From: bugzilla@apache.org
To: dev@tomcat.apache.org
Subject: [Bug 55354] New: JNDIRealm.getPrincipal(context,username,gssCredential) corrupts realm context
Date: Mon, 05 Aug 2013 02:53:29 +0000

https://issues.apache.org/bugzilla/show_bug.cgi?id=55354

Bug ID: 55354
Summary: JNDIRealm.getPrincipal(context,username,gssCredential) corrupts realm context
Product: Tomcat 7
Version: 7.0.42
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: richard.begg@identity-solutions.com.au

The getPrincipal(context,username,gssCredential) method in JNDIRealm is designed to allow delegated credentials to be applied to the directory server connection as part of SPNEGO authentication. This is done by manipulation of a number of the directory context's environment parameters.

However, as currently implemented, these environment parameters are forcibly cleared after the getUser() call regardless of whether the values were even changed (i.e. if isUseDelegatedCredential() returned false).

If the container realm is defined to use GSSAPI authentication, only the first SPNEGO authentication request will succeed. All subsequent requests will fail with this exception:

javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906DC, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db0

The exception is due to the Context.SECURITY_AUTHENTICATION being cleared by getPrincipal() - resulting in an attempted "simple" bind with no username/password (i.e. anonymous).

A workaround is to ensure that the connectionName and connectionPassword parameters are specified in the realm definition - however, if one is using GSSAPI - this shouldn't be necessary and certainly defeats the purpose of using GSSAPI in the first place.

The code should preserve pre-existing environment parameters in the context before changing them, then restore those values afterwards - rather than just clearing the settings completely.
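The save-and-restore pattern the report asks for, as an added illustration that is not Tomcat's JNDIRealm code: the environment is snapshotted before the delegated bind, left untouched when no delegation happens, and restored (not cleared) in a finally block. The Sasl.* keys, the UserLookup callback standing in for getUser(), and passing the GSSCredential via Subject.doAs are assumptions about how a delegated GSSAPI bind is set up, not taken from the bug report.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Collections;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.security.auth.Subject;
import javax.security.sasl.Sasl;
import org.ietf.jgss.GSSCredential;

/** Example only (not Tomcat code): preserve and restore DirContext env around a delegated lookup. */
public final class DelegatedEnvGuard {

    /** Hypothetical stand-in for JNDIRealm.getUser(). */
    public interface UserLookup<T> { T lookup(DirContext ctx) throws NamingException; }

    // Keys the delegated bind changes; only SECURITY_AUTHENTICATION is named in the report,
    // the Sasl keys are an assumption about the LDAP provider's GSSAPI settings.
    private static final String[] DELEGATION_KEYS =
        { Context.SECURITY_AUTHENTICATION, Sasl.SERVER_AUTH, Sasl.QOP };

    public static <T> T withDelegatedCredential(DirContext ctx, GSSCredential cred,
            boolean useDelegated, UserLookup<T> lookup) throws NamingException {
        if (cred == null || !useDelegated) {
            // Nothing is changed, so nothing is cleared: the realm's own bind settings survive.
            return lookup.lookup(ctx);
        }
        // Snapshot the current values; an absent key is recorded as null so it can be removed again.
        Hashtable<?, ?> env = ctx.getEnvironment();
        Map<String, Object> saved = new HashMap<>();
        for (String key : DELEGATION_KEYS) saved.put(key, env.get(key));
        try {
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            ctx.addToEnvironment(Sasl.SERVER_AUTH, "true");
            ctx.addToEnvironment(Sasl.QOP, "auth-conf");
            // Run the lookup as a Subject carrying only the delegated credential.
            Subject subject = new Subject(false, Collections.emptySet(),
                    Collections.emptySet(), Collections.singleton(cred));
            return Subject.doAs(subject, (PrivilegedExceptionAction<T>) () -> lookup.lookup(ctx));
        } catch (PrivilegedActionException e) {
            throw (NamingException) e.getException();
        } finally {
            // Restore: a key that had a value gets it back, a key that was absent is removed.
            for (Map.Entry<String, Object> e : saved.entrySet()) {
                if (e.getValue() == null) ctx.removeFromEnvironment(e.getKey());
                else ctx.addToEnvironment(e.getKey(), e.getValue());
            }
        }
    }
}
```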