Bug 63627 - Implement more fine-grained handling in RealmBase#authenticate(GSSContext, boolean)
Status: RESOLVED FIXED
Product: Tomcat 8
Classification: Unclassified
Component: Catalina
Version: 8.5.x-trunk
Hardware: All All
Importance: P2 enhancement
Assignee: Tomcat Developers Mailing List
Reported: 2019-08-02 11:37 UTC by Michael Osipov
Modified: 2019-08-05 12:39 UTC
Description Michael Osipov 2019-08-02 11:37:29 UTC
We maintain a custom RealmBase#authenticate(GSSContext, boolean) implementation because the given one has a few shortcomings. I'd like to address this in a PR:

* Move stripping right before #getPrincipal() to log a fully qualified GSS name
* Issue a warning instead of a debug if #getDelegCred() has failed. Justification: the context indicates that there is a credential and the developer has configured to store them, but this failed. A debug will be unnoticed in a production system. The admin should see this and take action.
* If storeCreds is requested, but the credentials aren't, log this in debug for traceability.

Custom impl: http://tomcatspnegoad.sourceforge.net/xref/net/sf/michaelo/tomcat/realm/ActiveDirectoryRealm.html#L229
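
Added example, not part of the bug report and not Tomcat's or the reporter's code: a stand-alone sketch of the three logging changes listed above, built on the standard org.ietf.jgss API. The class name GssAuthSketch, the getPrincipal stand-in, the use of java.util.logging (FINE standing in for debug), the unconditional realm stripping and the proxy stubs in main are assumptions made for illustration.

```java
import java.lang.reflect.Proxy;
import java.security.Principal;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.ietf.jgss.*;
public class GssAuthSketch {
    static final Logger log = Logger.getLogger("GssAuthSketch");
    // Hypothetical stand-in for the realm's principal lookup.
    static Principal getPrincipal(String name, GSSCredential cred) { return () -> name; }

    static Principal authenticate(GSSContext ctx, boolean storeCreds) {
        if (!ctx.isEstablished()) { log.severe("GSS context not established"); return null; }
        GSSName gssName;
        try {
            gssName = ctx.getSrcName();
        } catch (GSSException e) {
            log.log(Level.WARNING, "Could not read source name", e);
            return null;
        }
        GSSCredential cred = null;
        if (storeCreds) {
            if (ctx.getCredDelegState()) {
                try {
                    cred = ctx.getDelegCred();
                } catch (GSSException e) { // delegation signalled but unusable: the admin must see it
                    log.log(Level.WARNING, "No delegated credential for [" + gssName + "]", e);
                }
            } else { // storage requested, nothing delegated: traceable at debug level
                log.fine("storeCreds set, but no credential delegated by [" + gssName + "]");
            }
        }
        String name = gssName.toString(); // the log lines above used the fully qualified name
        int at = name.indexOf('@');       // strip the realm only now, right before the lookup
        return getPrincipal(at > 0 ? name.substring(0, at) : name, cred);
    }

    public static void main(String[] args) { // constructed stubs, no KDC needed
        ClassLoader cl = GssAuthSketch.class.getClassLoader();
        GSSName who = (GSSName) Proxy.newProxyInstance(cl, new Class<?>[] {GSSName.class},
                (p, m, a) -> "alice@EXAMPLE.ORG"); // only toString() is ever called
        GSSContext ctx = (GSSContext) Proxy.newProxyInstance(cl, new Class<?>[] {GSSContext.class},
                (p, m, a) -> {
                    if (m.getName().equals("getSrcName")) return who;
                    if (m.getName().equals("getDelegCred")) throw new GSSException(GSSException.NO_CRED);
                    return true; // isEstablished, getCredDelegState
                });
        System.out.println(authenticate(ctx, true).getName());
    }
}
```

The stubbed context reports a delegated credential but fails to hand it over, so the run exercises the warning branch while authentication still completes.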
Comment 1 Michael Osipov 2019-08-05 12:39:40 UTC
Fixed in:
- master for 9.0.23 onwards
- 8.5.x for 8.5.44 onwards
- 7.0.x for 7.0.97 onwards