Bug 51099 - SPNEGO loginConfigName does not work
Summary: SPNEGO loginConfigName does not work
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Catalina (show other bugs)
Version: trunk
Hardware: All All
: P2 normal (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-04-21 05:11 UTC by Mark Thomas
Modified: 2011-05-06 09:39 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Thomas 2011-04-21 05:11:31 UTC
As reported by fhanik on the dev list:

2. com.sun.security.jgss.krb5.accept is not configurable
While the authenticator has the attribute loginConfigName, there seems to be a place in the code where it omits this entry.
renaming this entry in jaas.conf and setting the loginConfigName will fail to validate a ticket

The problem code is here:

            gssContext = manager.createContext(manager.createCredential(null,
                    GSSCredential.DEFAULT_LIFETIME,
                    new Oid("1.3.6.1.5.5.2"),
                    GSSCredential.ACCEPT_ONLY));

should look like
            final GSSManager manager = GSSManager.getInstance();
            final PrivilegedExceptionAction<GSSCredential> action =
                new PrivilegedExceptionAction<GSSCredential>() {
                    public GSSCredential run() throws GSSException {
                        return manager.createCredential(null,
                                GSSCredential.DEFAULT_LIFETIME,
                                new Oid("1.3.6.1.5.5.2"),
                                GSSCredential.ACCEPT_ONLY);
                    }
                };
            gssContext = manager.createContext(Subject.doAs(lc.getSubject(), action));||


best
Filip
Comment 1 Mark Thomas 2011-05-04 21:47:16 UTC
Patch was spot on. Cheers Filip.

Applied to 7.0.x. Will be in 7.0.13 onwards.
Comment 2 Gerard Borst 2011-05-05 17:51:54 UTC
I think it looks very good and I'm very interested because I use a spnego filter at this moment, but I think the JAAS login and the creation of the gssmanager should be in a constructor or in this case possibly in the initInternal. This the JAAS login of the server and should be done only once. At least I think so, maybe I'm wrong, it's a complex subject.

I'm  talking about this part:

            try {
                lc = new LoginContext(getLoginConfigName());
                lc.login();
            } catch (LoginException e) {
                log.error(sm.getString("spnegoAuthenticator.serviceLoginFail"),
                        e);
                response.sendError(
                        HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                return false;
            }
            // Assume the GSSContext is stateless
            // TODO: Confirm this assumption
            final GSSManager manager = GSSManager.getInstance();

Met vriendelijke groet,

Gerard
Comment 3 Mark Thomas 2011-05-05 18:48:30 UTC
That is a separate issue that does not belong as part of this issue. To be perfectly honest, reports along the lines of "this might be a bug, I'm not sure" are just going to get closed as invalid.
Comment 4 Gerard Borst 2011-05-06 09:39:54 UTC
Just trying to help.