Bug 55760 - Tomcat SPNEGO authenticator incompatible with IBM JDK in case of Keytab based initiate and accept authentication
Tomcat SPNEGO authenticator incompatible with IBM JDK in case of Keytab based...
Status: RESOLVED FIXED
Product: Tomcat 7
Classification: Unclassified
Component: Catalina
7.0.35
PC AIX
: P1 blocker (vote)
: ---
Assigned To: Tomcat Developers Mailing List
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2013-11-08 11:48 UTC by Arunav Sanyal
Modified: 2013-11-11 09:50 UTC (History)
1 user (show)



Attachments
New source code (2.21 KB, patch)
2013-11-09 12:01 UTC, Arunav Sanyal
Details | Diff
Proper format of fix (458 bytes, text/plain)
2013-11-11 06:43 UTC, Arunav Sanyal
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Arunav Sanyal 2013-11-08 11:48:18 UTC
Hi

Our company has a use case in which our domain is a tomcat process. In our code, we support a parallel protocol which uses In memory based jaas configuration - 

public class OurLoginConfiguration extends Configuration

In IBM JDK 7, we need to initiate using keytab which needs the system property javax.security.auth.useSubjectCredsOnly to be set to true for it to work. However Tomcat sets it in  

Inside SpnegoAuthenticator:-

 protected void initInternal() throws LifecycleException {
        super.initInternal();

        // Kerberos configuration file location
        String krb5Conf = System.getProperty(Constants.KRB5_CONF_PROPERTY);
        if (krb5Conf == null) {
            // System property not set, use the Tomcat default
            File krb5ConfFile = new File(Bootstrap.getCatalinaBase(),
                    Constants.DEFAULT_KRB5_CONF);
            System.setProperty(Constants.KRB5_CONF_PROPERTY,
                    krb5ConfFile.getAbsolutePath());
        }

        // JAAS configuration file location
        String jaasConf = System.getProperty(Constants.JAAS_CONF_PROPERTY);
        if (jaasConf == null) {
            // System property not set, use the Tomcat default
            File jaasConfFile = new File(Bootstrap.getCatalinaBase(),
                    Constants.DEFAULT_JAAS_CONF);
            System.setProperty(Constants.JAAS_CONF_PROPERTY,
                    jaasConfFile.getAbsolutePath());
        }
        
        // This property must be false for SPNEGO to work
        System.setProperty(Constants.USE_SUBJECT_CREDS_ONLY_PROPERTY, "false");
    }

as false in the last line which causes havoc in the code. A multithreaded startup causes a breakdown in further authentication for keytab based logging.


Now a little more investigation revealed that tomcat acts only as an acceptor. Now this property need not necessarily be set to false for it to work(in both IBM and SUN JDK). 

Source of claim - http://cr.openjdk.java.net/~weijun/special/krb5winguide-2/raw_files/new/kwin

Excerpt:-
 2. Direct JGSS:

      /* JGSS-API calls... */

       In this case, the JAAS config file's entry name MUST be the
       standard entry name (com.sun.security.jgss.krb5.initiate), and you
       must set -Djavax.security.auth.useSubjectCredsOnly=false on the
       Java command line. Read
       [26]http://java.sun.com/javase/6/docs/technotes/guides/security/jgs
       s/tutorials/BasicClientServer.html for details.
Which means only initiate based auth needs the system property.

This is also confirmed in IBM with a sample program.

PROPOSED FIX: COMMENT LAST LINE OF initInternal WHICH SETS THE SYSTEM PROPERTY IN THE FIRST PLACE AS FALSE.
Comment 1 Arunav Sanyal 2013-11-09 10:11:07 UTC
Hi I am adding an attached fix for complete removal of dependency.
Comment 2 Arunav Sanyal 2013-11-09 12:01:01 UTC
Created attachment 31028 [details]
New source code
Comment 3 Mark Thomas 2013-11-10 20:29:59 UTC
Proposed patches should be in diff -u format.
Comment 4 Arunav Sanyal 2013-11-11 06:42:07 UTC
Hi

I am giving the fix in the diff -u format
Comment 5 Arunav Sanyal 2013-11-11 06:43:11 UTC
Created attachment 31030 [details]
Proper format of fix

command run:- diff -u SpnegoAuthenticator.java SpnegoAuthenticatorModified.java
Comment 6 Mark Thomas 2013-11-11 09:50:47 UTC
Thanks for the updated patch.

I have confirmed in my test environment that removing this line does not break SPNEGO authentication so I have applied the patch to trunk and 7.0.x. It will be included in 8.0.0-RC6 and 7.0.48 onwards.