Date: Fri, 8 Nov 2013 15:45:50 +0530
Subject: Issue with SPNEGO authenticator
From: Arunav Sanyal
To: dev@tomcat.apache.org

Hi

Our company has a use case in which our domain is a Tomcat process. In our code, we support a parallel protocol which uses an in-memory JAAS configuration:

    public class OurLoginConfiguration extends Configuration

In IBM JDK 7, we need to initiate using a keytab, which needs the system property javax.security.auth.useSubjectCredsOnly to be set to true for it to work. However, Tomcat sets it in

    protected void initInternal() throws LifecycleException {
        super.initInternal();

        // Kerberos configuration file location
        String krb5Conf = System.getProperty(Constants.KRB5_CONF_PROPERTY);
        if (krb5Conf == null) {
            // System property not set, use the Tomcat default
            File krb5ConfFile = new File(Bootstrap.getCatalinaBase(),
                    Constants.DEFAULT_KRB5_CONF);
            System.setProperty(Constants.KRB5_CONF_PROPERTY,
                    krb5ConfFile.getAbsolutePath());
        }

        // JAAS configuration file location
        String jaasConf = System.getProperty(Constants.JAAS_CONF_PROPERTY);
        if (jaasConf == null) {
            // System property not set, use the Tomcat default
            File jaasConfFile = new File(Bootstrap.getCatalinaBase(),
                    Constants.DEFAULT_JAAS_CONF);
            System.setProperty(Constants.JAAS_CONF_PROPERTY,
                    jaasConfFile.getAbsolutePath());
        }

        // This property must be false for SPNEGO to work
        System.setProperty(Constants.USE_SUBJECT_CREDS_ONLY_PROPERTY, "false");
    }

as false in the last line, which causes havoc in the code. Now a little more investigation revealed that Tomcat acts only as an acceptor.
Now this property need not necessarily be set to false for it to work (in both IBM and SUN JDK). Source of claim: http://cr.openjdk.java.net/~weijun/special/krb5winguide-2/raw_files/new/kwin

Excerpt:

    2. Direct JGSS:

        /* JGSS-API calls... */

    In this case, the JAAS config file's entry name MUST be the standard entry name
    (com.sun.security.jgss.krb5.initiate), and you must set
    -Djavax.security.auth.useSubjectCredsOnly=false on the Java command line. Read
    [26] http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/tutorials/BasicClientServer.html
    for details.

This is also confirmed in IBM with a sample program.

Is it possible to remove the last line of the function? What kind of impact will it have? I don't envisage a case in which existing functionality can break.

Yours sincerely
--
Arunav Sanyal
Graduate student, B.E (Hons) Computer Science
BITS Pilani K.K Birla Goa Campus
Software Engineer, INFORMATICA BUSINESS SOLUTIONS
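The message above describes an in-memory JAAS Configuration subclass and a keytab-based initiator whose behaviour depends on javax.security.auth.useSubjectCredsOnly. The following is an added example, not code from the original message, from the poster's company, or from Tomcat: it shows the pattern in working form, with an in-memory Configuration that serves both an application-chosen initiator entry and the standard acceptor entry name (com.sun.security.jgss.krb5.accept) that Oracle/OpenJDK JGSS uses for its own fallback login, and an initiator that logs in from a keytab and builds its first SPNEGO token inside Subject.doAs so that the credentials come from the Subject rather than from a JGSS-triggered login. The Krb5LoginModule class and option names are the Oracle/OpenJDK ones (the IBM JDK ships its own module with different option names); the principal, keytab path and target service name are placeholders the caller supplies, and a reachable KDC is assumed.

```java
// Added example: in-memory JAAS configuration plus a Subject-based SPNEGO
// initiator. Not from the original message or from Tomcat.
// Assumptions: Oracle/OpenJDK Krb5LoginModule option names; principal,
// keytab path and target SPN are placeholders supplied by the caller.
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class InMemoryKrb5Config extends Configuration {

    /** Application-chosen entry name for the keytab-based initiator (assumed name). */
    public static final String INITIATOR_ENTRY = "AppKeytabInitiator";
    /** Standard entry name Oracle/OpenJDK JGSS looks up for acceptor logins. */
    public static final String JGSS_ACCEPT_ENTRY = "com.sun.security.jgss.krb5.accept";

    private static final String KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule";

    private final Map<String, AppConfigurationEntry[]> entries = new HashMap<>();

    public InMemoryKrb5Config(String principal, String keytabPath) {
        entries.put(INITIATOR_ENTRY,
                new AppConfigurationEntry[] { keytabEntry(principal, keytabPath, true) });
        entries.put(JGSS_ACCEPT_ENTRY,
                new AppConfigurationEntry[] { keytabEntry(principal, keytabPath, false) });
    }

    private static AppConfigurationEntry keytabEntry(String principal, String keytab,
                                                     boolean initiator) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab);
        opts.put("principal", principal);
        opts.put("storeKey", "true");    // keep the key in the Subject; needed on the acceptor side
        opts.put("doNotPrompt", "true"); // a server process must never fall back to prompting
        opts.put("isInitiator", Boolean.toString(initiator));
        return new AppConfigurationEntry(KRB5_MODULE, LoginModuleControlFlag.REQUIRED, opts);
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        return entries.get(name); // null means "no such entry" to JAAS
    }

    /**
     * Logs in from the keytab under INITIATOR_ENTRY and returns the first
     * SPNEGO token for targetSpn (e.g. "HTTP@service.example.com"), using only
     * the credentials held in the logged-in Subject.
     */
    public static byte[] initialToken(String principal, String keytab, String targetSpn)
            throws Exception {
        Configuration.setConfiguration(new InMemoryKrb5Config(principal, keytab));
        // true: JGSS must use the credentials of the Subject it runs under and
        // may not start a JAAS login of its own. This is the value the message
        // above says its IBM JDK 7 keytab initiator requires.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");

        LoginContext lc = new LoginContext(INITIATOR_ENTRY);
        lc.login();
        Subject subject = lc.getSubject();

        return Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            Oid spnego = new Oid("1.3.6.1.5.5.2");
            GSSName target = mgr.createName(targetSpn, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = mgr.createContext(target, spnego, (GSSCredential) null,
                    GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true);
            // First leg of the exchange; the caller sends this as the
            // "Negotiate" token and feeds any reply back into initSecContext.
            return ctx.initSecContext(new byte[0], 0, 0);
        });
    }

    public static void main(String[] args) throws Exception {
        // Placeholders; replace with a real principal, keytab and target SPN.
        byte[] token = initialToken("svc@EXAMPLE.COM", "/etc/svc.keytab",
                "HTTP@service.example.com");
        System.out.println("Initial SPNEGO token: " + token.length + " bytes");
    }
}
```

Two points this makes concrete. First, the property only decides where JGSS gets credentials from: with true, the code must itself establish a Subject (LoginContext) and run the GSS calls under Subject.doAs; with false, JGSS may additionally fall back to a JAAS login under the standard entry names, which is why those names have to exist in whatever Configuration is installed. Second, an in-memory Configuration installed with Configuration.setConfiguration replaces the file named by java.security.auth.login.config for the whole JVM, so it has to serve the acceptor entry as well, otherwise the SPNEGO authenticator in the same process has nothing to log in with.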