Return-Path: 
 <common-issues-return-53729-apmail-hadoop-common-issues-archive=hadoop.apache.org@hadoop.apache.org>
X-Original-To: apmail-hadoop-common-issues-archive@minotaur.apache.org
Delivered-To: apmail-hadoop-common-issues-archive@minotaur.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 8381210A8A
	for <apmail-hadoop-common-issues-archive@minotaur.apache.org>;
 Fri, 27 Sep 2013 00:19:03 +0000 (UTC)
Received: (qmail 91532 invoked by uid 500); 27 Sep 2013 00:19:03 -0000
Delivered-To: apmail-hadoop-common-issues-archive@hadoop.apache.org
Received: (qmail 91502 invoked by uid 500); 27 Sep 2013 00:19:03 -0000
Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:common-issues-help@hadoop.apache.org>
List-Unsubscribe: <mailto:common-issues-unsubscribe@hadoop.apache.org>
List-Post: <mailto:common-issues@hadoop.apache.org>
List-Id: <common-issues.hadoop.apache.org>
Reply-To: common-issues@hadoop.apache.org
Delivered-To: mailing list common-issues@hadoop.apache.org
Received: (qmail 91494 invoked by uid 99); 27 Sep 2013 00:19:03 -0000
Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 27 Sep 2013 00:19:03 +0000
Date: Fri, 27 Sep 2013 00:19:03 +0000 (UTC)
From: "Alejandro Abdelnur (JIRA)" <jira@apache.org>
To: common-issues@hadoop.apache.org
Message-ID: <JIRA.12608441.1348145922227.27700.1380241143170@arcas>
In-Reply-To: <JIRA.12608441.1348145922227@arcas>
References: <JIRA.12608441.1348145922227@arcas>
Subject: [jira] [Commented] (HADOOP-8830)
 org.apache.hadoop.security.authentication.server.AuthenticationFilter might
 be called twice, causing kerberos replay errors
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394


    [ https://issues.apache.org/jira/browse/HADOOP-8830?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13779484#comment-13779484 ] 

Alejandro Abdelnur commented on HADOOP-8830:
--------------------------------------------

I guess I'm missing something here, what would you gain by adding the cookie to the request?
                
> org.apache.hadoop.security.authentication.server.AuthenticationFilter might be called twice, causing kerberos replay errors
> ---------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-8830
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8830
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 2.0.1-alpha
>            Reporter: Moritz Moeller
>
> AuthenticationFilter.doFilter is called twice (not sure if that is intentional or not).
> The second time it is called the ServletRequest is already authenticated, i.e. httpRequest.getRemoteUser() returns non-null info.
> If the kerberos authentication is triggered a second time it'll return a replay attack exception.
> I solved this by adding a if (httpRequest.getRemoteUser() == null) at the very beginning of doFilter.
> Alternatively one can set an attribute on the request, or figure out why doFilter is called twice.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira