Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-8830

org.apache.hadoop.security.authentication.server.AuthenticationFilter might be called twice, causing kerberos replay errors

    Details

    • Type: Bug
    • Status: Patch Available
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 2.0.1-alpha, 2.1.0-beta, 2.1.1-beta, 2.2.0
    • Fix Version/s: None
    • Component/s: None
    • Labels:

      Description

      AuthenticationFilter.doFilter is called twice (not sure if that is intentional or not).

      The second time it is called the ServletRequest is already authenticated, i.e. httpRequest.getRemoteUser() returns non-null info.

      If the kerberos authentication is triggered a second time it'll return a replay attack exception.

      I solved this by adding a if (httpRequest.getRemoteUser() == null) at the very beginning of doFilter.

      Alternatively one can set an attribute on the request, or figure out why doFilter is called twice.

        Attachments

        1. HADOOP-8830.20131026.1.patch
          3 kB
          Omkar Vinit Joshi
        2. HADOOP-8830.20131027.1.patch
          6 kB
          Omkar Vinit Joshi

          Issue Links

            Activity

              People

              • Assignee:
                ojoshi Omkar Vinit Joshi
                Reporter:
                moritzmoeller Moritz Moeller
              • Votes:
                3 Vote for this issue
                Watchers:
                12 Start watching this issue

                Dates

                • Created:
                  Updated: