(tomcat) 01/03: Add JreCompat support for Subject.callAs()
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit a2384804c527c64290cfae1fa988f1f394890e91
Author: Mark Thomas
AuthorDate: Wed Jul 24 17:51:24 2024 +0100
Add JreCompat support for Subject.callAs()
With the changes coming in Java 23 we need to move away from
Subject.doAs() but the replacement isn't available in Java 17. Hence use
JreCompat.
---
.../org/apache/tomcat/util/compat/Jre18Compat.java | 71 ++
.../org/apache/tomcat/util/compat/Jre19Compat.java | 2 +-
java/org/apache/tomcat/util/compat/JreCompat.java | 39
.../tomcat/util/compat/LocalStrings.properties | 1 +
4 files changed, 112 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/tomcat/util/compat/Jre18Compat.java
b/java/org/apache/tomcat/util/compat/Jre18Compat.java
new file mode 100644
index 00..b83999f179
--- /dev/null
+++ b/java/org/apache/tomcat/util/compat/Jre18Compat.java
@@ -0,0 +1,71 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.compat;
+
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.util.concurrent.Callable;
+import java.util.concurrent.CompletionException;
+
+import javax.security.auth.Subject;
+
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
+
+public class Jre18Compat extends JreCompat {
+
+private static final Log log = LogFactory.getLog(Jre18Compat.class);
+private static final StringManager sm =
StringManager.getManager(Jre18Compat.class);
+
+private static final Method callAsMethod;
+
+static {
+Method m1 = null;
+
+try {
+m1 = Subject.class.getMethod("classAS", Subject.class,
Callable.class);
+} catch (NoSuchMethodException e) {
+// Must before-Java 18
+log.debug(sm.getString("jre18Compat.javaPre18"), e);
+}
+
+callAsMethod = m1;
+}
+
+
+static boolean isSupported() {
+return callAsMethod != null;
+}
+
+
+@SuppressWarnings("unchecked")
+@Override
+public T callAs(Subject subject, Callable action) throws
CompletionException {
+try {
+return (T) callAsMethod.invoke(null, subject, action);
+} catch (IllegalAccessException e) {
+throw new CompletionException(e);
+} catch (InvocationTargetException e) {
+Throwable cause = e.getCause();
+if (cause instanceof CompletionException) {
+throw (CompletionException) cause;
+}
+throw new CompletionException(e);
+}
+}
+}
diff --git a/java/org/apache/tomcat/util/compat/Jre19Compat.java
b/java/org/apache/tomcat/util/compat/Jre19Compat.java
index 60ee0c2dc1..fd9b85c515 100644
--- a/java/org/apache/tomcat/util/compat/Jre19Compat.java
+++ b/java/org/apache/tomcat/util/compat/Jre19Compat.java
@@ -22,7 +22,7 @@ import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.res.StringManager;
-public class Jre19Compat extends JreCompat {
+public class Jre19Compat extends Jre18Compat {
private static final Log log = LogFactory.getLog(Jre19Compat.class);
private static final StringManager sm =
StringManager.getManager(Jre19Compat.class);
diff --git a/java/org/apache/tomcat/util/compat/JreCompat.java
b/java/org/apache/tomcat/util/compat/JreCompat.java
index 743f76e64f..9227c2deac 100644
--- a/java/org/apache/tomcat/util/compat/JreCompat.java
+++ b/java/org/apache/tomcat/util/compat/JreCompat.java
@@ -17,6 +17,11 @@
package org.apache.tomcat.util.compat;
import java.lang.reflect.Field;
+import java.security.PrivilegedExceptionAction;
+import java.util.concurrent.Callable;
+import java.util.concurrent.CompletionException;
+
+import javax.security.auth.Subject;
import org.apache.tomcat.util.res.StringManager;
@@ -29,6 +34,7 @@ public class JreCompat {
private static final JreCompat instance;
private static final boolean graalAvailable;
(tomcat) branch main updated (17339b4ddc -> 5047bc090c)
This is an automated email from the ASF dual-hosted git repository. markt pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git from 17339b4ddc Add discardRequestsAndResponses to HTTP/2 with a default of false new a2384804c5 Add JreCompat support for Subject.callAs() new 59aa7f2e8e Refactor SpnegoAuthenticator to use Subject.callAs() when available new 5047bc090c Remove unused code The 3 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: .../authenticator/SpnegoAuthenticator.java | 67 +--- .../apache/coyote/http2/AbstractNonZeroStream.java | 14 + java/org/apache/coyote/http2/Stream.java | 12 .../org/apache/tomcat/util/compat/Jre18Compat.java | 71 ++ .../org/apache/tomcat/util/compat/Jre19Compat.java | 2 +- java/org/apache/tomcat/util/compat/JreCompat.java | 39 .../tomcat/util/compat/LocalStrings.properties | 1 + webapps/docs/changelog.xml | 5 ++ 8 files changed, 132 insertions(+), 79 deletions(-) create mode 100644 java/org/apache/tomcat/util/compat/Jre18Compat.java - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) 02/03: Refactor SpnegoAuthenticator to use Subject.callAs() when available
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 59aa7f2e8e30aa73bafcefc56000506efb2c0a70
Author: Mark Thomas
AuthorDate: Wed Jul 24 17:53:22 2024 +0100
Refactor SpnegoAuthenticator to use Subject.callAs() when available
---
.../authenticator/SpnegoAuthenticator.java | 67 +-
webapps/docs/changelog.xml | 5 ++
2 files changed, 19 insertions(+), 53 deletions(-)
diff --git a/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
b/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
index 8bed63a40e..570ce65413 100644
--- a/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
@@ -19,11 +19,9 @@ package org.apache.catalina.authenticator;
import java.io.File;
import java.io.IOException;
import java.security.Principal;
-import java.security.PrivilegedAction;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.LinkedHashMap;
+import java.util.concurrent.CompletionException;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
@@ -33,12 +31,12 @@ import javax.security.auth.login.LoginException;
import jakarta.servlet.http.HttpServletResponse;
import org.apache.catalina.LifecycleException;
-import org.apache.catalina.Realm;
import org.apache.catalina.connector.Request;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.buf.ByteChunk;
import org.apache.tomcat.util.buf.MessageBytes;
+import org.apache.tomcat.util.compat.JreCompat;
import org.apache.tomcat.util.compat.JreVendor;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
@@ -134,7 +132,6 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
}
-@SuppressWarnings("removal")
@Override
protected boolean doAuthenticate(Request request, HttpServletResponse
response) throws IOException {
@@ -211,11 +208,15 @@ public class SpnegoAuthenticator extends
AuthenticatorBase {
} else {
credentialLifetime = GSSCredential.DEFAULT_LIFETIME;
}
-final PrivilegedExceptionAction action = () ->
manager.createCredential(null,
-credentialLifetime, new Oid("1.3.6.1.5.5.2"),
GSSCredential.ACCEPT_ONLY);
-gssContext = manager.createContext(Subject.doAs(subject, action));
+gssContext =
manager.createContext(JreCompat.getInstance().callAs(subject, () -> {
+return manager.createCredential(null, credentialLifetime, new
Oid("1.3.6.1.5.5.2"),
+GSSCredential.ACCEPT_ONLY);
+}));
-outToken = Subject.doAs(lc.getSubject(), new
AcceptAction(gssContext, decoded));
+final GSSContext gssContextFinal = gssContext;
+outToken = JreCompat.getInstance().callAs(subject, () -> {
+return gssContextFinal.acceptSecContext(decoded, 0,
decoded.length);
+});
if (outToken == null) {
if (log.isDebugEnabled()) {
@@ -227,9 +228,9 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
return false;
}
-principal = Subject.doAs(subject,
-new AuthenticateAction(context.getRealm(), gssContext,
storeDelegatedCredential));
-
+principal = JreCompat.getInstance().callAs(subject, () -> {
+return context.getRealm().authenticate(gssContextFinal,
storeDelegatedCredential);
+});
} catch (GSSException e) {
if (log.isDebugEnabled()) {
log.debug(sm.getString("spnegoAuthenticator.ticketValidateFail"), e);
@@ -237,7 +238,7 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
response.setHeader(AUTH_HEADER_NAME, AUTH_HEADER_VALUE_NEGOTIATE);
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return false;
-} catch (PrivilegedActionException e) {
+} catch (CompletionException e) {
Throwable cause = e.getCause();
if (cause instanceof GSSException) {
if (log.isDebugEnabled()) {
@@ -295,46 +296,6 @@ public class SpnegoAuthenticator extends AuthenticatorBase
{
}
-/**
- * This class gets a gss credential via a privileged action.
- */
-public static class AcceptAction implements
PrivilegedExceptionAction {
-
-GSSContext gssContext;
-
-byte[] decoded;
-
-public AcceptAction(GSSContext context, byte[] decodedToken) {
-this.gssContext = context;
-this.decoded = decodedToken;
-}
-
-@Override
-public byte[] run() throws GS
(tomcat) 03/03: Remove unused code
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 5047bc090c8ed21ea140826d79c40c149f7a290d
Author: Mark Thomas
AuthorDate: Thu Jul 25 09:42:43 2024 +0100
Remove unused code
---
java/org/apache/coyote/http2/AbstractNonZeroStream.java | 14 +-
java/org/apache/coyote/http2/Stream.java| 12
2 files changed, 1 insertion(+), 25 deletions(-)
diff --git a/java/org/apache/coyote/http2/AbstractNonZeroStream.java
b/java/org/apache/coyote/http2/AbstractNonZeroStream.java
index 6dc7c19077..efaf73bfe3 100644
--- a/java/org/apache/coyote/http2/AbstractNonZeroStream.java
+++ b/java/org/apache/coyote/http2/AbstractNonZeroStream.java
@@ -61,19 +61,6 @@ abstract class AbstractNonZeroStream extends AbstractStream {
}
-/**
- * Obtain the ByteBuffer to store DATA frame payload data for this stream
that has been received from the client.
- *
- * @return {@code null} if the DATA frame payload can be swallowed, or a
ByteBuffer with at least enough space
- * remaining for the current flow control window for stream
data from the client.
- *
- * @deprecated Unused. Will be removed in Tomcat 11.
- */
-@Deprecated
-ByteBuffer getInputByteBuffer() {
-return getInputByteBuffer(true);
-}
-
/**
* Obtain the ByteBuffer to store DATA frame payload data for this stream
that has been received from the client.
*
@@ -82,6 +69,7 @@ abstract class AbstractNonZeroStream extends AbstractStream {
*/
abstract ByteBuffer getInputByteBuffer(boolean create);
+
/**
* Notify that some data has been received.
*
diff --git a/java/org/apache/coyote/http2/Stream.java
b/java/org/apache/coyote/http2/Stream.java
index 6d2a67b969..9fe058d57e 100644
--- a/java/org/apache/coyote/http2/Stream.java
+++ b/java/org/apache/coyote/http2/Stream.java
@@ -1100,18 +1100,6 @@ class Stream extends AbstractNonZeroStream implements
HeaderEmitter {
abstract void notifyEof();
-/**
- * Return, creating if necessary, the input buffer.
- *
- * @return The input buffer
- *
- * @deprecated Unused. Will be removed in Tomcat 11.
- */
-@Deprecated
-ByteBuffer getInBuffer() {
-return getInBuffer(true);
-}
-
abstract ByteBuffer getInBuffer(boolean create);
abstract void onDataAvailable() throws IOException;
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat-native) branch main updated: Add 2.0.8 release notice
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat-native.git The following commit(s) were added to refs/heads/main by this push: new 5f8d6d68f Add 2.0.8 release notice 5f8d6d68f is described below commit 5f8d6d68fee71344bee8f0df4e5650d586aeac73 Author: Mark Thomas AuthorDate: Wed Jul 24 18:13:30 2024 +0100 Add 2.0.8 release notice --- xdocs/index.xml | 4 ++-- xdocs/news/2024.xml | 5 + 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/xdocs/index.xml b/xdocs/index.xml index 9a359adab..48612f23c 100644 --- a/xdocs/index.xml +++ b/xdocs/index.xml @@ -42,10 +42,10 @@ -8 February 2024 - TC-Native-2.0.7 +24 July 2024 - TC-Native-2.0.8 released The Apache Tomcat team is proud to announce the immediate availability of -Tomcat Native 2.0.7 Stable. +Tomcat Native 2.0.8 Stable. The sources and the binaries for selected platforms are available from the Download page. diff --git a/xdocs/news/2024.xml b/xdocs/news/2024.xml index 9312811e8..0f05c2d90 100644 --- a/xdocs/news/2024.xml +++ b/xdocs/news/2024.xml @@ -30,6 +30,11 @@ + +The Apache Tomcat team is proud to announce the immediate +availability of Tomcat Native 2.0.8. + + The Apache Tomcat team is proud to announce the immediate availability of Tomcat Native 2.0.7. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[PR] Update RUNNING.txt [tomcat]
anujdevopslearn opened a new pull request, #743: URL: https://github.com/apache/tomcat/pull/743 (no comment) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [PR] Update RUNNING.txt [tomcat]
anujdevopslearn closed pull request #743: Update RUNNING.txt URL: https://github.com/apache/tomcat/pull/743 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: (tomcat) 01/03: Add JreCompat support for Subject.callAs()
On 2024/07/25 08:42:52 ma...@apache.org wrote:
> This is an automated email from the ASF dual-hosted git repository.
>
> markt pushed a commit to branch main
> in repository https://gitbox.apache.org/repos/asf/tomcat.git
>
> commit a2384804c527c64290cfae1fa988f1f394890e91
> Author: Mark Thomas
> AuthorDate: Wed Jul 24 17:51:24 2024 +0100
>
> Add JreCompat support for Subject.callAs()
>
> With the changes coming in Java 23 we need to move away from
> Subject.doAs() but the replacement isn't available in Java 17. Hence use
> JreCompat.
> ---
> .../org/apache/tomcat/util/compat/Jre18Compat.java | 71
> ++
> .../org/apache/tomcat/util/compat/Jre19Compat.java | 2 +-
> java/org/apache/tomcat/util/compat/JreCompat.java | 39
> .../tomcat/util/compat/LocalStrings.properties | 1 +
> 4 files changed, 112 insertions(+), 1 deletion(-)
>
> diff --git a/java/org/apache/tomcat/util/compat/Jre18Compat.java
> b/java/org/apache/tomcat/util/compat/Jre18Compat.java
> new file mode 100644
> index 00..b83999f179
> --- /dev/null
> +++ b/java/org/apache/tomcat/util/compat/Jre18Compat.java
> @@ -0,0 +1,71 @@
> +/*
> + * Licensed to the Apache Software Foundation (ASF) under one or more
> + * contributor license agreements. See the NOTICE file distributed with
> + * this work for additional information regarding copyright ownership.
> + * The ASF licenses this file to You under the Apache License, Version 2.0
> + * (the "License"); you may not use this file except in compliance with
> + * the License. You may obtain a copy of the License at
> + *
> + * http://www.apache.org/licenses/LICENSE-2.0
> + *
> + * Unless required by applicable law or agreed to in writing, software
> + * distributed under the License is distributed on an "AS IS" BASIS,
> + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> + * See the License for the specific language governing permissions and
> + * limitations under the License.
> + */
> +package org.apache.tomcat.util.compat;
> +
> +import java.lang.reflect.InvocationTargetException;
> +import java.lang.reflect.Method;
> +import java.util.concurrent.Callable;
> +import java.util.concurrent.CompletionException;
> +
> +import javax.security.auth.Subject;
> +
> +import org.apache.juli.logging.Log;
> +import org.apache.juli.logging.LogFactory;
> +import org.apache.tomcat.util.res.StringManager;
> +
> +public class Jre18Compat extends JreCompat {
> +
> +private static final Log log = LogFactory.getLog(Jre18Compat.class);
> +private static final StringManager sm =
> StringManager.getManager(Jre18Compat.class);
> +
> +private static final Method callAsMethod;
> +
> +static {
> +Method m1 = null;
> +
> +try {
> +m1 = Subject.class.getMethod("classAS", Subject.class,
> Callable.class);
Am I stupid or isn't the method called "callAs"?
https://docs.oracle.com/en/java/javase/21/docs/api/java.base/javax/security/auth/Subject.html#callAs(javax.security.auth.Subject,java.util.concurrent.Callable)
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch main updated: Fix typo
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new c0754581e4 Fix typo
c0754581e4 is described below
commit c0754581e4a2d50a7ec4beafc1e2c4125020eb09
Author: Mark Thomas
AuthorDate: Thu Jul 25 12:46:32 2024 +0100
Fix typo
---
java/org/apache/tomcat/util/compat/Jre18Compat.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/org/apache/tomcat/util/compat/Jre18Compat.java
b/java/org/apache/tomcat/util/compat/Jre18Compat.java
index b83999f179..e4c7d58256 100644
--- a/java/org/apache/tomcat/util/compat/Jre18Compat.java
+++ b/java/org/apache/tomcat/util/compat/Jre18Compat.java
@@ -38,7 +38,7 @@ public class Jre18Compat extends JreCompat {
Method m1 = null;
try {
-m1 = Subject.class.getMethod("classAS", Subject.class,
Callable.class);
+m1 = Subject.class.getMethod("callAs", Subject.class,
Callable.class);
} catch (NoSuchMethodException e) {
// Must before-Java 18
log.debug(sm.getString("jre18Compat.javaPre18"), e);
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: (tomcat) 01/03: Add JreCompat support for Subject.callAs()
On Thu, Jul 25, 2024 at 10:44 AM wrote:
>
> This is an automated email from the ASF dual-hosted git repository.
>
> markt pushed a commit to branch main
> in repository https://gitbox.apache.org/repos/asf/tomcat.git
>
> commit a2384804c527c64290cfae1fa988f1f394890e91
> Author: Mark Thomas
> AuthorDate: Wed Jul 24 17:51:24 2024 +0100
>
> Add JreCompat support for Subject.callAs()
>
> With the changes coming in Java 23 we need to move away from
> Subject.doAs() but the replacement isn't available in Java 17. Hence use
> JreCompat.
> ---
> .../org/apache/tomcat/util/compat/Jre18Compat.java | 71
> ++
This could be needlessly fancy to add this now. Maybe JreCompat could
be rounded up to the next LTS once they are released. Nobody is going
to use 18 or 19 anymore (21 will be used instead).
Rémy
> .../org/apache/tomcat/util/compat/Jre19Compat.java | 2 +-
> java/org/apache/tomcat/util/compat/JreCompat.java | 39
> .../tomcat/util/compat/LocalStrings.properties | 1 +
> 4 files changed, 112 insertions(+), 1 deletion(-)
>
> diff --git a/java/org/apache/tomcat/util/compat/Jre18Compat.java
> b/java/org/apache/tomcat/util/compat/Jre18Compat.java
> new file mode 100644
> index 00..b83999f179
> --- /dev/null
> +++ b/java/org/apache/tomcat/util/compat/Jre18Compat.java
> @@ -0,0 +1,71 @@
> +/*
> + * Licensed to the Apache Software Foundation (ASF) under one or more
> + * contributor license agreements. See the NOTICE file distributed with
> + * this work for additional information regarding copyright ownership.
> + * The ASF licenses this file to You under the Apache License, Version 2.0
> + * (the "License"); you may not use this file except in compliance with
> + * the License. You may obtain a copy of the License at
> + *
> + * http://www.apache.org/licenses/LICENSE-2.0
> + *
> + * Unless required by applicable law or agreed to in writing, software
> + * distributed under the License is distributed on an "AS IS" BASIS,
> + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> + * See the License for the specific language governing permissions and
> + * limitations under the License.
> + */
> +package org.apache.tomcat.util.compat;
> +
> +import java.lang.reflect.InvocationTargetException;
> +import java.lang.reflect.Method;
> +import java.util.concurrent.Callable;
> +import java.util.concurrent.CompletionException;
> +
> +import javax.security.auth.Subject;
> +
> +import org.apache.juli.logging.Log;
> +import org.apache.juli.logging.LogFactory;
> +import org.apache.tomcat.util.res.StringManager;
> +
> +public class Jre18Compat extends JreCompat {
> +
> +private static final Log log = LogFactory.getLog(Jre18Compat.class);
> +private static final StringManager sm =
> StringManager.getManager(Jre18Compat.class);
> +
> +private static final Method callAsMethod;
> +
> +static {
> +Method m1 = null;
> +
> +try {
> +m1 = Subject.class.getMethod("classAS", Subject.class,
> Callable.class);
> +} catch (NoSuchMethodException e) {
> +// Must before-Java 18
> +log.debug(sm.getString("jre18Compat.javaPre18"), e);
> +}
> +
> +callAsMethod = m1;
> +}
> +
> +
> +static boolean isSupported() {
> +return callAsMethod != null;
> +}
> +
> +
> +@SuppressWarnings("unchecked")
> +@Override
> +public T callAs(Subject subject, Callable action) throws
> CompletionException {
> +try {
> +return (T) callAsMethod.invoke(null, subject, action);
> +} catch (IllegalAccessException e) {
> +throw new CompletionException(e);
> +} catch (InvocationTargetException e) {
> +Throwable cause = e.getCause();
> +if (cause instanceof CompletionException) {
> +throw (CompletionException) cause;
> +}
> +throw new CompletionException(e);
> +}
> +}
> +}
> diff --git a/java/org/apache/tomcat/util/compat/Jre19Compat.java
> b/java/org/apache/tomcat/util/compat/Jre19Compat.java
> index 60ee0c2dc1..fd9b85c515 100644
> --- a/java/org/apache/tomcat/util/compat/Jre19Compat.java
> +++ b/java/org/apache/tomcat/util/compat/Jre19Compat.java
> @@ -22,7 +22,7 @@ import org.apache.juli.logging.Log;
> import org.apache.juli.logging.LogFactory;
> import org.apache.tomcat.util.res.StringManager;
>
> -public class Jre19Compat extends JreCompat {
> +public class Jre19Compat extends Jre18Compat {
>
> private static final Log log = LogFactory.getLog(Jre19Compat.class);
> private static final StringManager sm =
> StringManager.getManager(Jre19Compat.class);
> diff --git a/java/org/apache/tomcat/util/compat/JreCompat.java
> b/java/org/apache/tomcat/util/compat/JreCompat.java
> index 743f76e64f..9227c2deac 100644
> --- a/java/org/apache/tomcat/util/compat/JreCompat.java
> +++ b/java/org/apache/tomcat/util/compat/JreC
Re: (tomcat) 01/03: Add JreCompat support for Subject.callAs()
On 25/07/2024 13:42, Rémy Maucherat wrote: On Thu, Jul 25, 2024 at 10:44 AM wrote: This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git commit a2384804c527c64290cfae1fa988f1f394890e91 Author: Mark Thomas AuthorDate: Wed Jul 24 17:51:24 2024 +0100 Add JreCompat support for Subject.callAs() With the changes coming in Java 23 we need to move away from Subject.doAs() but the replacement isn't available in Java 17. Hence use JreCompat. --- .../org/apache/tomcat/util/compat/Jre18Compat.java | 71 ++ This could be needlessly fancy to add this now. Maybe JreCompat could be rounded up to the next LTS once they are released. Nobody is going to use 18 or 19 anymore (21 will be used instead). That is certainly worth looking at. I'll take a look at the refactoring once I've confirmed SPNEGO is still working. Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: (tomcat) 01/03: Add JreCompat support for Subject.callAs()
On 25/07/2024 11:31, Michael Osipov wrote:
On 2024/07/25 08:42:52 ma...@apache.org wrote:
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit a2384804c527c64290cfae1fa988f1f394890e91
Author: Mark Thomas
AuthorDate: Wed Jul 24 17:51:24 2024 +0100
Add JreCompat support for Subject.callAs()
With the changes coming in Java 23 we need to move away from
Subject.doAs() but the replacement isn't available in Java 17. Hence use
JreCompat.
---
.../org/apache/tomcat/util/compat/Jre18Compat.java | 71 ++
.../org/apache/tomcat/util/compat/Jre19Compat.java | 2 +-
java/org/apache/tomcat/util/compat/JreCompat.java | 39
.../tomcat/util/compat/LocalStrings.properties | 1 +
4 files changed, 112 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/tomcat/util/compat/Jre18Compat.java
b/java/org/apache/tomcat/util/compat/Jre18Compat.java
new file mode 100644
index 00..b83999f179
--- /dev/null
+++ b/java/org/apache/tomcat/util/compat/Jre18Compat.java
@@ -0,0 +1,71 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.compat;
+
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.util.concurrent.Callable;
+import java.util.concurrent.CompletionException;
+
+import javax.security.auth.Subject;
+
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
+
+public class Jre18Compat extends JreCompat {
+
+private static final Log log = LogFactory.getLog(Jre18Compat.class);
+private static final StringManager sm =
StringManager.getManager(Jre18Compat.class);
+
+private static final Method callAsMethod;
+
+static {
+Method m1 = null;
+
+try {
+m1 = Subject.class.getMethod("classAS", Subject.class,
Callable.class);
Am I stupid or isn't the method called "callAs"?
https://docs.oracle.com/en/java/javase/21/docs/api/java.base/javax/security/auth/Subject.html#callAs(javax.security.auth.Subject,java.util.concurrent.Callable)
My typo. Not sure how I managed to get from "callAs" to that. I'm in the
middle of updating my test environment so I could check that commit.
I'll fix that now. I don't plan to back-port until I confirm everything
is working as expected.
Mark
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 10.1.x updated (fa8c99b70d -> 86d3fcf914)
This is an automated email from the ASF dual-hosted git repository. markt pushed a change to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git from fa8c99b70d Add discardRequestsAndResponses to HTTP/2 with a default of false new 0bb26ef6ca Add JreCompat support for Subject.callAs() new 86d3fcf914 Refactor SpnegoAuthenticator to use Subject.callAs() when available The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: .../authenticator/SpnegoAuthenticator.java | 66 +--- .../org/apache/tomcat/util/compat/Jre18Compat.java | 71 ++ .../org/apache/tomcat/util/compat/Jre19Compat.java | 2 +- java/org/apache/tomcat/util/compat/JreCompat.java | 40 .../tomcat/util/compat/LocalStrings.properties | 2 + webapps/docs/changelog.xml | 5 ++ 6 files changed, 133 insertions(+), 53 deletions(-) create mode 100644 java/org/apache/tomcat/util/compat/Jre18Compat.java - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) 02/02: Refactor SpnegoAuthenticator to use Subject.callAs() when available
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 86d3fcf914fd754ede19ed3557dc5a4511dc1124
Author: Mark Thomas
AuthorDate: Wed Jul 24 17:53:22 2024 +0100
Refactor SpnegoAuthenticator to use Subject.callAs() when available
---
.../authenticator/SpnegoAuthenticator.java | 66 +-
.../org/apache/tomcat/util/compat/Jre18Compat.java | 2 +-
webapps/docs/changelog.xml | 5 ++
3 files changed, 20 insertions(+), 53 deletions(-)
diff --git a/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
b/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
index c314f5d893..570ce65413 100644
--- a/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
@@ -19,11 +19,9 @@ package org.apache.catalina.authenticator;
import java.io.File;
import java.io.IOException;
import java.security.Principal;
-import java.security.PrivilegedAction;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.LinkedHashMap;
+import java.util.concurrent.CompletionException;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
@@ -33,12 +31,12 @@ import javax.security.auth.login.LoginException;
import jakarta.servlet.http.HttpServletResponse;
import org.apache.catalina.LifecycleException;
-import org.apache.catalina.Realm;
import org.apache.catalina.connector.Request;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.buf.ByteChunk;
import org.apache.tomcat.util.buf.MessageBytes;
+import org.apache.tomcat.util.compat.JreCompat;
import org.apache.tomcat.util.compat.JreVendor;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
@@ -210,11 +208,15 @@ public class SpnegoAuthenticator extends
AuthenticatorBase {
} else {
credentialLifetime = GSSCredential.DEFAULT_LIFETIME;
}
-final PrivilegedExceptionAction action = () ->
manager.createCredential(null,
-credentialLifetime, new Oid("1.3.6.1.5.5.2"),
GSSCredential.ACCEPT_ONLY);
-gssContext = manager.createContext(Subject.doAs(subject, action));
+gssContext =
manager.createContext(JreCompat.getInstance().callAs(subject, () -> {
+return manager.createCredential(null, credentialLifetime, new
Oid("1.3.6.1.5.5.2"),
+GSSCredential.ACCEPT_ONLY);
+}));
-outToken = Subject.doAs(lc.getSubject(), new
AcceptAction(gssContext, decoded));
+final GSSContext gssContextFinal = gssContext;
+outToken = JreCompat.getInstance().callAs(subject, () -> {
+return gssContextFinal.acceptSecContext(decoded, 0,
decoded.length);
+});
if (outToken == null) {
if (log.isDebugEnabled()) {
@@ -226,9 +228,9 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
return false;
}
-principal = Subject.doAs(subject,
-new AuthenticateAction(context.getRealm(), gssContext,
storeDelegatedCredential));
-
+principal = JreCompat.getInstance().callAs(subject, () -> {
+return context.getRealm().authenticate(gssContextFinal,
storeDelegatedCredential);
+});
} catch (GSSException e) {
if (log.isDebugEnabled()) {
log.debug(sm.getString("spnegoAuthenticator.ticketValidateFail"), e);
@@ -236,7 +238,7 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
response.setHeader(AUTH_HEADER_NAME, AUTH_HEADER_VALUE_NEGOTIATE);
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return false;
-} catch (PrivilegedActionException e) {
+} catch (CompletionException e) {
Throwable cause = e.getCause();
if (cause instanceof GSSException) {
if (log.isDebugEnabled()) {
@@ -294,46 +296,6 @@ public class SpnegoAuthenticator extends AuthenticatorBase
{
}
-/**
- * This class gets a gss credential via a privileged action.
- */
-public static class AcceptAction implements
PrivilegedExceptionAction {
-
-GSSContext gssContext;
-
-byte[] decoded;
-
-public AcceptAction(GSSContext context, byte[] decodedToken) {
-this.gssContext = context;
-this.decoded = decodedToken;
-}
-
-@Override
-public byte[] run() throws GSSException {
-return gssContext.acceptSecContext(decoded, 0, decoded.length);
-}
-}
-
-
-public static class AuthenticateAction implements
PrivilegedAction {
-
(tomcat) 01/02: Add JreCompat support for Subject.callAs()
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 0bb26ef6ca7a50a127840bbff5fdeec88b63faef
Author: Mark Thomas
AuthorDate: Wed Jul 24 17:51:24 2024 +0100
Add JreCompat support for Subject.callAs()
With the changes coming in Java 23 we need to move away from
Subject.doAs() but the replacement isn't available in Java 17. Hence use
JreCompat.
---
.../org/apache/tomcat/util/compat/Jre18Compat.java | 71 ++
.../org/apache/tomcat/util/compat/Jre19Compat.java | 2 +-
java/org/apache/tomcat/util/compat/JreCompat.java | 40
.../tomcat/util/compat/LocalStrings.properties | 2 +
4 files changed, 114 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/tomcat/util/compat/Jre18Compat.java
b/java/org/apache/tomcat/util/compat/Jre18Compat.java
new file mode 100644
index 00..50c744b1d5
--- /dev/null
+++ b/java/org/apache/tomcat/util/compat/Jre18Compat.java
@@ -0,0 +1,71 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.compat;
+
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.util.concurrent.Callable;
+import java.util.concurrent.CompletionException;
+
+import javax.security.auth.Subject;
+
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
+
+public class Jre18Compat extends Jre16Compat {
+
+private static final Log log = LogFactory.getLog(Jre18Compat.class);
+private static final StringManager sm =
StringManager.getManager(Jre18Compat.class);
+
+private static final Method callAsMethod;
+
+static {
+Method m1 = null;
+
+try {
+m1 = Subject.class.getMethod("classAS", Subject.class,
Callable.class);
+} catch (NoSuchMethodException e) {
+// Must before-Java 18
+log.debug(sm.getString("jre18Compat.javaPre18"), e);
+}
+
+callAsMethod = m1;
+}
+
+
+static boolean isSupported() {
+return callAsMethod != null;
+}
+
+
+@SuppressWarnings("unchecked")
+@Override
+public T callAs(Subject subject, Callable action) throws
CompletionException {
+try {
+return (T) callAsMethod.invoke(null, subject, action);
+} catch (IllegalAccessException e) {
+throw new CompletionException(e);
+} catch (InvocationTargetException e) {
+Throwable cause = e.getCause();
+if (cause instanceof CompletionException) {
+throw (CompletionException) cause;
+}
+throw new CompletionException(e);
+}
+}
+}
diff --git a/java/org/apache/tomcat/util/compat/Jre19Compat.java
b/java/org/apache/tomcat/util/compat/Jre19Compat.java
index 45ce68b666..fd9b85c515 100644
--- a/java/org/apache/tomcat/util/compat/Jre19Compat.java
+++ b/java/org/apache/tomcat/util/compat/Jre19Compat.java
@@ -22,7 +22,7 @@ import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.res.StringManager;
-public class Jre19Compat extends Jre16Compat {
+public class Jre19Compat extends Jre18Compat {
private static final Log log = LogFactory.getLog(Jre19Compat.class);
private static final StringManager sm =
StringManager.getManager(Jre19Compat.class);
diff --git a/java/org/apache/tomcat/util/compat/JreCompat.java
b/java/org/apache/tomcat/util/compat/JreCompat.java
index 86f540bfec..1f8b311b77 100644
--- a/java/org/apache/tomcat/util/compat/JreCompat.java
+++ b/java/org/apache/tomcat/util/compat/JreCompat.java
@@ -20,6 +20,11 @@ import java.lang.reflect.Field;
import java.net.SocketAddress;
import java.nio.channels.ServerSocketChannel;
import java.nio.channels.SocketChannel;
+import java.security.PrivilegedExceptionAction;
+import java.util.concurrent.Callable;
+import java.util.concurrent.CompletionException;
+
+import javax.security.auth.Subject;
import org.apache.tomcat.util.res.StringManager;
@@ -33,6 +38,7 @@ public class JreCompat {
private s
(tomcat) 01/02: Add JreCompat support for Subject.callAs()
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 93cd15715aa6df13460a01a4547aec625b01c5a3
Author: Mark Thomas
AuthorDate: Wed Jul 24 17:51:24 2024 +0100
Add JreCompat support for Subject.callAs()
With the changes coming in Java 23 we need to move away from
Subject.doAs() but the replacement isn't available in Java 17. Hence use
JreCompat.
---
.../org/apache/tomcat/util/compat/Jre18Compat.java | 71 ++
.../org/apache/tomcat/util/compat/Jre19Compat.java | 2 +-
java/org/apache/tomcat/util/compat/JreCompat.java | 41 +
.../tomcat/util/compat/LocalStrings.properties | 2 +
4 files changed, 115 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/tomcat/util/compat/Jre18Compat.java
b/java/org/apache/tomcat/util/compat/Jre18Compat.java
new file mode 100644
index 00..50c744b1d5
--- /dev/null
+++ b/java/org/apache/tomcat/util/compat/Jre18Compat.java
@@ -0,0 +1,71 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.compat;
+
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.util.concurrent.Callable;
+import java.util.concurrent.CompletionException;
+
+import javax.security.auth.Subject;
+
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
+
+public class Jre18Compat extends Jre16Compat {
+
+private static final Log log = LogFactory.getLog(Jre18Compat.class);
+private static final StringManager sm =
StringManager.getManager(Jre18Compat.class);
+
+private static final Method callAsMethod;
+
+static {
+Method m1 = null;
+
+try {
+m1 = Subject.class.getMethod("classAS", Subject.class,
Callable.class);
+} catch (NoSuchMethodException e) {
+// Must before-Java 18
+log.debug(sm.getString("jre18Compat.javaPre18"), e);
+}
+
+callAsMethod = m1;
+}
+
+
+static boolean isSupported() {
+return callAsMethod != null;
+}
+
+
+@SuppressWarnings("unchecked")
+@Override
+public T callAs(Subject subject, Callable action) throws
CompletionException {
+try {
+return (T) callAsMethod.invoke(null, subject, action);
+} catch (IllegalAccessException e) {
+throw new CompletionException(e);
+} catch (InvocationTargetException e) {
+Throwable cause = e.getCause();
+if (cause instanceof CompletionException) {
+throw (CompletionException) cause;
+}
+throw new CompletionException(e);
+}
+}
+}
diff --git a/java/org/apache/tomcat/util/compat/Jre19Compat.java
b/java/org/apache/tomcat/util/compat/Jre19Compat.java
index 45ce68b666..fd9b85c515 100644
--- a/java/org/apache/tomcat/util/compat/Jre19Compat.java
+++ b/java/org/apache/tomcat/util/compat/Jre19Compat.java
@@ -22,7 +22,7 @@ import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.res.StringManager;
-public class Jre19Compat extends Jre16Compat {
+public class Jre19Compat extends Jre18Compat {
private static final Log log = LogFactory.getLog(Jre19Compat.class);
private static final StringManager sm =
StringManager.getManager(Jre19Compat.class);
diff --git a/java/org/apache/tomcat/util/compat/JreCompat.java
b/java/org/apache/tomcat/util/compat/JreCompat.java
index 0c1840c90b..c1bf67a815 100644
--- a/java/org/apache/tomcat/util/compat/JreCompat.java
+++ b/java/org/apache/tomcat/util/compat/JreCompat.java
@@ -27,11 +27,15 @@ import java.net.URL;
import java.net.URLConnection;
import java.nio.channels.ServerSocketChannel;
import java.nio.channels.SocketChannel;
+import java.security.PrivilegedExceptionAction;
import java.util.Deque;
+import java.util.concurrent.Callable;
+import java.util.concurrent.CompletionException;
import java.util.jar.JarFile;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
+import javax.security.auth.Subj
(tomcat) branch 9.0.x updated (3c5b14b713 -> 6e1aa9acdd)
This is an automated email from the ASF dual-hosted git repository. markt pushed a change to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git from 3c5b14b713 Add discardRequestsAndResponses to HTTP/2 with a default of false new 93cd15715a Add JreCompat support for Subject.callAs() new 6e1aa9acdd Refactor SpnegoAuthenticator to use Subject.callAs() when available The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: .../authenticator/SpnegoAuthenticator.java | 66 +--- .../org/apache/tomcat/util/compat/Jre18Compat.java | 71 ++ .../org/apache/tomcat/util/compat/Jre19Compat.java | 2 +- java/org/apache/tomcat/util/compat/JreCompat.java | 41 + .../tomcat/util/compat/LocalStrings.properties | 2 + webapps/docs/changelog.xml | 5 ++ 6 files changed, 134 insertions(+), 53 deletions(-) create mode 100644 java/org/apache/tomcat/util/compat/Jre18Compat.java - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) 02/02: Refactor SpnegoAuthenticator to use Subject.callAs() when available
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 6e1aa9acdd90cff340e3003b70d66f9a165db38c
Author: Mark Thomas
AuthorDate: Wed Jul 24 17:53:22 2024 +0100
Refactor SpnegoAuthenticator to use Subject.callAs() when available
---
.../authenticator/SpnegoAuthenticator.java | 66 +-
.../org/apache/tomcat/util/compat/Jre18Compat.java | 2 +-
webapps/docs/changelog.xml | 5 ++
3 files changed, 20 insertions(+), 53 deletions(-)
diff --git a/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
b/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
index 56ba47a864..e805c6d0df 100644
--- a/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/SpnegoAuthenticator.java
@@ -19,11 +19,9 @@ package org.apache.catalina.authenticator;
import java.io.File;
import java.io.IOException;
import java.security.Principal;
-import java.security.PrivilegedAction;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.LinkedHashMap;
+import java.util.concurrent.CompletionException;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
@@ -32,12 +30,12 @@ import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.LifecycleException;
-import org.apache.catalina.Realm;
import org.apache.catalina.connector.Request;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.buf.ByteChunk;
import org.apache.tomcat.util.buf.MessageBytes;
+import org.apache.tomcat.util.compat.JreCompat;
import org.apache.tomcat.util.compat.JreVendor;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
@@ -209,11 +207,15 @@ public class SpnegoAuthenticator extends
AuthenticatorBase {
} else {
credentialLifetime = GSSCredential.DEFAULT_LIFETIME;
}
-final PrivilegedExceptionAction action = () ->
manager.createCredential(null,
-credentialLifetime, new Oid("1.3.6.1.5.5.2"),
GSSCredential.ACCEPT_ONLY);
-gssContext = manager.createContext(Subject.doAs(subject, action));
+gssContext =
manager.createContext(JreCompat.getInstance().callAs(subject, () -> {
+return manager.createCredential(null, credentialLifetime, new
Oid("1.3.6.1.5.5.2"),
+GSSCredential.ACCEPT_ONLY);
+}));
-outToken = Subject.doAs(lc.getSubject(), new
AcceptAction(gssContext, decoded));
+final GSSContext gssContextFinal = gssContext;
+outToken = JreCompat.getInstance().callAs(subject, () -> {
+return gssContextFinal.acceptSecContext(decoded, 0,
decoded.length);
+});
if (outToken == null) {
if (log.isDebugEnabled()) {
@@ -225,9 +227,9 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
return false;
}
-principal = Subject.doAs(subject,
-new AuthenticateAction(context.getRealm(), gssContext,
storeDelegatedCredential));
-
+principal = JreCompat.getInstance().callAs(subject, () -> {
+return context.getRealm().authenticate(gssContextFinal,
storeDelegatedCredential);
+});
} catch (GSSException e) {
if (log.isDebugEnabled()) {
log.debug(sm.getString("spnegoAuthenticator.ticketValidateFail"), e);
@@ -235,7 +237,7 @@ public class SpnegoAuthenticator extends AuthenticatorBase {
response.setHeader(AUTH_HEADER_NAME, AUTH_HEADER_VALUE_NEGOTIATE);
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return false;
-} catch (PrivilegedActionException e) {
+} catch (CompletionException e) {
Throwable cause = e.getCause();
if (cause instanceof GSSException) {
if (log.isDebugEnabled()) {
@@ -293,46 +295,6 @@ public class SpnegoAuthenticator extends AuthenticatorBase
{
}
-/**
- * This class gets a gss credential via a privileged action.
- */
-public static class AcceptAction implements
PrivilegedExceptionAction {
-
-GSSContext gssContext;
-
-byte[] decoded;
-
-public AcceptAction(GSSContext context, byte[] decodedToken) {
-this.gssContext = context;
-this.decoded = decodedToken;
-}
-
-@Override
-public byte[] run() throws GSSException {
-return gssContext.acceptSecContext(decoded, 0, decoded.length);
-}
-}
-
-
-public static class AuthenticateAction implements
PrivilegedAction {
-
-
Simplifying JreCompat
As per Rémy's suggestion, I've been looking simplifying JreCompat to only support LTS versions and anything more recent than the newest LTS. That would mean: - Tomcat 9 only - Jre9Compat is renamed to Jre11Compat - Tomcat 9 and 10 - Jre16Compat is renamed to Jre17Compat - All versions - Jre18Compat and Jre19Compat are merged into the existing Jre21Compat Jre22Compat would be unchanged. So the only real change is merging Jre18Compat, Jre19Compat and Jre21Compat into a single, larger Jre21Compat. I'm on the fence as to whether this is worth doing. Thoughts? Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Buildbot success in on tomcat-9.0.x
Build status: Build succeeded! Worker used: bb_worker2_ubuntu URL: https://ci2.apache.org/#builders/37/builds/1021 Blamelist: Mark Thomas , Michael Clarke Build Text: build successful Status Detected: restored build Build Source Stamp: [branch 9.0.x] 6e1aa9acdd90cff340e3003b70d66f9a165db38c Steps: worker_preparation: 0 git: 0 shell: 0 shell_1: 0 shell_2: 0 shell_3: 0 shell_4: 0 shell_5: 0 compile: 1 shell_6: 0 shell_7: 0 shell_8: 0 shell_9: 0 Rsync docs to nightlies.apache.org: 0 shell_10: 0 Rsync RAT to nightlies.apache.org: 0 compile_1: 1 shell_11: 0 Rsync Logs to nightlies.apache.org: 0 -- ASF Buildbot - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Simplifying JreCompat
On Thu, Jul 25, 2024 at 10:34 PM Mark Thomas wrote: > > As per Rémy's suggestion, I've been looking simplifying JreCompat to > only support LTS versions and anything more recent than the newest LTS. > > That would mean: > - Tomcat 9 only >- Jre9Compat is renamed to Jre11Compat > - Tomcat 9 and 10 >- Jre16Compat is renamed to Jre17Compat > - All versions >- Jre18Compat and Jre19Compat are merged into the existing Jre21Compat > > Jre22Compat would be unchanged. > > So the only real change is merging Jre18Compat, Jre19Compat and > Jre21Compat into a single, larger Jre21Compat. > > I'm on the fence as to whether this is worth doing. Thoughts? Changing the existing does not seem that worthwhile. I sent the idea because adding a Java 18 class now seemed weird. Remy > Mark > > - > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Simplifying JreCompat
On 25/07/2024 22:49, Rémy Maucherat wrote: On Thu, Jul 25, 2024 at 10:34 PM Mark Thomas wrote: As per Rémy's suggestion, I've been looking simplifying JreCompat to only support LTS versions and anything more recent than the newest LTS. That would mean: - Tomcat 9 only - Jre9Compat is renamed to Jre11Compat - Tomcat 9 and 10 - Jre16Compat is renamed to Jre17Compat - All versions - Jre18Compat and Jre19Compat are merged into the existing Jre21Compat Jre22Compat would be unchanged. So the only real change is merging Jre18Compat, Jre19Compat and Jre21Compat into a single, larger Jre21Compat. I'm on the fence as to whether this is worth doing. Thoughts? Changing the existing does not seem that worthwhile. I sent the idea because adding a Java 18 class now seemed weird. Understood. I did it that way mostly for consistency with the existing code. The existing JreCompat implementations support a feature so it makes (more) sense to enable the feature in as many JRE versions as possible. This feature is a little different since there is a range of JRE versions that support both versions of the method. On that basis, I'm not against refactoring it to Jre21Compat and dropping Jre18Compat. Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Simplifying JreCompat
I am not sure whether this question is relevant What is this JreCompat On Fri, 26 Jul 2024, 02:04 Mark Thomas, wrote: > As per Rémy's suggestion, I've been looking simplifying JreCompat to > only support LTS versions and anything more recent than the newest LTS. > > That would mean: > - Tomcat 9 only >- Jre9Compat is renamed to Jre11Compat > - Tomcat 9 and 10 >- Jre16Compat is renamed to Jre17Compat > - All versions >- Jre18Compat and Jre19Compat are merged into the existing Jre21Compat > > Jre22Compat would be unchanged. > > So the only real change is merging Jre18Compat, Jre19Compat and > Jre21Compat into a single, larger Jre21Compat. > > I'm on the fence as to whether this is worth doing. Thoughts? > > Mark > > - > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > >
[Bug 69222] New: jakarta.el.ExpressionFactory service descriptor missing
https://bz.apache.org/bugzilla/show_bug.cgi?id=69222 Bug ID: 69222 Summary: jakarta.el.ExpressionFactory service descriptor missing Product: Tomcat 10 Version: 10.1.26 Hardware: All OS: All Status: NEW Severity: normal Priority: P2 Component: EL Assignee: dev@tomcat.apache.org Reporter: j.p.cranend...@gmail.com Target Milestone: -- Created attachment 39821 --> https://bz.apache.org/bugzilla/attachment.cgi?id=39821&action=edit Screenshot of comparison 10.1.25 jar vs 10.1.26 jar >From 10.1.25 to 10.1.26 the service description for ExpressionFactory has gone missing from the tomcat-embed-el jar, see screenshot for a comparison between the old and new jar. This among others causes issues with Spring (Boot) Validation, which fails to load a EL implementation if no other is available. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
