hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alejandro Abdelnur (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-8830) org.apache.hadoop.security.authentication.server.AuthenticationFilter might be called twice, causing kerberos replay errors
Date Fri, 27 Sep 2013 22:36:03 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-8830?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13780514#comment-13780514
] 

Alejandro Abdelnur commented on HADOOP-8830:
--------------------------------------------

servlets or other filters after the AuthenticationFilter should not deal with the auth cookie.
The current contract is as follows:

* if the request passed the AuthenticationFilter, authentication was successful
* the principal of the authenticated user is available via the HttpServletRequest.getAuthType()/getRemoteUser()/getUserPrincipal()
methods

if the filter is called twice is because is twice defined in the filter chain, it should be
once.
                
> org.apache.hadoop.security.authentication.server.AuthenticationFilter might be called
twice, causing kerberos replay errors
> ---------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-8830
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8830
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 2.0.1-alpha, 2.1.0-beta, 2.1.1-beta, 2.1.2-beta
>            Reporter: Moritz Moeller
>            Assignee: Omkar Vinit Joshi
>            Priority: Critical
>         Attachments: HADOOP-8830.20131026.1.patch
>
>
> AuthenticationFilter.doFilter is called twice (not sure if that is intentional or not).
> The second time it is called the ServletRequest is already authenticated, i.e. httpRequest.getRemoteUser()
returns non-null info.
> If the kerberos authentication is triggered a second time it'll return a replay attack
exception.
> I solved this by adding a if (httpRequest.getRemoteUser() == null) at the very beginning
of doFilter.
> Alternatively one can set an attribute on the request, or figure out why doFilter is
called twice.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message