Bug 55570 - SpnegoAuthenticator: Resource file is missing placeholders for exceptions.
Summary: SpnegoAuthenticator: Resource file is missing placeholders for exceptions.
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 7.0.29
Hardware: PC All
: P2 normal (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-09-19 12:48 UTC by Sander
Modified: 2013-09-24 06:27 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sander 2013-09-19 12:48:43 UTC
In java/org/apache/catalina/authenticator/SpnegoAuthenticator.java problems are logged with an exception. The exception does not show up in the logging. The exception only shows up if I hack java/org/apache/catalina/authenticator/LocalStrings.properties in catalina.jar, and add a placeholder.


REPRODUCE:
- Configure SP-NEGO with Kerberos.
- Mess up your principal in com.sun.security.jgss.krb5.accept in jaas.config.
- Try to login. 
- See that you get something like:
FINE [org.apache.catalina.authenticator.SpnegoAuthenticator authenticate] Failed to validate client supplied ticket 

FIX:
In java/org/apache/catalina/authenticator/LocalStrings.properties please add [{0}] to the following lines:
spnegoAuthenticator.ticketValidateFail=Failed to validate client supplied ticket
spnegoAuthenticator.serviceLoginFail=Unable to login as the service principal
In SpnegoAuthenticator.java you can verify that exceptions are indeed passed to the log.

VALIDATE:
- Reproduce again
- See that you now get
Failed to validate client supplied ticket [GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)] 

The exception is not super-helpful, but at least it's something.
Comment 1 Mark Thomas 2013-09-19 15:03:53 UTC
The problem is not that the message is missing the placeholder but that the exception argument is in the wrong place. It should be being passed to the log.xxxx method so the full strack trace appears in the logs.

This has been fixed in 8.0.x for 8.0.0-RC3 onwards and 7.0.x for 7.0.43 onwards.
Comment 2 Sander 2013-09-24 06:27:38 UTC
thanks!