Bug 55851

Summary: Tomcat SPNEGO authenticator incompatible with IBM JDK: Accept Security Context needs to be wrapped around a Privileged Action in order for server side authentication
Product: Tomcat 7
Reporter: Arunav Sanyal <arunav.sanyal91>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P2    
Version: 7.0.47   
Target Milestone: ---   
Hardware: PC   
OS: All   
Attachments: Contains GNU unified diff of SpnegoAuthenticator and its modified format

Description Arunav Sanyal 2013-12-06 08:56:41 UTC
Created attachment 31098
Contains GNU unified diff of SpnegoAuthenticator and its modified format

Hi

Problem report:-

In bug report 55760, a change was made in which system property javax.security.auth.useSubjectCredsOnly is no longer set to false. So it naturally follows that GSSAPI AcceptSecContext method is wrapped in a PrivilegedExceptionAction. It is found in IBM JDK that it fails otherwise.
 
Cause of failure:-

When IBM JDK tries to fetch credential in GSSAPI AcceptSecContext method, it does so from JAAS Subject. Since this call is not performed in Subject.doAs, the call fails as IBM JDK does not have access to a JAAS subject and cannot fetch a credential.
 
Please find attached:-

1. File containing gnu unified diff format of SpnegoAuthenticator with its modified version. PLEASE NOTE THIS DIFF IS ON TOP OF BUG FIX REPORTED IN 55760. This file now also contains AcceptAction class which wraps GSSAPI AcceptSecContext as a PrivilegedExceptionAction.

This fix solves the issue by allowing IBM JDK to fetch credential from JAAS Subject. 

Yours sincerely
Arunav Sanyal
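
The wrapping described in this report, written out as an added example: it is not the attached patch and not Tomcat's committed code. The class name SpnegoAcceptExample, the accept method and its loginEntryName parameter are hypothetical, and a JAAS login entry that logs the service principal in from its keytab is assumed.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.*;

public class SpnegoAcceptExample { // hypothetical class, not Tomcat's
    // acceptSecContext as a PrivilegedExceptionAction, so it can run in Subject.doAs.
    private static class AcceptAction implements PrivilegedExceptionAction<byte[]> {
        private final GSSContext gssContext;
        private final byte[] token;
        AcceptAction(GSSContext gssContext, byte[] token) {
            this.gssContext = gssContext;
            this.token = token;
        }
        @Override
        public byte[] run() throws GSSException {
            return gssContext.acceptSecContext(token, 0, token.length);
        }
    }

    // loginEntryName: assumed JAAS entry for the service principal.
    // token: decoded SPNEGO token taken from the client's Negotiate header.
    public static byte[] accept(String loginEntryName, byte[] token)
            throws LoginException, GSSException {
        LoginContext lc = new LoginContext(loginEntryName);
        lc.login();
        GSSContext ctx = null;
        try {
            Subject subject = lc.getSubject();
            GSSManager manager = GSSManager.getInstance();
            Oid spnego = new Oid("1.3.6.1.5.5.2"); // SPNEGO mechanism OID
            PrivilegedExceptionAction<GSSCredential> getCred = () -> manager.createCredential(
                    null, GSSCredential.DEFAULT_LIFETIME, spnego, GSSCredential.ACCEPT_ONLY);
            ctx = manager.createContext(Subject.doAs(subject, getCred));
            // A bare ctx.acceptSecContext(...) here, outside Subject.doAs, is the call
            // the report says fails on the IBM JDK: no JAAS Subject to read credentials from.
            return Subject.doAs(subject, new AcceptAction(ctx, token));
        } catch (PrivilegedActionException e) {
            Exception cause = e.getException();
            if (cause instanceof GSSException) throw (GSSException) cause;
            throw new IllegalStateException(cause);
        } finally {
            if (ctx != null) ctx.dispose();
            lc.logout();
        }
    }
}
```
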
Comment 1 Mark Thomas 2013-12-06 19:46:47 UTC
Thanks for the patch. A variation of it has been applied to 8.0.x and 7.0.x and will be included in 8.0.0-RC6 and 7.0.48 onwards.

The changes I made were:
- remove @author tag (the ASF strongly discourages their use)
- made the inner class static and private
- added a missing @override

So basically a handful of minor bits and pieces.

Thanks again for the patch.
Comment 2 Arunav Sanyal 2013-12-09 11:23:48 UTC
Thanks

I tried searching for recent changes to SpnegoAuthenticator and I can't seem to find the bug report in which this issue was first reported.

Can you please point me to the bug report in which this fix is made? Or is this a change which is not tracked by ASF bugzilla?

Yours sincerely
Arunav Sanyal
Comment 3 Mark Thomas 2013-12-09 11:26:44 UTC
(In reply to Arunav Sanyal from comment #2)
> Thanks
> 
> I tried searching for recent changes to SpnegoAuthenticator and I can't seem
> to find the bug report in which this issue was first reported.

Huh? This is the bug report in which this issue was first reported.

> Can you please point me to the bug report in which this fix is made? Or is
> this a change which is not tracked by ASF bugzilla?

Huh? Bugzilla is not a source code control system. It doesn't track source code changes? Are you looking for a link to the svn revisions where this issue was fixed?