tomcat-dev mailing list archives

From bugzi...@apache.org
Subject [Bug 55851] New: Tomcat SPNEGO authenticator incompatible with IBM JDK: Accept Security Context needs to be wrapped around a Privileged Action in order for server side authentication
Date Fri, 06 Dec 2013 08:56:41 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=55851

            Bug ID: 55851
           Summary: Tomcat SPNEGO authenticator incompatible with IBM JDK:
                    Accept Security Context needs to be wrapped around a
                    Privileged Action in order for server side
                    authentication
           Product: Tomcat 7
           Version: 7.0.47
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: arunav.sanyal91@gmail.com

Created attachment 31098
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31098&action=edit
Contains GNU unified diff of SpnegoAuthenticator and its modified format

Hi

Problem report:-

In bug report 55760, a change was made in which system property
javax.security.auth.useSubjectCredsOnly is no longer set to false. So it
naturally follows that GSSAPI AcceptSecContext method is wrapped in a
PrivilegedExceptionAction. It is found in IBM JDK that it fails otherwise.

Cause of failure:-

When IBM JDK tries to fetch credential in GSSAPI AcceptSecContext method, it
does so from JAAS Subject. Since this call is not performed in Subject.doAs,
the call fails as IBM JDK does not have access to a JAAS subject and cannot
fetch a credential.

Please find attached:-

1. File containing GNU unified diff format of SpnegoAuthenticator with its
modified version. PLEASE NOTE THIS DIFF IS ON TOP OF BUG FIX REPORTED IN 55760.
This file now also contains AcceptAction class which wraps GSSAPI
AcceptSecContext as a PrivilegedExceptionAction.

This fix solves the issue by allowing IBM JDK to fetch credential from JAAS
Subject. 

Yours sincerely
Arunav Sanyal
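
The pattern the report describes, as an added Java example; it is not the attached patch or Tomcat's own code. The class and method names and `loginConfigName` are hypothetical, and a single-token exchange is assumed.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

public final class SpnegoAcceptSketch {

    /** One acceptSecContext call, packaged so it can run under Subject.doAs. */
    static final class AcceptStep implements PrivilegedExceptionAction<byte[]> {
        private final byte[] token;

        AcceptStep(byte[] token) { this.token = token; }

        @Override
        public byte[] run() throws GSSException {
            GSSManager manager = GSSManager.getInstance();
            // With useSubjectCredsOnly left at its default (true), the acceptor
            // credential is looked up in the Subject bound by doAs.
            GSSCredential cred = manager.createCredential(null,
                    GSSCredential.DEFAULT_LIFETIME,
                    new Oid("1.3.6.1.5.5.2"), // SPNEGO mechanism OID
                    GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = manager.createContext(cred);
            try {
                // Assumption: the exchange completes with this one token.
                return ctx.acceptSecContext(token, 0, token.length);
            } finally {
                ctx.dispose();
            }
        }
    }

    /** loginConfigName is a placeholder for the service's JAAS login entry. */
    static byte[] accept(String loginConfigName, byte[] clientToken)
            throws LoginException, PrivilegedActionException {
        LoginContext lc = new LoginContext(loginConfigName);
        lc.login();
        try {
            // The Subject is on the access-control context for the whole action.
            return Subject.doAs(lc.getSubject(), new AcceptStep(clientToken));
        } finally {
            lc.logout();
        }
    }
}
```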
