Bug 51099

Summary: SPNEGO loginConfigName does not work
Product: Tomcat 7
Reporter: Mark Thomas <markt>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Severity: normal
Priority: P2
Version: trunk
Target Milestone: ---
Hardware: All
OS: All

Description Mark Thomas 2011-04-21 05:11:31 UTC
As reported by fhanik on the dev list:

2. com.sun.security.jgss.krb5.accept is not configurable
While the authenticator has the attribute loginConfigName, there seems to be a place in the code where it omits this entry.
Renaming this entry in jaas.conf and setting the loginConfigName will fail to validate a ticket.

The problem code is here:

            gssContext = manager.createContext(manager.createCredential(null,
                    new Oid(""),

should look like
            final GSSManager manager = GSSManager.getInstance();
            final PrivilegedExceptionAction<GSSCredential> action =
                new PrivilegedExceptionAction<GSSCredential>() {
                    public GSSCredential run() throws GSSException {
                        return manager.createCredential(null,
                                new Oid(""),
            gssContext = manager.createContext(Subject.doAs(lc.getSubject(), action));
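
The pattern from the description above, written out as a stand-alone class. This is an added example, not Tomcat's source and not part of the original report. The entry name `my-spnego-accept`, the keytab path and the principal are placeholders, the OID is the standard SPNEGO mechanism OID, and a working Kerberos configuration is assumed.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

// Added illustration, not Tomcat source. Assumes -Djava.security.auth.login.config
// points at a jaas.conf with an entry under a custom (hypothetical) name:
//   my-spnego-accept {
//       com.sun.security.auth.module.Krb5LoginModule required
//       useKeyTab=true storeKey=true
//       keyTab="/path/to/placeholder.keytab"
//       principal="HTTP/host.example.test@EXAMPLE.TEST";
//   };
public class AcceptorCredentialDemo {

    static final String SPNEGO_OID = "1.3.6.1.5.5.2"; // standard SPNEGO mechanism OID

    /** Log in through the named JAAS entry, then create the acceptor credential as that Subject. */
    static GSSCredential acquire(String loginConfigName)
            throws LoginException, PrivilegedActionException {
        LoginContext lc = new LoginContext(loginConfigName);
        lc.login(); // puts the service principal and its keys into the Subject
        final GSSManager manager = GSSManager.getInstance();
        PrivilegedExceptionAction<GSSCredential> action =
                new PrivilegedExceptionAction<GSSCredential>() {
                    @Override
                    public GSSCredential run() throws GSSException {
                        return manager.createCredential(null,
                                GSSCredential.DEFAULT_LIFETIME,
                                new Oid(SPNEGO_OID),
                                GSSCredential.ACCEPT_ONLY);
                    }
                };
        // Running the action via doAs ties the credential to the Subject produced by
        // the loginConfigName entry; the report is that outside doAs that entry was ignored.
        return Subject.doAs(lc.getSubject(), action);
    }

    public static void main(String[] args) throws Exception {
        String name = args.length > 0 ? args[0] : "my-spnego-accept";
        GSSCredential cred = acquire(name);
        System.out.println("Acceptor credential for: " + cred.getName());
        cred.dispose();
    }
}
```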

Comment 1 Mark Thomas 2011-05-04 21:47:16 UTC
Patch was spot on. Cheers Filip.

Applied to 7.0.x. Will be in 7.0.13 onwards.

Comment 2 Gerard Borst 2011-05-05 17:51:54 UTC
I think it looks very good and I'm very interested because I use a SPNEGO filter at this moment, but I think the JAAS login and the creation of the GSSManager should be in a constructor or in this case possibly in the initInternal. This is the JAAS login of the server and should be done only once. At least I think so, maybe I'm wrong, it's a complex subject.

I'm talking about this part:

            try {
                lc = new LoginContext(getLoginConfigName());
            } catch (LoginException e) {
                return false;
            // Assume the GSSContext is stateless
            // TODO: Confirm this assumption
            final GSSManager manager = GSSManager.getInstance();

Kind regards,

Comment 3 Mark Thomas 2011-05-05 18:48:30 UTC
That is a separate issue that does not belong as part of this issue. To be perfectly honest, reports along the lines of "this might be a bug, I'm not sure" are just going to get closed as invalid.

Comment 4 Gerard Borst 2011-05-06 09:39:54 UTC
Just trying to help.