Bug 55851 - Tomcat SPNEGO authenticator incompatible with IBM JDK: Accept Security Context needs to be wrapped around a Privileged Action in order for server side authentication
Summary: Tomcat SPNEGO authenticator incompatible with IBM JDK: Accept Security Contex...
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 7.0.47
Hardware: PC All
: P2 normal (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-06 08:56 UTC by Arunav Sanyal
Modified: 2013-12-09 11:26 UTC (History)
0 users


Attachments
Contains GNU unified diff of SpnegoAuthenticator and its modified format (1.25 KB, text/plain)
2013-12-06 08:56 UTC, Arunav Sanyal 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Arunav Sanyal 2013-12-06 08:56:41 UTC 
Created attachment 31098 [details]
Contains GNU unified diff of SpnegoAuthenticator and its modified format

Hi

Problem report:-

In bug report 55760, a change was made in which system property javax.security.auth.useSubjectCredsOnly is no longer set to false. So it naturally follows that GSSAPI AcceptSecContext method is wrapped in a PrivilegedExceptionAction. It is found in IBM JDK that it fails otherwise.
 
Cause of failure:-

When IBM JDK tries to fetch credential in GSSAPI AcceptSecContext method, it does so from JAAS Subject. Since this call is not performed in Subject.doAs, the call fails as IBM JDK does not have access to a JAAS subject and cannot fetch a credential.
 
Please find attached:-

1. File containing gnu unified diff format of SpnegoAuthenticator with its modified version. PLEASE NOTE THIS DIFF IS ON TOP OF BUG FIX REPORTED IN 55760. This file now also contains AcceptAction class which wraps GSSAPI AcceptSecContext as a PrivilegedExceptionAction.

This fix solves the issue by allowing IBM JDK to fetch credential from JAAS Subject. 

Yours sincerely
Arunav Sanyal
Comment 1 Mark Thomas 2013-12-06 19:46:47 UTC 
Thanks for the patch. A variation of it has been applied to 8.0.x and 7.0.x and will be included in 8.0.0-RC6 and 7.0.48 onwards.

The changes I made were:
- remove @author tag (the ASF strongly discourages their use)
- made the inner class static and private
- added a missing @override

So basically a handful of minor bits and pieces.

Thanks again for the patch.
Comment 2 Arunav Sanyal 2013-12-09 11:23:48 UTC 
Thanks

I tried searching for recent changes to SpnegoAuthenticator and I cant seem to find the bug report in which this issue was first reported.

Can you please point me to the bug report in which this fix is made? Or is this a change which is not tracked by ASF bugzilla?

Yours sincerely
Arunav Sanyal
Comment 3 Mark Thomas 2013-12-09 11:26:44 UTC 
(In reply to Arunav Sanyal from comment #2)
> Thanks
> 
> I tried searching for recent changes to SpnegoAuthenticator and I cant seem
> to find the bug report in which this issue was first reported.

Huh? This is the bug report in which this issue was first reported.

> Can you please point me to the bug report in which this fix is made? Or is
> this a change which is not tracked by ASF bugzilla?

Huh? Bugzilla is not a source code control system. It doesn't track source code changes? Are you looking for a link to the svn revisions where this issue was fixed?