| Summary: | Tomcat SPNEGO authenticator incompatible with IBM JDK in case of Keytab based initiate and accept authentication | ||
|---|---|---|---|
| Product: | Tomcat 7 | Reporter: | Arunav Sanyal <arunav.sanyal91> |
| Component: | Catalina | Assignee: | Tomcat Developers Mailing List <dev> |
| Status: | RESOLVED FIXED | ||
| Severity: | blocker | CC: | arunav.sanyal91 |
| Priority: | P1 | ||
| Version: | 7.0.35 | ||
| Target Milestone: | --- | ||
| Hardware: | PC | ||
| OS: | AIX | ||
| Attachments: |
New source code
Proper format of fix |
||
Hi I am adding an attached fix for complete removal of dependency. Created attachment 31028 [details]
New source code
Proposed patches should be in diff -u format. Hi I am giving the fix in the diff -u format Created attachment 31030 [details]
Proper format of fix
command run:- diff -u SpnegoAuthenticator.java SpnegoAuthenticatorModified.java
Thanks for the updated patch. I have confirmed in my test environment that removing this line does not break SPNEGO authentication so I have applied the patch to trunk and 7.0.x. It will be included in 8.0.0-RC6 and 7.0.48 onwards. |
Hi Our company has a use case in which our domain is a tomcat process. In our code, we support a parallel protocol which uses In memory based jaas configuration - public class OurLoginConfiguration extends Configuration In IBM JDK 7, we need to initiate using keytab which needs the system property javax.security.auth.useSubjectCredsOnly to be set to true for it to work. However Tomcat sets it in Inside SpnegoAuthenticator:- protected void initInternal() throws LifecycleException { super.initInternal(); // Kerberos configuration file location String krb5Conf = System.getProperty(Constants.KRB5_CONF_PROPERTY); if (krb5Conf == null) { // System property not set, use the Tomcat default File krb5ConfFile = new File(Bootstrap.getCatalinaBase(), Constants.DEFAULT_KRB5_CONF); System.setProperty(Constants.KRB5_CONF_PROPERTY, krb5ConfFile.getAbsolutePath()); } // JAAS configuration file location String jaasConf = System.getProperty(Constants.JAAS_CONF_PROPERTY); if (jaasConf == null) { // System property not set, use the Tomcat default File jaasConfFile = new File(Bootstrap.getCatalinaBase(), Constants.DEFAULT_JAAS_CONF); System.setProperty(Constants.JAAS_CONF_PROPERTY, jaasConfFile.getAbsolutePath()); } // This property must be false for SPNEGO to work System.setProperty(Constants.USE_SUBJECT_CREDS_ONLY_PROPERTY, "false"); } as false in the last line which causes havoc in the code. A multithreaded startup causes a breakdown in further authentication for keytab based logging. Now a little more investigation revealed that tomcat acts only as an acceptor. Now this property need not necessarily be set to false for it to work(in both IBM and SUN JDK). Source of claim - http://cr.openjdk.java.net/~weijun/special/krb5winguide-2/raw_files/new/kwin Excerpt:- 2. Direct JGSS: /* JGSS-API calls... */ In this case, the JAAS config file's entry name MUST be the standard entry name (com.sun.security.jgss.krb5.initiate), and you must set -Djavax.security.auth.useSubjectCredsOnly=false on the Java command line. Read [26]http://java.sun.com/javase/6/docs/technotes/guides/security/jgs s/tutorials/BasicClientServer.html for details. Which means only initiate based auth needs the system property. This is also confirmed in IBM with a sample program. PROPOSED FIX: COMMENT LAST LINE OF initInternal WHICH SETS THE SYSTEM PROPERTY IN THE FIRST PLACE AS FALSE.