
 import java.io.IOException;
 import java.security.Principal;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import javax.security.auth.Subject;
 import javax.security.auth.login.LoginContext;
 import javax.security.auth.login.LoginException;
 import javax.servlet.http.HttpServletResponse;
@@ -189,7 +192,7 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
 byte[] outToken = null;
 try {
 try {
- lc = new LoginContext(loginConfigName);
+ lc = new LoginContext(getLoginConfigName());
 lc.login();
 } catch (LoginException e) {
 log.error(sm.getString("spnegoAuthenticator.serviceLoginFail"),
@@ -200,11 +203,18 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
 }
 // Assume the GSSContext is stateless
 // TODO: Confirm this assumption
- GSSManager manager = GSSManager.getInstance();
- gssContext = manager.createContext(manager.createCredential(null,
- GSSCredential.DEFAULT_LIFETIME,
- new Oid("1.3.6.1.5.5.2"),
- GSSCredential.ACCEPT_ONLY));
+ final GSSManager manager = GSSManager.getInstance();
+ final PrivilegedExceptionAction action =
+ new PrivilegedExceptionAction() {
+ @Override
+ public GSSCredential run() throws GSSException {
+ return manager.createCredential(null,
+ GSSCredential.DEFAULT_LIFETIME,
+ new Oid("1.3.6.1.5.5.2"),
+ GSSCredential.ACCEPT_ONLY);
+ }
+ };
+ gssContext = manager.createContext(Subject.doAs(lc.getSubject(), action));
 outToken = gssContext.acceptSecContext(decoded.getBytes(),
 decoded.getOffset(), decoded.getLength());
@@ -221,7 +231,7 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
 }
 principal = context.getRealm().authenticate(gssContext,
- storeDelegatedCredential);
+ isStoreDelegatedCredential());
 } catch (GSSException e) {
 if (log.isDebugEnabled()) {
 log.debug(sm.getString("spnegoAuthenticator.ticketValidateFail",
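Review bot: In the `@@ -200,11 +203,18 @@` hunk `action` is declared as a raw `PrivilegedExceptionAction`, so `Subject.doAs(lc.getSubject(), action)` yields `Object` and the enclosing `manager.createContext(...)` call would need a cast to compile; the `<GSSCredential>` type arguments may simply have been stripped by the page rendering, but if they are genuinely absent the declaration should read `final PrivilegedExceptionAction<GSSCredential> action = new PrivilegedExceptionAction<GSSCredential>() {`. The anonymous action would also benefit from a one-line why-comment, since nothing in the hunk says why the credential is now acquired inside `doAs()`, e.g. `// Acquire the acceptor credential while running as the JAAS-authenticated service Subject, so the GSS provider can find the service principal's credentials`. The pre-existing `TODO: Confirm this assumption` about the GSSContext being stateless still stands and is not addressed by the change. The enclosing method starts before the `@@ -189` hunk and ends after the `@@ -230` hunk.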
@@ -230,6 +240,11 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
 response.setHeader("WWW-Authenticate", "Negotiate");
 response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
 return false;
+ } catch (PrivilegedActionException e) {
+ log.error(sm.getString("spnegoAuthenticator.serviceLoginFail", e));
+ response.setHeader("WWW-Authenticate", "Negotiate");
+ response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+ return false;
 } finally {
 if (gssContext != null) {
 try {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index c446855dc..762b5a3c6 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -94,6 +94,11 @@ Add a container event that is fired when a session's ID is changed, e.g. on authentication. (markt) + + 51099: Correctly implement non-default login configurations (configured via the loginConfigName attribute) for the the SPNEGO authenticator. (fhanik/markt) + 51119: Add JAAS authentication support to the JMXRemoteLifecycleListener. Patch provided by Neil Laurance. (markt) -- 2.11.0
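Review bot: In the new `catch (PrivilegedActionException e)` block the exception is passed to `sm.getString(...)` as a message argument instead of to `log.error` as the throwable, so only `e.toString()` is substituted into a message that, per the `LocalStrings.properties` hunk, has no `{0}` placeholder, and the stack trace of the underlying failure is lost. The sibling `catch (LoginException e)` in the `@@ -189` hunk passes the exception as a separate argument to `log.error`; this block should do the same, and because `PrivilegedActionException` only wraps the checked exception thrown inside `run()`, logging `e.getException()` surfaces the actual `GSSException` from `createCredential`: `log.error(sm.getString("spnegoAuthenticator.serviceLoginFail"), e.getException());`. The `serviceLoginFail` text ("Unable to login as the service principal") also describes the JAAS login rather than the credential acquisition that fails here, so a separate message key would make operator diagnosis easier. The enclosing try/catch starts in the `@@ -189` hunk and its `finally` block continues outside this hunk.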