In SpnegoAuthenticator, we check request.getUserPrincipal(); if it returns a principal we do not do a fresh authentication. This happens even when the GSSCredential returned by GenericPrincipal has a remaining lifetime less than zero. This causes issues in delegating the credential, as the credential is not valid any more. Can we add an additional check to reauthenticate when the credential has expired and put the GSSCredential in the same session?
Would it be sufficient for your use case if request.getUserPrincipal() returned null if the GSSCredential had expired?
If request.getUserPrincipal() returns null, then we go on to reauthenticate and repopulate a new GSSCredential. However, when we reauthenticate the session also changes. I believe the session changes because changeSessionIdOnAuthentication is true by default, so we have to reinitialize the session (populate some objects, just as in the case of a fresh login) in our application. Can we have request.getUserPrincipal() return null and then, when a session already exists, not create a new session?
When the session ID is changed on authentication that is exactly what happens. The session object remains the same, just the ID changes. There should be no need to populate the session as it remains populated. If you need to update some of your session attributes because the ID has changed, you can use an HttpSessionIdListener. On this basis, it looks like having request.getUserPrincipal() return null if the GSSCredential has expired will be sufficient.
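The two points in this thread, treating an expired GSSCredential as "not authenticated" before delegating it, and reacting to the session ID change with an HttpSessionIdListener rather than re-populating the session, as an added example. This is not Tomcat's code or the reporter's; it assumes Tomcat's org.apache.catalina.realm.GenericPrincipal.getGssCredential() and the Servlet 3.1 HttpSessionIdListener API. The attribute name, the registry map and the 60-second threshold are constructed for the example.

```java
import java.security.Principal;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import javax.servlet.ServletContext;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;

import org.apache.catalina.realm.GenericPrincipal;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;

/**
 * Guards credential delegation against an expired GSSCredential cached on the
 * principal, and keeps an ID-keyed registry consistent when Tomcat changes the
 * session ID on authentication (changeSessionIdOnAuthentication=true).
 */
@WebListener
public class SpnegoCredentialSupport implements HttpSessionIdListener {

    /** Do not delegate a credential with less than this many seconds left (constructed value). */
    static final int MIN_REMAINING_SECONDS = 60;

    /** Context attribute holding a session-id -> user-name map (constructed attribute name). */
    static final String REGISTRY_ATTR = "example.sessionIdRegistry";

    /**
     * Returns the delegable GSSCredential for this principal, or null when the
     * principal carries none or the credential has expired (or is about to).
     * A null result means the caller must treat the request as unauthenticated
     * and let the authenticator perform a fresh SPNEGO exchange.
     */
    public static GSSCredential usableCredential(Principal principal) {
        if (!(principal instanceof GenericPrincipal)) {
            return null;
        }
        GSSCredential cred = ((GenericPrincipal) principal).getGssCredential();
        if (cred == null) {
            return null;
        }
        try {
            // Remaining lifetime in seconds; INDEFINITE_LIFETIME for credentials that never expire.
            int remaining = cred.getRemainingLifetime();
            if (remaining != GSSCredential.INDEFINITE_LIFETIME
                    && remaining < MIN_REMAINING_SECONDS) {
                return null;
            }
            return cred;
        } catch (GSSException e) {
            // A credential whose lifetime cannot be read is treated like an expired one.
            return null;
        }
    }

    /** Registers the authenticated user under the current session ID (call once after login). */
    public static void register(HttpSession session, String userName) {
        registry(session.getServletContext()).put(session.getId(), userName);
    }

    /**
     * The session object and its attributes survive the ID change; only state
     * keyed on the old ID, such as this registry entry, needs to be moved.
     */
    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        HttpSession session = event.getSession();
        ConcurrentMap<String, String> registry = registry(session.getServletContext());
        String userName = registry.remove(oldSessionId);
        if (userName != null) {
            registry.put(session.getId(), userName);
        }
    }

    @SuppressWarnings("unchecked")
    private static ConcurrentMap<String, String> registry(ServletContext context) {
        synchronized (context) {
            ConcurrentMap<String, String> map =
                    (ConcurrentMap<String, String>) context.getAttribute(REGISTRY_ATTR);
            if (map == null) {
                map = new ConcurrentHashMap<>();
                context.setAttribute(REGISTRY_ATTR, map);
            }
            return map;
        }
    }
}
```

Code that delegates the credential calls usableCredential(request.getUserPrincipal()) and refuses to delegate on null; on the fixed Tomcat versions the same condition is what makes getUserPrincipal() itself return null. The listener only re-keys state that was derived from the session ID; everything stored as a session attribute is untouched by the ID change.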
Sure, thanks Mark. Can we have this fix soon?
This has been fixed in trunk for 8.0.0-RC6 onwards and 7.0.x for 7.0.48 onwards.