[Bug 55354] New: JNDIRealm.getPrincipal(context,username,gssCredential) corrupts realm context

Sun, 04 Aug 2013 19:54:10 -0700 

https://issues.apache.org/bugzilla/show_bug.cgi?id=55354

            Bug ID: 55354
           Summary: JNDIRealm.getPrincipal(context,username,gssCredential)
                    corrupts realm context
           Product: Tomcat 7
           Version: 7.0.42
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: richard.b...@identity-solutions.com.au

The getPrincipal(context,username,gssCredential) method in JNDIRealm is
designed to allow delegated credentials to be applied to the directory server
connection as part of SPNEGO authentication.

This is done by manipulation of a number of the directory context's environment
parameters.

However, as currently implemented, these environment parameters are forcibly
cleared after the getUser() call regardless of whether the values were even
changed (i.e. if isUseDelegatedCredential() returned false).

If the container realm is defined to use GSSAPI authentication, only the first
SPNEGO authentication request will succeed.  All subsequent requests will fail
with this exception:
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr:
DSID-0C0906DC, comment: In order to perform this operation a successful bind
must be completed on the connection., data 0, v1db0 

The exception is due to the Context.SECURITY_AUTHENTICATION being cleared by
getPrincipal() - resulting in a attempted "simple" bind with no
username/password (i.e. anonymous).

A workaround is to ensure that the connectionName and connectionPassword
parameters are specified in the realm definition - however, if one is using
GSSAPI - this shouldn't be necessary and certainly defeats the purpose of using
GSSAPI in the first place.

The code should preserve pre-existing environment parameters in the context
before changing them, then restore those values afterwards - rather than just
clearing the settings completely.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to