Bug 63627

Summary: Implement more fine-grained handling in RealmBase#authenticate(GSSContext, boolean)
Product: Tomcat 8 Reporter: Michael Osipov <michaelo>
Component: CatalinaAssignee: Tomcat Developers Mailing List <dev>
Severity: enhancement    
Priority: P2    
Version: 8.5.x-trunk   
Target Milestone: ----   
Hardware: All   
OS: All   

Description Michael Osipov 2019-08-02 11:37:29 UTC
We maintain a custom RealmBase#authenticate(GSSContext, boolean) implementation because the given one as a few shortcomings I'd like to address this in a PR:

* Move stripping right before #getPrincipal() to log a fully qualified GSS name
* Issue a warning instead of a debug if #getDelegCred() has failed. Justification: the context indicates that there is a credential and the developer has configured to store them, but this failed. A debug will be unnoticed in a production system. The admin should see this and take action.
* If storeCreds is requested, but the credentials arent't log this in debug for traceability.

Custom impl: http://tomcatspnegoad.sourceforge.net/xref/net/sf/michaelo/tomcat/realm/ActiveDirectoryRealm.html#L229
Comment 1 Michael Osipov 2019-08-05 12:39:40 UTC
Fixed in:
- master for 9.0.23 onwards
- 8.5.x for 8.5.44 onwards
- 7.0.x for 7.0.97 onwards