This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push: new 99e3403b0d Fix credential validation when JNDIRealm is configured to use GSSAPI 99e3403b0d is described below commit 99e3403b0dc814d4a8a13268e98073d585e9c129 Author: Mark Thomas <ma...@apache.org> AuthorDate: Wed Feb 19 17:11:47 2025 +0000 Fix credential validation when JNDIRealm is configured to use GSSAPI Enable the validation of credentials provided to HttpServletRequest.login(String username, String password)
---
java/org/apache/catalina/realm/JNDIRealm.java | 7 +++++++ webapps/docs/changelog.xml | 5 +++++ webapps/docs/config/realm.xml | 11 ++++++++--- 3 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java
index 8bb9868a4d..c6d41b9e95 100644
--- a/java/org/apache/catalina/realm/JNDIRealm.java
+++ b/java/org/apache/catalina/realm/JNDIRealm.java
@@ -1840,10 +1840,15 @@ public class JNDIRealm extends RealmBase {
 }
 boolean validated = false;
+ Hashtable<?, ?> preservedEnvironment = context.getEnvironment();
 // Elicit an LDAP bind operation using the provided user credentials
 try {
 userCredentialsAdd(context, dn, credentials);
+ // Need to make sure GSSAPI SASL authentication is not used if configured
+ if (AUTHENTICATION_NAME_GSSAPI.equals(preservedEnvironment.get(Context.SECURITY_AUTHENTICATION))) {
+ context.removeFromEnvironment(Context.SECURITY_AUTHENTICATION);
+ }
 if (containerLog.isTraceEnabled()) {
 containerLog.trace(" binding as " + dn);
 }
@@ -1854,6 +1859,8 @@ public class JNDIRealm extends RealmBase {
 containerLog.trace(" bind attempt failed");
 }
 } finally {
+ // Restore GSSAPI SASL if previously configured
+ restoreEnvironmentParameter(context, Context.SECURITY_AUTHENTICATION, preservedEnvironment);
 userCredentialsRemove(context);
 }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index e4348106aa..be1b259ff8 100644
--- a/webapps/docs/changelog.xml
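Review bot: Removing `Context.SECURITY_AUTHENTICATION` in the first hunk means the bind issued after `userCredentialsAdd` presumably falls back to the provider default (a simple bind once principal and credentials are set), so the password handed to `HttpServletRequest.login()` now reaches the directory as a plain LDAP simple bind instead of under the GSSAPI SASL layer; on an `ldap://` connectionURL without StartTLS that password is sent in the clear, which a deployment that chose GSSAPI may not expect. The comment on the new `if` should say why the property is dropped and what that implies, e.g. `// GSSAPI does not use the supplied password; drop it so this bind is a simple bind with the user's credentials (protected in transit only if the connection uses TLS)`, and the same caveat belongs in the `authentication` attribute text added in the realm.xml hunk. The `finally` in the second hunk puts the property back in the environment, but whether the context is then re-bound as the realm's own account rather than left bound as the user is decided outside these hunks and is worth confirming. The enclosing method starts before the first hunk and ends after the second.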
+++ b/webapps/docs/changelog.xml
@@ -154,6 +154,11 @@
 Improve the mechanism for detecting whether a web application has been deployed to a case sensitive or a case insensitive file system. (markt)
 </fix>
+ <fix>
+ Enable the JNDIRealm to validate credentials provided to
+ <code>HttpServletRequest.login(String username, String password)</code>
+ when the realm is configured to use GSSAPI authentication. (markt)
+ </fix>
 </changelog>
 </subsection>
 <subsection name="Coyote">
diff --git a/webapps/docs/config/realm.xml b/webapps/docs/config/realm.xml
index 860881fd7f..b5d5370cc2 100644
--- a/webapps/docs/config/realm.xml
+++ b/webapps/docs/config/realm.xml
@@ -278,9 +278,14 @@
 </attribute>
 <attribute name="authentication" required="false">
- <p>A string specifying the type of authentication to use.
- "none", "simple", "strong" or a provider specific definition
- can be used. If no value is given the providers default is used.</p>
+ <p>A string specifying the type of authentication to use. "none",
+ "simple", "strong" or a provider specific definition can be used. If the
+ provider specific mechanism "GSSAPI" is specified and supported by the
+ provider, there are some circumstances, such as handling calls to
+ <code>HttpServletRequest.login(String username, String password)</code>,
+ where "GSSAPI" will not be used and the user will be
+ authenticated as described in <code>userPassword</code>. If no value is
+ given, the providers default is used.</p>
 </attribute>
 <attribute name="cipherSuites" required="false">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org