Bug 55804 - SPNEGOAUTHENTICATOR - GSSCredential does not get renewed after RemainingLifeTime is less than zero
Summary: SPNEGOAUTHENTICATOR - GSSCredential does not get renewed after RemainingLifeT...
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 7.0.47
Hardware: PC All
: P2 critical (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2013-11-20 19:23 UTC by Sachin Kumar
Modified: 2013-11-29 19:31 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Sachin Kumar 2013-11-20 19:23:11 UTC
In SpnegoAuthenticator, we check for request.getUserPrincipal() if it returns a prinicpal we do not do a fresh authentication. This happens even when the GSSCredential returned by GenericPrincipal has remainingLife time less than zero. This causes issues in delegating the credential as the credential is not valid any more.

Can we add additional check to reauthenticate when the credental has expired and put GSSCredential in the same session?
Comment 1 Mark Thomas 2013-11-21 00:03:38 UTC
Would it be sufficient for your use case if request.getUserPrincipal() returned null if the GSSCredential had expired?
Comment 2 Sachin Kumar 2013-11-23 13:00:10 UTC
If request.getUserPrinicpal() returns null, then we go on reauthenticate and repopulates a new GSSCrential. However, when we reauthenticate the session also changes. I believe the session changes because changeSessionIdOnAuthentication is true by default, so the we have to reinitialize session(populate some objects just as in case of fresh login onto session) in our application.  Can we have request.getUserPrinicipal null and then when a session already exists not create a new session.
Comment 3 Mark Thomas 2013-11-27 17:21:51 UTC
When the session ID is changed on authentication that is exactly what happens. The session object remains the same, just the ID changes. There should be no need to populate the session as it remains populated.

If you need to update some of your session attributes because the ID has changed, you can use an HttpSessionIdListener.

On this basis, it looks like having request.getUserPrincipal() return null if the GSSCredential has expired will be sufficient.
Comment 4 Sachin Kumar 2013-11-29 04:00:32 UTC
Sure thanks Mark. Can we have this fix soon?
Comment 5 Mark Thomas 2013-11-29 19:31:17 UTC
This has been fixed in trunk for 8.0.0-RC6 onwards and 7.0.x for 7.0.48 onwards.