As reported by fhanik on the dev list:

2. com.sun.security.jgss.krb5.accept is not configurable

While the authenticator has the attribute loginConfigName, there seems to be a place in the code where it omits this entry. Renaming this entry in jaas.conf and setting the loginConfigName will fail to validate a ticket.

The problem code is here:

    gssContext = manager.createContext(manager.createCredential(null,
            GSSCredential.DEFAULT_LIFETIME, new Oid("1.3.6.1.5.5.2"),
            GSSCredential.ACCEPT_ONLY));

should look like

    final GSSManager manager = GSSManager.getInstance();
    final PrivilegedExceptionAction<GSSCredential> action =
            new PrivilegedExceptionAction<GSSCredential>() {
        public GSSCredential run() throws GSSException {
            return manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                    new Oid("1.3.6.1.5.5.2"), GSSCredential.ACCEPT_ONLY);
        }
    };
    gssContext = manager.createContext(Subject.doAs(lc.getSubject(), action));

best
Filip
Patch was spot on. Cheers Filip. Applied to 7.0.x. Will be in 7.0.13 onwards.
I think it looks very good and I'm very interested because I use a spnego filter at this moment, but I think the JAAS login and the creation of the gssmanager should be in a constructor or in this case possibly in the initInternal. This is the JAAS login of the server and should be done only once. At least I think so, maybe I'm wrong, it's a complex subject.

I'm talking about this part:

    try {
        lc = new LoginContext(getLoginConfigName());
        lc.login();
    } catch (LoginException e) {
        log.error(sm.getString("spnegoAuthenticator.serviceLoginFail"), e);
        response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        return false;
    }

    // Assume the GSSContext is stateless
    // TODO: Confirm this assumption
    final GSSManager manager = GSSManager.getInstance();

Kind regards,
Gerard
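To show the two points raised above together, Filip's fix (acquire the acceptor credential under Subject.doAs so the configured jaas.conf entry is honoured) and Gerard's suggestion (do the service login once, not per request), here is an added, hypothetical acceptor class; it is not Tomcat's SpnegoAuthenticator, and the class and method names are made up for the illustration.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/** Hypothetical SPNEGO acceptor: one JAAS login per instance, one GSSContext per request. */
public class SpnegoAcceptor {
    private final Subject serviceSubject;
    private final GSSCredential serverCred;

    /** loginConfigName selects the jaas.conf entry, so it need not be com.sun.security.jgss.krb5.accept. */
    public SpnegoAcceptor(String loginConfigName) throws LoginException, PrivilegedActionException {
        LoginContext lc = new LoginContext(loginConfigName);
        lc.login();                         // service keytab login happens once, at construction
        serviceSubject = lc.getSubject();
        final GSSManager manager = GSSManager.getInstance();
        // Acquire the acceptor credential as the logged-in subject. Outside doAs, JGSS ignores
        // the configured entry and falls back to the default com.sun.security.jgss.krb5.accept.
        serverCred = Subject.doAs(serviceSubject, new PrivilegedExceptionAction<GSSCredential>() {
            public GSSCredential run() throws GSSException {
                return manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                        new Oid("1.3.6.1.5.5.2"), GSSCredential.ACCEPT_ONLY);
            }
        });
    }

    /** Per-request: returns the authenticated client principal, or null if the exchange is not complete. */
    public String accept(final byte[] token) throws PrivilegedActionException {
        return Subject.doAs(serviceSubject, new PrivilegedExceptionAction<String>() {
            public String run() throws GSSException {
                GSSContext ctx = GSSManager.getInstance().createContext(serverCred);
                try {
                    // A continuation token returned here would normally go back to the client
                    // in WWW-Authenticate; this illustration only reports the final result.
                    ctx.acceptSecContext(token, 0, token.length);
                    return ctx.isEstablished() ? ctx.getSrcName().toString() : null;
                } finally {
                    ctx.dispose();              // contexts are per request; the credential is reused
                }
            }
        });
    }
}
```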
That is a separate issue that does not belong as part of this issue. To be perfectly honest, reports along the lines of "this might be a bug, I'm not sure" are just going to get closed as invalid.
Just trying to help.