Bug 56013 - SpnegoAuthenticator not working in IBM JDK v7 for Kerberos due to incorrect credential lifetime
Summary: SpnegoAuthenticator not working in IBM JDK v7 for Kerberos due to incorrect c...
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 7.0.50
Hardware: Other AIX
: P2 major (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-01-15 10:17 UTC by Arunav Sanyal
Modified: 2014-01-19 19:32 UTC (History)
0 users



Attachments
Unified GNU diff format of SpnegoAuthenticator.java and its updated version (1.89 KB, text/plain)
2014-01-15 10:17 UTC, Arunav Sanyal
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Arunav Sanyal 2014-01-15 10:17:00 UTC
Created attachment 31208 [details]
Unified GNU diff format of SpnegoAuthenticator.java and its updated version

Hi

SpnegoAuthenticator is not working with IBM JDK v7. The option GSSCredential.DEFAULT_LIFETIME specified while generating ticket creates the following exception:-

major code: 11, minor code: 0
    major string: General failure, unspecified at GSSAPI level
    minor string: Desired initLifetime zero or less)

However specifying GSSCredential.INDEFINITE_LIFETIME as lifetime of credential resolves the issue. 

I am attaching a patch which optionally chooses cred lifetime as indefinite or default depending on whether the JDK is IBM JDK or Oracle/Sun JDK. This patch is with respect to SpnegoAuthenticator.java of tomcat v 7.0.50

Impact of fix:-

1. If not fixed then Tomcat does not work out of the box for Spnego Authentication(Kerberos) for IBM JDK v7

2. The fix affects only IBM JDK and does not change the execution flow for Oracle/Sun JDK

Yours sincerely
Arunav Sanyal
Comment 1 Mark Thomas 2014-01-19 19:32:43 UTC
Thanks for the patch.

I used a variation of your patch as I made the current vendor information global as it is used elsewhere in the code base.

This has been fixed in 8.0.x for 8.0.0 onwards and in 7.0.x for 7.0.51 onwards.