This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit db91aa4186446b01f414002a421db05be25fe242
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Sep 19 14:59:04 2024 +0100

    Don't overwrite valid Principal from password callback with null
---
 .../apache/catalina/authenticator/jaspic/CallbackHandlerImpl.java   | 4 +++-
 webapps/docs/changelog.xml                                          | 6 ++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git 
a/java/org/apache/catalina/authenticator/jaspic/CallbackHandlerImpl.java 
b/java/org/apache/catalina/authenticator/jaspic/CallbackHandlerImpl.java
index e95654c4bc..afb0626eaf 100644
--- a/java/org/apache/catalina/authenticator/jaspic/CallbackHandlerImpl.java
+++ b/java/org/apache/catalina/authenticator/jaspic/CallbackHandlerImpl.java
@@ -69,7 +69,9 @@ public class CallbackHandlerImpl implements CallbackHandler, 
Contained {
                 if (callback instanceof CallerPrincipalCallback) {
                     CallerPrincipalCallback cpc = (CallerPrincipalCallback) 
callback;
                     name = cpc.getName();
-                    principal = cpc.getPrincipal();
+                    if (cpc.getPrincipal() != null) {
+                        principal = cpc.getPrincipal();
+                    }
                     subject = cpc.getSubject();
                 } else if (callback instanceof GroupPrincipalCallback) {
                     GroupPrincipalCallback gpc = (GroupPrincipalCallback) 
callback;
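Review bot: The new guard on the `cpc.getPrincipal()` line keeps a previously established `principal` whenever the CallerPrincipalCallback carries no Principal, but it does so regardless of whether the callback also carries a name, while `name` is still overwritten unconditionally on the line above; a SAM that sends a CallerPrincipalCallback with both name and principal null after an earlier successful PasswordValidationCallback may, depending on how `name`/`principal` are combined after the loop (outside this hunk), end up with the password-validated Principal rather than an unauthenticated caller, which the Jakarta Authentication Javadoc appears to describe as the intent of a null principal. That trade-off deserves a why-comment at the guard, e.g. `// Keep a Principal already set by PasswordValidationCallback; a null here must not clear it`, so the next maintainer does not "fix" it back. As a small style point the getter is called twice; hoist it: `Principal callerPrincipal = cpc.getPrincipal();` / `if (callerPrincipal != null) {` / `principal = callerPrincipal;`. The enclosing handle() method starts and ends outside this hunk, so the post-loop handling of a null `name` could not be checked here.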
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index c2c359f1f3..3bfc6b30e1 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -132,6 +132,12 @@
         associated with persisting the Jakarta Authentication provider
         configuration. (markt)
       </fix>
+      <fix>
+        When processing Jakarta Authentication callbacks, don't overwrite a
+        Principal obtained from the <code>PasswordValidationCallback</code> 
with
+        <code>null</code> if the <code>CallerPrincipalCallback</code> does not
+        provide a Principal. (markt)
+      </fix>
     </changelog>
   </subsection>
 </section>

