[Bug 69575] org.apache.coyote.CompressionConfig doesn't recognize "zstd" compression
https://bz.apache.org/bugzilla/show_bug.cgi?id=69575

Remy Maucherat changed:

What       | Removed | Added
Resolution | ---     | FIXED
Status     | NEW     | RESOLVED

--- Comment #1 from Remy Maucherat ---

This will be fixed in 11.0.5, 10.1.37 and 9.0.101.

-- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 9.0.x updated: Fix copy/paste error in Javadoc
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new e8ae34b9fa Fix copy/paste error in Javadoc e8ae34b9fa is described below commit e8ae34b9fa49e31b04a5ae8720851273059ff753 Author: Mark Thomas AuthorDate: Wed Feb 19 10:46:56 2025 + Fix copy/paste error in Javadoc --- java/org/apache/catalina/realm/JNDIRealm.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index c5870dcc97..c825511eec 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -2385,7 +2385,7 @@ public class JNDIRealm extends RealmBase { /** - * Get the principal associated with the specified certificate. + * Get the principal associated with the specified user name. * * @param connectionThe directory context * @param username The user name - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 10.1.x updated: Fix copy/paste error in Javadoc
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new 210a0d552e Fix copy/paste error in Javadoc 210a0d552e is described below commit 210a0d552e63f4a26fe02cde41b9c322bb3a712b Author: Mark Thomas AuthorDate: Wed Feb 19 10:46:56 2025 + Fix copy/paste error in Javadoc --- java/org/apache/catalina/realm/JNDIRealm.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index 7ef034b769..ed88ba1c48 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -2384,7 +2384,7 @@ public class JNDIRealm extends RealmBase { /** - * Get the principal associated with the specified certificate. + * Get the principal associated with the specified user name. * * @param connectionThe directory context * @param username The user name - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 11.0.x updated: Fix copy/paste error in Javadoc
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/11.0.x by this push: new d40c587727 Fix copy/paste error in Javadoc d40c587727 is described below commit d40c5877277402cf9ccbe7069453417ed5583cf0 Author: Mark Thomas AuthorDate: Wed Feb 19 10:46:56 2025 + Fix copy/paste error in Javadoc --- java/org/apache/catalina/realm/JNDIRealm.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index 20145b6eda..ac61f7730d 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -2381,7 +2381,7 @@ public class JNDIRealm extends RealmBase { /** - * Get the principal associated with the specified certificate. + * Get the principal associated with the specified user name. * * @param connectionThe directory context * @param username The user name - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 69575] org.apache.coyote.CompressionConfig doesn't recognize "zstd" compression
https://bz.apache.org/bugzilla/show_bug.cgi?id=69575

--- Comment #2 from Todor Bonchev ---

The fix: https://github.com/apache/tomcat/commit/01139482700c1a850bec9d5efea93a778615b211 will cover zstd, compress and deflate, but to make it future proof you should check on line 291 whether an encoding is already applied and append gzip with ", gzip" if the value of content-encoding is not empty: https://github.com/apache/tomcat/blob/main/java/org/apache/coyote/CompressionConfig.java#L291

Thanks,
(tomcat) branch main updated (0113948270 -> 3f7bb7fa19)
This is an automated email from the ASF dual-hosted git repository. markt pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git from 0113948270 69575: Avoid using compression if a response is already compressed add 3f7bb7fa19 Fix copy/paste error in Javadoc No new revisions were added by this update. Summary of changes: java/org/apache/catalina/realm/JNDIRealm.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 69530] Major different between 10.1.31 and 10.1.34 (class file doLock Method)
https://bz.apache.org/bugzilla/show_bug.cgi?id=69530

--- Comment #7 from Remy Maucherat ---

Without additional information, this issue will be resolved as invalid. Testing 10.1.36 could be worthwhile as the request body processing code was refined.
Re: [PR] SpnegoAuthenticator allows wrong calls to login/logout methods [tomcat]
michael-o commented on PR #819: URL: https://github.com/apache/tomcat/pull/819#issuecomment-2668513322

> I think the current support for `logout()` can stay. I don't see a reason to change it.
>
> I think the issue with `login()` is slightly different. The `JNDIRealm` attempts to switch between SPNEGO/kerberos and username/password based on which `Realm.authenticate(...)` call is made. Generally it makes the right choice but the test case provided with this PR highlights a case where it doesn't.
>
> If the `JNDIRealm` is hard-coded to use GSSAPI via `authentication="GSSAPI"` then it always uses that even if the additional environment properties for user/password authentication are set.
>
> I see two ways to fix this.
>
> 1. If user/password auth is attempted when `authentication="GSSAPI"` is set then always fail the authentication. Note that this approach would prevent this use case.
>
> 2. If user/password auth is attempted when `authentication="GSSAPI"` then remove the environment properties that configured GSSAPI, perform user/password authentication and then restore the GSSAPI environment properties. We already do the inverse when performing SPNEGO authentication.
>
> I'm going to look into the feasibility of option 2.

It is not that easy and I do not agree with that. Here are cases which will not work:

* SPNEGO is performed, but access through LDAP uses a service account to perform a simple or SASL bind. Hence, no delegated credential is used.
* User comes from one realm, but domain controller is in another realm. While Kerberos perfectly supports cross-realm authentication, neither a simple bind nor a non-GSSAPI SASL bind will work.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [PR] SpnegoAuthenticator allows wrong calls to login/logout methods [tomcat]
natalia-s-ivanova commented on PR #819: URL: https://github.com/apache/tomcat/pull/819#issuecomment-2668518211

> 2. If user/password auth is attempted when `authentication="GSSAPI"` then remove the environment properties that configured GSSAPI, perform user/password authentication and then restore the GSSAPI environment properties. We already do the inverse when performing SPNEGO authentication.

We also had a similar quick fix for this kind of application; still not sure that this kind of fix should be in the general code:

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import org.apache.catalina.realm.JNDIRealm;

public class MixedSpnegoLdapJNDIRealm extends JNDIRealm {

    @Override
    protected boolean checkCredentials(DirContext context, User user, String credentials)
            throws NamingException {
        boolean validated;
        if (userPassword == null) {
            // No password attribute configured: validate by binding as the user. The context
            // was opened with SECURITY_AUTHENTICATION=GSSAPI, so drop that setting for the
            // bind and restore it afterwards, whether the bind succeeded, failed or threw.
            Hashtable<?, ?> preservedEnvironment = context.getEnvironment();
            Object preservedAuthentication = preservedEnvironment.get(Context.SECURITY_AUTHENTICATION);
            context.removeFromEnvironment(Context.SECURITY_AUTHENTICATION);
            try {
                validated = bindAsUser(context, user, credentials);
            } finally {
                if (preservedAuthentication != null) {
                    context.addToEnvironment(Context.SECURITY_AUTHENTICATION, preservedAuthentication);
                }
            }
        } else {
            // Password attribute configured: compare the supplied credentials against it.
            validated = compareCredentials(context, user, credentials);
        }
        return validated;
    }
}
```
Re: [PR] SpnegoAuthenticator allows wrong calls to login/logout methods [tomcat]
markt-asf commented on PR #819: URL: https://github.com/apache/tomcat/pull/819#issuecomment-2668483655

I think the current support for `logout()` can stay. I don't see a reason to change it.

I think the issue with `login()` is slightly different. The `JNDIRealm` attempts to switch between SPNEGO/kerberos and username/password based on which `Realm.authenticate(...)` call is made. Generally it makes the right choice but the test case provided with this PR highlights a case where it doesn't.

If the `JNDIRealm` is hard-coded to use GSSAPI via `authentication="GSSAPI"` then it always uses that even if the additional environment properties for user/password authentication are set.

I see two ways to fix this.

1. If user/password auth is attempted when `authentication="GSSAPI"` is set then always fail the authentication. Note that this approach would prevent this use case.

2. If user/password auth is attempted when `authentication="GSSAPI"` then remove the environment properties that configured GSSAPI, perform user/password authentication and then restore the GSSAPI environment properties. We already do the inverse when performing SPNEGO authentication.

I'm going to look into the feasibility of option 2.
Re: [PR] SpnegoAuthenticator allows wrong calls to login/logout methods [tomcat]
markt-asf commented on PR #819: URL: https://github.com/apache/tomcat/pull/819#issuecomment-2668831744

> It is not that easy and I do not agree with that. Here are cases which will not work:

As the OP has indicated, they are already using a solution along these lines and it works for them.

> * SPNEGO is performed, but access through LDAP uses a service account to perform a simple or SASL bind. Hence, no delegated credential is used.

This works already. If the delegated credential is presented, it will be used.

> * User comes from one realm, but domain controller is in another realm. While Kerberos perfectly supports cross-realm authentication, neither a simple bind nor a non-GSSAPI SASL bind will work.

Then it doesn't work. Things are no worse than they are now.

> Yet another problem is that you degrade from a strong authentication method to a weaker one.

That is the application developer's choice to do that. This happens already if `authentication="GSSAPI"` is not set. We can add a note to the docs to clarify how this is handled.
Re: [PR] SpnegoAuthenticator allows wrong calls to login/logout methods [tomcat]
michael-o commented on PR #819: URL: https://github.com/apache/tomcat/pull/819#issuecomment-2668906926

> > It is not that easy and I do not agree with that. Here are cases which will not work:
>
> As the OP has indicated, they are already using a solution along these lines and it works for them.
>
> > * SPNEGO is performed, but access through LDAP uses a service account to perform a simple or SASL bind. Hence, no delegated credential is used.
>
> This works already. If the delegated credential is presented, it will be used.

No, you misunderstood what I have written. You cannot expect the bind to use Kerberos at all.
Re: [PR] SpnegoAuthenticator allows wrong calls to login/logout methods [tomcat]
markt-asf commented on PR #819: URL: https://github.com/apache/tomcat/pull/819#issuecomment-2668964117

I don't expect the bind to use kerberos, I am debugging my way through the code and seeing kerberos being used.
(tomcat) branch 10.1.x updated: Improve docs for useDelegatedCredential
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new a6c40b8765 Improve docs for useDelegatedCredential a6c40b8765 is described below commit a6c40b876577918b88afd3900931b83fc0dc3f40 Author: Mark Thomas AuthorDate: Wed Feb 19 16:25:27 2025 + Improve docs for useDelegatedCredential --- webapps/docs/config/realm.xml | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/webapps/docs/config/realm.xml b/webapps/docs/config/realm.xml index ae77d04614..6d5f10261c 100644 --- a/webapps/docs/config/realm.xml +++ b/webapps/docs/config/realm.xml @@ -519,8 +519,12 @@ When the JNDIRealm is used with the SPNEGO authenticator, delegated credentials for the user may be available. If such credentials are present, this attribute controls whether or not they are used to -connect to the directory. If not specified, the default value of -true is used. +connect to the directory. If delegated credentials are present but not +used because this attribute is false, the behaviour will be +as described in roleSearchAsUser, userPattern +and userSearchAsUser when delegated credentials are not +used. If not specified, the default value of true is +used. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 11.0.x updated: Improve docs for useDelegatedCredential
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/11.0.x by this push: new 9625583ab6 Improve docs for useDelegatedCredential 9625583ab6 is described below commit 9625583ab69771a5b11f9bbbaa43385e73394093 Author: Mark Thomas AuthorDate: Wed Feb 19 16:25:27 2025 + Improve docs for useDelegatedCredential --- webapps/docs/config/realm.xml | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/webapps/docs/config/realm.xml b/webapps/docs/config/realm.xml index 2d559008eb..1544c04b5a 100644 --- a/webapps/docs/config/realm.xml +++ b/webapps/docs/config/realm.xml @@ -519,8 +519,12 @@ When the JNDIRealm is used with the SPNEGO authenticator, delegated credentials for the user may be available. If such credentials are present, this attribute controls whether or not they are used to -connect to the directory. If not specified, the default value of -true is used. +connect to the directory. If delegated credentials are present but not +used because this attribute is false, the behaviour will be +as described in roleSearchAsUser, userPattern +and userSearchAsUser when delegated credentials are not +used. If not specified, the default value of true is +used. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch main updated (5708495734 -> 11056e8d52)
This is an automated email from the ASF dual-hosted git repository. markt pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git from 5708495734 Move constant to start of class add 11056e8d52 Improve docs for useDelegatedCredential No new revisions were added by this update. Summary of changes: webapps/docs/config/realm.xml | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 10.1.x updated: Use a constant for GSSAPI authentication name
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new 32082b6712 Use a constant for GSSAPI authentication name 32082b6712 is described below commit 32082b6712ef304bb17685d9b9a3dcc8f5e83248 Author: Mark Thomas AuthorDate: Wed Feb 19 16:31:41 2025 + Use a constant for GSSAPI authentication name --- java/org/apache/catalina/realm/JNDIRealm.java | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index b45e160231..600f151f31 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -151,6 +151,9 @@ public class JNDIRealm extends RealmBase { */ public static final String DEREF_ALIASES = "java.naming.ldap.derefAliases"; +private static final String AUTHENTICATION_NAME_GSSAPI = "GSSAPI"; + + /** * The type of authentication to use */ @@ -2405,7 +2408,7 @@ public class JNDIRealm extends RealmBase { // Preserve the current context environment parameters preservedEnvironment = context.getEnvironment(); // Set up context -context.addToEnvironment(Context.SECURITY_AUTHENTICATION, "GSSAPI"); +context.addToEnvironment(Context.SECURITY_AUTHENTICATION, AUTHENTICATION_NAME_GSSAPI); context.addToEnvironment("javax.security.sasl.server.authentication", "true"); context.addToEnvironment("javax.security.sasl.qop", spnegoDelegationQop); // Note: Subject already set in SPNEGO authenticator so no need - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
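Review bot: in the first hunk the new `private static final String AUTHENTICATION_NAME_GSSAPI = "GSSAPI";` is followed by two added blank lines before the Javadoc of the next field, where a single blank line is the pattern in this block; it is also the only constant here without a comment, so a one-liner saying it is the `Context.SECURITY_AUTHENTICATION` value that selects SASL/GSSAPI would help. The second hunk's `context.addToEnvironment(Context.SECURITY_AUTHENTICATION, AUTHENTICATION_NAME_GSSAPI)` is fine; if the class compares the configured `authentication` attribute against the same literal anywhere else, that comparison should use this constant too so the two cannot drift apart.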
(tomcat) branch main updated (11056e8d52 -> 2e0542a0d1)
This is an automated email from the ASF dual-hosted git repository. markt pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git from 11056e8d52 Improve docs for useDelegatedCredential add 2e0542a0d1 Use a constant for GSSAPI authentication name No new revisions were added by this update. Summary of changes: java/org/apache/catalina/realm/JNDIRealm.java | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 11.0.x updated: Use a constant for GSSAPI authentication name
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/11.0.x by this push: new e2586cbc62 Use a constant for GSSAPI authentication name e2586cbc62 is described below commit e2586cbc62fd06b5dae21d84e934e5801912f5b8 Author: Mark Thomas AuthorDate: Wed Feb 19 16:31:41 2025 + Use a constant for GSSAPI authentication name --- java/org/apache/catalina/realm/JNDIRealm.java | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index bd3711b13b..a41d74f613 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -153,6 +153,9 @@ public class JNDIRealm extends RealmBase { */ public static final String DEREF_ALIASES = "java.naming.ldap.derefAliases"; +private static final String AUTHENTICATION_NAME_GSSAPI = "GSSAPI"; + + /** * The type of authentication to use */ @@ -2402,7 +2405,7 @@ public class JNDIRealm extends RealmBase { // Preserve the current context environment parameters preservedEnvironment = context.getEnvironment(); // Set up context -context.addToEnvironment(Context.SECURITY_AUTHENTICATION, "GSSAPI"); +context.addToEnvironment(Context.SECURITY_AUTHENTICATION, AUTHENTICATION_NAME_GSSAPI); context.addToEnvironment("javax.security.sasl.server.authentication", "true"); context.addToEnvironment("javax.security.sasl.qop", spnegoDelegationQop); // Note: Subject already set in SPNEGO authenticator so no need - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch main updated: Move constant to start of class
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 5708495734 Move constant to start of class 5708495734 is described below commit 57084957341b266d6e68945e2ddc95700953d27b Author: Mark Thomas AuthorDate: Wed Feb 19 16:21:50 2025 + Move constant to start of class --- java/org/apache/catalina/realm/JNDIRealm.java | 12 +--- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index ac61f7730d..bd3711b13b 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -147,7 +147,11 @@ import org.ietf.jgss.GSSName; */ public class JNDIRealm extends RealmBase { -// - Instance Variables +/** + * Constant that holds the name of the environment property for specifying the manner in which aliases should be + * dereferenced. + */ +public static final String DEREF_ALIASES = "java.naming.ldap.derefAliases"; /** * The type of authentication to use @@ -180,12 +184,6 @@ public class JNDIRealm extends RealmBase { */ protected String derefAliases = null; -/** - * Constant that holds the name of the environment property for specifying the manner in which aliases should be - * dereferenced. - */ -public static final String DEREF_ALIASES = "java.naming.ldap.derefAliases"; - /** * The protocol that will be used in the communication with the directory server. */ - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
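Review bot: the first hunk replaces the `// - Instance Variables` section marker with the relocated `DEREF_ALIASES` constant, so the fields that follow (the authentication type, `derefAliases`, the protocol field) lose their section heading and the constant sits under no section of its own; keep the marker after the constant, i.e. the `public static final String DEREF_ALIASES = "java.naming.ldap.derefAliases";` line, a blank line, then `// - Instance Variables`. The move itself is behaviour-neutral: the constant keeps its `public static final` visibility, name and value, so existing references and compile-time inlined uses are unaffected.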
[Bug 69575] org.apache.coyote.CompressionConfig doesn't recognize "zstd" compression
https://bz.apache.org/bugzilla/show_bug.cgi?id=69575

--- Comment #4 from Christopher Schultz ---

I'm happy to add this capability, but it's not immediately clear to me how to get all of the current Content-Encoding header values. Would I actually have to loop through all headers, assembling as I go? Are there examples of that in other places?
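Added example for the two approaches discussed in comments #2 and #4 above; it is not Tomcat's code nor from the bug thread. It walks every Content-Encoding value a response already carries (several header lines, each possibly comma-separated) and then either refuses to gzip an already-encoded body, as the fix does, or appends gzip to the existing list, as comment #2 suggests. It works on a plain list of header strings constructed inline; in Tomcat those values would be read from the response's Content-Encoding header(s).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

/*
 * Added example, not Tomcat code. Models the Content-Encoding handling discussed
 * for bug 69575 on plain lists of header values (constructed in main below); in
 * Tomcat the values would come from the response's Content-Encoding header(s).
 */
public final class ContentEncodingCheck {

    private ContentEncodingCheck() {
    }

    /**
     * Collects every coding already applied to the response. A response may carry
     * several Content-Encoding header lines and each may hold a comma-separated
     * list, so all of them are walked and assembled. "identity" means no
     * transformation and is dropped. Order is preserved: it is the order a client
     * has to reverse when decoding.
     */
    static List<String> appliedCodings(List<String> contentEncodingValues) {
        List<String> codings = new ArrayList<>();
        for (String headerValue : contentEncodingValues) {
            if (headerValue == null) {
                continue;
            }
            for (String token : headerValue.split(",")) {
                String coding = token.trim().toLowerCase(Locale.ENGLISH);
                if (!coding.isEmpty() && !"identity".equals(coding)) {
                    codings.add(coding);
                }
            }
        }
        return codings;
    }

    /**
     * The approach the fix takes: gzip only a body that carries no content coding
     * yet, whatever that coding is (zstd, br, compress, deflate, ...). Compressing
     * an already compressed body costs CPU for no gain and, if the header were then
     * overwritten with just "gzip", would leave the client with inner zstd bytes it
     * does not know it has to decode.
     */
    static boolean shouldGzip(List<String> contentEncodingValues) {
        return appliedCodings(contentEncodingValues).isEmpty();
    }

    /**
     * The alternative raised in the thread: keep the existing codings and append
     * gzip, yielding one header value that lists both layers in application order.
     * Returns null when gzip is already present, since applying it twice is wrong.
     */
    static String headerValueWithGzipAppended(List<String> contentEncodingValues) {
        List<String> codings = appliedCodings(contentEncodingValues);
        if (codings.contains("gzip")) {
            return null;
        }
        if (codings.isEmpty()) {
            return "gzip";
        }
        return String.join(", ", codings) + ", gzip";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one zstd header, two header lines, none at all.
        List<String> zstd = Collections.singletonList("zstd");
        List<String> twoLines = Arrays.asList("br", " identity ");
        List<String> none = Collections.emptyList();
        System.out.println("gzip allowed after zstd: " + shouldGzip(zstd));
        System.out.println("gzip allowed with no coding: " + shouldGzip(none));
        System.out.println("appended header (br + identity): " + headerValueWithGzipAppended(twoLines));
        System.out.println("appended header (zstd): " + headerValueWithGzipAppended(zstd));
    }
}
```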
(tomcat) branch 9.0.x updated: Improve docs for useDelegatedCredential
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new cc58f50880 Improve docs for useDelegatedCredential cc58f50880 is described below commit cc58f50880b90ba7cf4440e0c5576500c9fd21d0 Author: Mark Thomas AuthorDate: Wed Feb 19 16:25:27 2025 + Improve docs for useDelegatedCredential --- webapps/docs/config/realm.xml | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/webapps/docs/config/realm.xml b/webapps/docs/config/realm.xml index 8db7609703..a9dc10bb43 100644 --- a/webapps/docs/config/realm.xml +++ b/webapps/docs/config/realm.xml @@ -519,8 +519,12 @@ When the JNDIRealm is used with the SPNEGO authenticator, delegated credentials for the user may be available. If such credentials are present, this attribute controls whether or not they are used to -connect to the directory. If not specified, the default value of -true is used. +connect to the directory. If delegated credentials are present but not +used because this attribute is false, the behaviour will be +as described in roleSearchAsUser, userPattern +and userSearchAsUser when delegated credentials are not +used. If not specified, the default value of true is +used. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 11.0.x updated: Move constant to start of class
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/11.0.x by this push: new c037d2148d Move constant to start of class c037d2148d is described below commit c037d2148d40d82c2fd13e970c1a530b65718c3e Author: Mark Thomas AuthorDate: Wed Feb 19 16:21:50 2025 + Move constant to start of class --- java/org/apache/catalina/realm/JNDIRealm.java | 12 +--- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index ac61f7730d..bd3711b13b 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -147,7 +147,11 @@ import org.ietf.jgss.GSSName; */ public class JNDIRealm extends RealmBase { -// - Instance Variables +/** + * Constant that holds the name of the environment property for specifying the manner in which aliases should be + * dereferenced. + */ +public static final String DEREF_ALIASES = "java.naming.ldap.derefAliases"; /** * The type of authentication to use @@ -180,12 +184,6 @@ public class JNDIRealm extends RealmBase { */ protected String derefAliases = null; -/** - * Constant that holds the name of the environment property for specifying the manner in which aliases should be - * dereferenced. - */ -public static final String DEREF_ALIASES = "java.naming.ldap.derefAliases"; - /** * The protocol that will be used in the communication with the directory server. */ - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 10.1.x updated: Move constant to start of class
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new 79509006d6 Move constant to start of class 79509006d6 is described below commit 79509006d6c870fef2b168cc3dbcc86da5d90d38 Author: Mark Thomas AuthorDate: Wed Feb 19 16:21:50 2025 + Move constant to start of class --- java/org/apache/catalina/realm/JNDIRealm.java | 12 +--- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index ed88ba1c48..b45e160231 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -145,7 +145,11 @@ import org.ietf.jgss.GSSName; */ public class JNDIRealm extends RealmBase { -// - Instance Variables +/** + * Constant that holds the name of the environment property for specifying the manner in which aliases should be + * dereferenced. + */ +public static final String DEREF_ALIASES = "java.naming.ldap.derefAliases"; /** * The type of authentication to use @@ -178,12 +182,6 @@ public class JNDIRealm extends RealmBase { */ protected String derefAliases = null; -/** - * Constant that holds the name of the environment property for specifying the manner in which aliases should be - * dereferenced. - */ -public static final String DEREF_ALIASES = "java.naming.ldap.derefAliases"; - /** * The protocol that will be used in the communication with the directory server. */ - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 9.0.x updated: Move constant to start of class
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 603aa2eb24 Move constant to start of class 603aa2eb24 is described below commit 603aa2eb24b2b7b3d1644d45ceb48541e1da9673 Author: Mark Thomas AuthorDate: Wed Feb 19 16:21:50 2025 + Move constant to start of class --- java/org/apache/catalina/realm/JNDIRealm.java | 12 +--- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index c825511eec..8362291791 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -145,7 +145,11 @@ import org.ietf.jgss.GSSName; */ public class JNDIRealm extends RealmBase { -// - Instance Variables +/** + * Constant that holds the name of the environment property for specifying the manner in which aliases should be + * dereferenced. + */ +public static final String DEREF_ALIASES = "java.naming.ldap.derefAliases"; /** * The type of authentication to use @@ -178,12 +182,6 @@ public class JNDIRealm extends RealmBase { */ protected String derefAliases = null; -/** - * Constant that holds the name of the environment property for specifying the manner in which aliases should be - * dereferenced. - */ -public static final String DEREF_ALIASES = "java.naming.ldap.derefAliases"; - /** * The protocol that will be used in the communication with the directory server. */ - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
(tomcat) branch 9.0.x updated: Use a constant for GSSAPI authentication name
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 85e322aa5a Use a constant for GSSAPI authentication name 85e322aa5a is described below commit 85e322aa5a315395138b1798a6dd2fc30ea90a49 Author: Mark Thomas AuthorDate: Wed Feb 19 16:31:41 2025 + Use a constant for GSSAPI authentication name --- java/org/apache/catalina/realm/JNDIRealm.java | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index 8362291791..2a7f52f687 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -151,6 +151,9 @@ public class JNDIRealm extends RealmBase { */ public static final String DEREF_ALIASES = "java.naming.ldap.derefAliases"; +private static final String AUTHENTICATION_NAME_GSSAPI = "GSSAPI"; + + /** * The type of authentication to use */ @@ -2406,7 +2409,7 @@ public class JNDIRealm extends RealmBase { // Preserve the current context environment parameters preservedEnvironment = context.getEnvironment(); // Set up context -context.addToEnvironment(Context.SECURITY_AUTHENTICATION, "GSSAPI"); +context.addToEnvironment(Context.SECURITY_AUTHENTICATION, AUTHENTICATION_NAME_GSSAPI); context.addToEnvironment("javax.security.sasl.server.authentication", "true"); context.addToEnvironment("javax.security.sasl.qop", spnegoDelegationQop); // Note: Subject already set in SPNEGO authenticator so no need - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
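Review bot: `AUTHENTICATION_NAME_GSSAPI` is introduced without a Javadoc comment, unlike the `DEREF_ALIASES` constant immediately above it, and is followed by two blank lines where the rest of the class uses one; a one-line comment stating that this is the SASL mechanism name passed in `Context.SECURITY_AUTHENTICATION` would make the later comparison against it self-explanatory. Replacing the literal in the SPNEGO delegation block is a straight refactor; it is the only `"GSSAPI"` literal visible in this diff, so confirm no other occurrence remains elsewhere in the class.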
(tomcat) branch 10.1.x updated: Ensure user credentials are removed when no longer required
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new 34c94915e5 Ensure user credentials are removed when no longer required 34c94915e5 is described below commit 34c94915e56ef6def169fd4abb9a213c9c8810f7 Author: Mark Thomas AuthorDate: Wed Feb 19 16:38:24 2025 + Ensure user credentials are removed when no longer required --- java/org/apache/catalina/realm/JNDIRealm.java | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index 600f151f31..4266aa6ac5 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1837,11 +1837,11 @@ public class JNDIRealm extends RealmBase { containerLog.trace(" validating credentials by binding as the user"); } -userCredentialsAdd(context, dn, credentials); - -// Elicit an LDAP bind operation boolean validated = false; + +// Elicit an LDAP bind operation using the provided user credentials try { +userCredentialsAdd(context, dn, credentials); if (containerLog.isTraceEnabled()) { containerLog.trace(" binding as " + dn); } @@ -1851,10 +1851,10 @@ public class JNDIRealm extends RealmBase { if (containerLog.isTraceEnabled()) { containerLog.trace(" bind attempt failed"); } +} finally { +userCredentialsRemove(context); } -userCredentialsRemove(context); - return validated; } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
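Review bot: moving `userCredentialsAdd` inside the `try` and `userCredentialsRemove` into `finally` closes a real gap: before this change, any exception escaping the bind that was not caught by the catch block whose "bind attempt failed" trace is visible here (a provider `RuntimeException`, for instance) returned with the user's DN and password still set in the shared context environment, where the next operation on that connection would reuse them. Two follow-ups: `userCredentialsRemove` now also runs when `userCredentialsAdd` itself threw part-way, so confirm it tolerates environment entries that were never set; and since this changes what happens on a failed bind it deserves a changelog.xml entry, which this commit does not add.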
(tomcat) branch main updated: Ensure user credentials are removed when no longer required
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 66372303a7 Ensure user credentials are removed when no longer required 66372303a7 is described below commit 66372303a772edb15eebab8ab766cc3d059af032 Author: Mark Thomas AuthorDate: Wed Feb 19 16:38:24 2025 + Ensure user credentials are removed when no longer required --- java/org/apache/catalina/realm/JNDIRealm.java | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index a41d74f613..8bb9868a4d 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1839,11 +1839,11 @@ public class JNDIRealm extends RealmBase { containerLog.trace(" validating credentials by binding as the user"); } -userCredentialsAdd(context, dn, credentials); - -// Elicit an LDAP bind operation boolean validated = false; + +// Elicit an LDAP bind operation using the provided user credentials try { +userCredentialsAdd(context, dn, credentials); if (containerLog.isTraceEnabled()) { containerLog.trace(" binding as " + dn); } @@ -1853,10 +1853,10 @@ public class JNDIRealm extends RealmBase { if (containerLog.isTraceEnabled()) { containerLog.trace(" bind attempt failed"); } +} finally { +userCredentialsRemove(context); } -userCredentialsRemove(context); - return validated; } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
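Review bot: identical to the 10.1.x commit (same hunk, only line offsets differ). As there, confirm `userCredentialsRemove` copes with a partially applied `userCredentialsAdd`, and add a changelog.xml entry since the behaviour on an unexpected exception during the bind changes from "credentials left in the context environment" to "credentials always removed".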
(tomcat) branch 11.0.x updated: Ensure user credentials are removed when no longer required
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/11.0.x by this push: new ac3208e4b1 Ensure user credentials are removed when no longer required ac3208e4b1 is described below commit ac3208e4b195e55e9a5086f908d8d15abcea6e94 Author: Mark Thomas AuthorDate: Wed Feb 19 16:38:24 2025 + Ensure user credentials are removed when no longer required --- java/org/apache/catalina/realm/JNDIRealm.java | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index a41d74f613..8bb9868a4d 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1839,11 +1839,11 @@ public class JNDIRealm extends RealmBase { containerLog.trace(" validating credentials by binding as the user"); } -userCredentialsAdd(context, dn, credentials); - -// Elicit an LDAP bind operation boolean validated = false; + +// Elicit an LDAP bind operation using the provided user credentials try { +userCredentialsAdd(context, dn, credentials); if (containerLog.isTraceEnabled()) { containerLog.trace(" binding as " + dn); } @@ -1853,10 +1853,10 @@ public class JNDIRealm extends RealmBase { if (containerLog.isTraceEnabled()) { containerLog.trace(" bind attempt failed"); } +} finally { +userCredentialsRemove(context); } -userCredentialsRemove(context); - return validated; } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
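Review bot: identical to the main and 10.1.x commits. Same two points: `userCredentialsRemove` in `finally` must tolerate a `userCredentialsAdd` that threw before setting both entries, and the changed failure path warrants a changelog.xml entry this commit does not include.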
(tomcat) branch 9.0.x updated: Ensure user credentials are removed when no longer required
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new bdd8318130 Ensure user credentials are removed when no longer required bdd8318130 is described below commit bdd83181305346f17b1db0bacfa6b114ed3ec290 Author: Mark Thomas AuthorDate: Wed Feb 19 16:38:24 2025 + Ensure user credentials are removed when no longer required --- java/org/apache/catalina/realm/JNDIRealm.java | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index 2a7f52f687..18e723c6aa 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1837,11 +1837,11 @@ public class JNDIRealm extends RealmBase { containerLog.trace(" validating credentials by binding as the user"); } -userCredentialsAdd(context, dn, credentials); - -// Elicit an LDAP bind operation boolean validated = false; + +// Elicit an LDAP bind operation using the provided user credentials try { +userCredentialsAdd(context, dn, credentials); if (containerLog.isTraceEnabled()) { containerLog.trace(" binding as " + dn); } @@ -1851,10 +1851,10 @@ public class JNDIRealm extends RealmBase { if (containerLog.isTraceEnabled()) { containerLog.trace(" bind attempt failed"); } +} finally { +userCredentialsRemove(context); } -userCredentialsRemove(context); - return validated; } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
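Review bot: identical to the other branches. Same two points: `userCredentialsRemove` now runs even when `userCredentialsAdd` threw part-way, so it must tolerate absent entries, and the changed failure path (credentials no longer linger in the context environment after an unexpected exception) warrants a changelog.xml entry.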
(tomcat) branch main updated: Fix credential validation when JNDIRealm is configured to use GSSAPI
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 99e3403b0d Fix credential validation when JNDIRealm is configured to use GSSAPI 99e3403b0d is described below commit 99e3403b0dc814d4a8a13268e98073d585e9c129 Author: Mark Thomas AuthorDate: Wed Feb 19 17:11:47 2025 + Fix credential validation when JNDIRealm is configured to use GSSAPI Enable the validation of credentials provided to HttpServletRequest.login(String username, String password) --- java/org/apache/catalina/realm/JNDIRealm.java | 7 +++ webapps/docs/changelog.xml| 5 + webapps/docs/config/realm.xml | 11 --- 3 files changed, 20 insertions(+), 3 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index 8bb9868a4d..c6d41b9e95 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1840,10 +1840,15 @@ public class JNDIRealm extends RealmBase { } boolean validated = false; +Hashtable preservedEnvironment = context.getEnvironment(); // Elicit an LDAP bind operation using the provided user credentials try { userCredentialsAdd(context, dn, credentials); +// Need to make sure GSSAPI SASL authentication is not used if configured +if (AUTHENTICATION_NAME_GSSAPI.equals(preservedEnvironment.get(Context.SECURITY_AUTHENTICATION))) { +context.removeFromEnvironment(Context.SECURITY_AUTHENTICATION); +} if (containerLog.isTraceEnabled()) { containerLog.trace(" binding as " + dn); } @@ -1854,6 +1859,8 @@ public class JNDIRealm extends RealmBase { containerLog.trace(" bind attempt failed"); } } finally { +// Restore GSSAPI SASL if previously configured +restoreEnvironmentParameter(context, Context.SECURITY_AUTHENTICATION, preservedEnvironment); userCredentialsRemove(context); } 
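Review bot: the fallback is keyed on an exact `equals` against `"GSSAPI"`, but `Context.SECURITY_AUTHENTICATION` accepts a space-separated list of SASL mechanism names, so a realm configured with `authentication="GSSAPI DIGEST-MD5"` will not take this path and the bind-as-user will still fail exactly as before the fix; either tokenise the value and check for the GSSAPI mechanism or document that only the bare value `GSSAPI` is recognised. The remove-then-restore around `preservedEnvironment` follows the pattern already used in the SPNEGO delegation block, and capturing the environment before `userCredentialsAdd` is the right order. One consequence worth spelling out in the commit message: with `SECURITY_AUTHENTICATION` removed and a principal and credentials set, the LDAP provider performs a simple bind, so the user's password is sent in clear on this path unless the connection uses ldaps or StartTLS.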
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index e4348106aa..be1b259ff8 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -154,6 +154,11 @@ Improve the mechanism for detecting whether a web application has been deployed to a case sensitive or a case insensitive file system. (markt) + +Enable the JNDIRealm to validate credentials provided to +HttpServletRequest.login(String username, String password) +when the realm is configured to use GSSAPI authentication. (markt) + diff --git a/webapps/docs/config/realm.xml b/webapps/docs/config/realm.xml index 860881fd7f..b5d5370cc2 100644 --- a/webapps/docs/config/realm.xml +++ b/webapps/docs/config/realm.xml @@ -278,9 +278,14 @@ -A string specifying the type of authentication to use. -"none", "simple", "strong" or a provider specific definition -can be used. If no value is given the providers default is used. +A string specifying the type of authentication to use. "none", +"simple", "strong" or a provider specific definition can be used. If the +provider specific mechanism "GSSAPI" is specified and supported by the +provider, there are some circumstances, such as handling calls to +HttpServletRequest.login(String username, String password), +where "GSSAPI" will not be used and the user will be +authenticated as described in userPassword. If no value is +given, the providers default is used. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
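Review bot: the new realm.xml sentence says the user "will be authenticated as described in userPassword" without saying what that means on the wire: when `userPassword` is not set, the realm binds with the user's own password, which is a simple bind once GSSAPI has been dropped for the `login(username, password)` call, so administrators who chose GSSAPI precisely to keep passwords off the wire should be told to use an ldaps `connectionURL` or StartTLS. The changelog entry should also reference the report that prompted it; PR #819 ("SpnegoAuthenticator allows wrong calls to login/logout methods", discussed later in this digest) is the obvious candidate. Minor, but this hunk rewrites the sentence anyway: "the providers default is used" should read "the provider's default is used".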
(tomcat) branch 10.1.x updated: Fix credential validation when JNDIRealm is configured to use GSSAPI
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new 0cd21c0393 Fix credential validation when JNDIRealm is configured to use GSSAPI 0cd21c0393 is described below commit 0cd21c0393b8811af22daddbba7b4e7328e2d79e Author: Mark Thomas AuthorDate: Wed Feb 19 17:11:47 2025 + Fix credential validation when JNDIRealm is configured to use GSSAPI Enable the validation of credentials provided to HttpServletRequest.login(String username, String password) --- java/org/apache/catalina/realm/JNDIRealm.java | 7 +++ webapps/docs/changelog.xml| 5 + webapps/docs/config/realm.xml | 11 --- 3 files changed, 20 insertions(+), 3 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index 4266aa6ac5..fa40238c87 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1838,10 +1838,15 @@ public class JNDIRealm extends RealmBase { } boolean validated = false; +Hashtable preservedEnvironment = context.getEnvironment(); // Elicit an LDAP bind operation using the provided user credentials try { userCredentialsAdd(context, dn, credentials); +// Need to make sure GSSAPI SASL authentication is not used if configured +if (AUTHENTICATION_NAME_GSSAPI.equals(preservedEnvironment.get(Context.SECURITY_AUTHENTICATION))) { +context.removeFromEnvironment(Context.SECURITY_AUTHENTICATION); +} if (containerLog.isTraceEnabled()) { containerLog.trace(" binding as " + dn); } @@ -1852,6 +1857,8 @@ public class JNDIRealm extends RealmBase { containerLog.trace(" bind attempt failed"); } } finally { +// Restore GSSAPI SASL if previously configured +restoreEnvironmentParameter(context, Context.SECURITY_AUTHENTICATION, preservedEnvironment); userCredentialsRemove(context); } 
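Review bot: same code change as on main. The exact-`equals` check means a space-separated `authentication` value such as `GSSAPI DIGEST-MD5` does not take the fallback path; tokenise the value or document that only the bare value `GSSAPI` is recognised, and note that the fallback is a simple bind that sends the password in clear unless ldaps or StartTLS is in use.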
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index c9920e3a74..78c9b2db78 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -120,6 +120,11 @@ Improve the mechanism for detecting whether a web application has been deployed to a case sensitive or a case insensitive file system. (markt) + +Enable the JNDIRealm to validate credentials provided to +HttpServletRequest.login(String username, String password) +when the realm is configured to use GSSAPI authentication. (markt) + diff --git a/webapps/docs/config/realm.xml b/webapps/docs/config/realm.xml index 6d5f10261c..860c839ece 100644 --- a/webapps/docs/config/realm.xml +++ b/webapps/docs/config/realm.xml @@ -278,9 +278,14 @@ -A string specifying the type of authentication to use. -"none", "simple", "strong" or a provider specific definition -can be used. If no value is given the providers default is used. +A string specifying the type of authentication to use. "none", +"simple", "strong" or a provider specific definition can be used. If the +provider specific mechanism "GSSAPI" is specified and supported by the +provider, there are some circumstances, such as handling calls to +HttpServletRequest.login(String username, String password), +where "GSSAPI" will not be used and the user will be +authenticated as described in userPassword. If no value is +given, the providers default is used. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
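Review bot: as on main, the new realm.xml text should say that this fallback is a simple bind with the user's password (when `userPassword` is not set), i.e. that ldaps or StartTLS is needed to protect it; the changelog entry should reference PR #819; and "providers default" should read "provider's default".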
(tomcat) branch 9.0.x updated: Fix credential validation when JNDIRealm is configured to use GSSAPI
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new c32bbd37ea Fix credential validation when JNDIRealm is configured to use GSSAPI c32bbd37ea is described below commit c32bbd37ea9ee0aaab848af4ee1c9a76e84240ea Author: Mark Thomas AuthorDate: Wed Feb 19 17:11:47 2025 + Fix credential validation when JNDIRealm is configured to use GSSAPI Enable the validation of credentials provided to HttpServletRequest.login(String username, String password) --- java/org/apache/catalina/realm/JNDIRealm.java | 7 +++ webapps/docs/changelog.xml| 5 + webapps/docs/config/realm.xml | 11 --- 3 files changed, 20 insertions(+), 3 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index 18e723c6aa..4a78c9ebc5 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1838,10 +1838,15 @@ public class JNDIRealm extends RealmBase { } boolean validated = false; +Hashtable preservedEnvironment = context.getEnvironment(); // Elicit an LDAP bind operation using the provided user credentials try { userCredentialsAdd(context, dn, credentials); +// Need to make sure GSSAPI SASL authentication is not used if configured +if (AUTHENTICATION_NAME_GSSAPI.equals(preservedEnvironment.get(Context.SECURITY_AUTHENTICATION))) { +context.removeFromEnvironment(Context.SECURITY_AUTHENTICATION); +} if (containerLog.isTraceEnabled()) { containerLog.trace(" binding as " + dn); } @@ -1852,6 +1857,8 @@ public class JNDIRealm extends RealmBase { containerLog.trace(" bind attempt failed"); } } finally { +// Restore GSSAPI SASL if previously configured +restoreEnvironmentParameter(context, Context.SECURITY_AUTHENTICATION, preservedEnvironment); userCredentialsRemove(context); } 
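Review bot: same code change as on main. The exact-`equals` check means a space-separated `authentication` value such as `GSSAPI DIGEST-MD5` does not take the fallback path; tokenise the value or document that only the bare value `GSSAPI` is recognised, and note that the fallback is a simple bind that sends the password in clear unless ldaps or StartTLS is in use.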
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 9a36a8cc2d..71ed6b28ba 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -120,6 +120,11 @@ Improve the mechanism for detecting whether a web application has been deployed to a case sensitive or a case insensitive file system. (markt) + +Enable the JNDIRealm to validate credentials provided to +HttpServletRequest.login(String username, String password) +when the realm is configured to use GSSAPI authentication. (markt) + diff --git a/webapps/docs/config/realm.xml b/webapps/docs/config/realm.xml index a9dc10bb43..fa5a72c9ad 100644 --- a/webapps/docs/config/realm.xml +++ b/webapps/docs/config/realm.xml @@ -278,9 +278,14 @@ -A string specifying the type of authentication to use. -"none", "simple", "strong" or a provider specific definition -can be used. If no value is given the providers default is used. +A string specifying the type of authentication to use. "none", +"simple", "strong" or a provider specific definition can be used. If the +provider specific mechanism "GSSAPI" is specified and supported by the +provider, there are some circumstances, such as handling calls to +HttpServletRequest.login(String username, String password), +where "GSSAPI" will not be used and the user will be +authenticated as described in userPassword. If no value is +given, the providers default is used. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
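Review bot: as on main, the new realm.xml text should say that this fallback is a simple bind with the user's password (when `userPassword` is not set), i.e. that ldaps or StartTLS is needed to protect it; the changelog entry should reference PR #819; and "providers default" should read "provider's default".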
(tomcat) branch 11.0.x updated: Fix credential validation when JNDIRealm is configured to use GSSAPI
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/11.0.x by this push: new fd96ab4156 Fix credential validation when JNDIRealm is configured to use GSSAPI fd96ab4156 is described below commit fd96ab415631eea44636c94f911dd38427070ef9 Author: Mark Thomas AuthorDate: Wed Feb 19 17:11:47 2025 + Fix credential validation when JNDIRealm is configured to use GSSAPI Enable the validation of credentials provided to HttpServletRequest.login(String username, String password) --- java/org/apache/catalina/realm/JNDIRealm.java | 7 +++ webapps/docs/changelog.xml| 5 + webapps/docs/config/realm.xml | 11 --- 3 files changed, 20 insertions(+), 3 deletions(-) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index 8bb9868a4d..c6d41b9e95 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -1840,10 +1840,15 @@ public class JNDIRealm extends RealmBase { } boolean validated = false; +Hashtable preservedEnvironment = context.getEnvironment(); // Elicit an LDAP bind operation using the provided user credentials try { userCredentialsAdd(context, dn, credentials); +// Need to make sure GSSAPI SASL authentication is not used if configured +if (AUTHENTICATION_NAME_GSSAPI.equals(preservedEnvironment.get(Context.SECURITY_AUTHENTICATION))) { +context.removeFromEnvironment(Context.SECURITY_AUTHENTICATION); +} if (containerLog.isTraceEnabled()) { containerLog.trace(" binding as " + dn); } @@ -1854,6 +1859,8 @@ public class JNDIRealm extends RealmBase { containerLog.trace(" bind attempt failed"); } } finally { +// Restore GSSAPI SASL if previously configured +restoreEnvironmentParameter(context, Context.SECURITY_AUTHENTICATION, preservedEnvironment); userCredentialsRemove(context); } 
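Review bot: same code change as on main (identical index a41d74f613..8bb9868a4d base as the 11.0.x credentials commit). The exact-`equals` check means a space-separated `authentication` value such as `GSSAPI DIGEST-MD5` does not take the fallback path; tokenise the value or document that only the bare value `GSSAPI` is recognised, and note that the fallback is a simple bind that sends the password in clear unless ldaps or StartTLS is in use.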
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index f1ce57698b..ca0514f489 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -120,6 +120,11 @@ Improve the mechanism for detecting whether a web application has been deployed to a case sensitive or a case insensitive file system. (markt) + +Enable the JNDIRealm to validate credentials provided to +HttpServletRequest.login(String username, String password) +when the realm is configured to use GSSAPI authentication. (markt) + diff --git a/webapps/docs/config/realm.xml b/webapps/docs/config/realm.xml index 1544c04b5a..cff822904f 100644 --- a/webapps/docs/config/realm.xml +++ b/webapps/docs/config/realm.xml @@ -278,9 +278,14 @@ -A string specifying the type of authentication to use. -"none", "simple", "strong" or a provider specific definition -can be used. If no value is given the providers default is used. +A string specifying the type of authentication to use. "none", +"simple", "strong" or a provider specific definition can be used. If the +provider specific mechanism "GSSAPI" is specified and supported by the +provider, there are some circumstances, such as handling calls to +HttpServletRequest.login(String username, String password), +where "GSSAPI" will not be used and the user will be +authenticated as described in userPassword. If no value is +given, the providers default is used. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
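Review bot: as on main, the new realm.xml text should say that this fallback is a simple bind with the user's password (when `userPassword` is not set), i.e. that ldaps or StartTLS is needed to protect it; the changelog entry should reference PR #819; and "providers default" should read "provider's default".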
Re: [PR] SpnegoAuthenticator allows wrong calls to login/logout methods [tomcat]
markt-asf commented on PR #819:
URL: https://github.com/apache/tomcat/pull/819#issuecomment-2669268717

Thanks for the test case and the detailed configuration settings. That made working on this a lot easier.

I have applied a fairly narrow fix for this issue that is similar to the `MixedSpnegoLdapJNDIRealm` you were using.
Re: [PR] SpnegoAuthenticator allows wrong calls to login/logout methods [tomcat]
markt-asf closed pull request #819: SpnegoAuthenticator allows wrong calls to login/logout methods
URL: https://github.com/apache/tomcat/pull/819
Buildbot failure in on tomcat-12.0.x
Build status: BUILD FAILED: failed compile (failure)
Worker used: bb_worker2_ubuntu
URL: https://ci2.apache.org/#builders/120/builds/387
Blamelist: Mark Thomas
Build Text: failed compile (failure)
Status Detected: new failure
Build Source Stamp: [branch main] 11056e8d52069f4270095f396047beb9fbba0e5c

Steps:
  worker_preparation: 0
  git: 0
  shell: 0
  shell_1: 0
  shell_2: 0
  shell_3: 0
  shell_4: 0
  shell_5: 0
  shell_6: 0
  compile: 1
  shell_7: 0
  shell_8: 0
  shell_9: 0
  shell_10: 0
  Rsync docs to nightlies.apache.org: 0
  shell_11: 0
  Rsync RAT to nightlies.apache.org: 0
  compile_1: 2
  shell_12: 0
  Rsync Logs to nightlies.apache.org: 0

-- ASF Buildbot
[Bug 69575] org.apache.coyote.CompressionConfig doesn't recognize "zstd" compression
https://bz.apache.org/bugzilla/show_bug.cgi?id=69575

Christopher Schultz changed:
  What       |Removed  |Added
  Status     |RESOLVED |REOPENED
  Resolution |FIXED    |---

--- Comment #3 from Christopher Schultz ---

Unfortunately, there is not really a generalizable solution for double-compression, but I think we /can/ do better.

Some Content-Encoding values indicate that compression is being performed (e.g. gzip, deflate, lzma, br, etc.) while others mean ... something else entirely (e.g. exi, rsync, and some odd Microsoft-defined things). Of course there is also "identity" which we can understand to be trivially ignorable.

Most of the tokens that we would consider "problematic" would be the ones that are far less common (e.g. Microsoft stuff, rsync, etc.) and maybe we can ignore those.

Skipping gzip compression on known-compressed Content-Encodings (gzip, deflate, br, compress, and zstd) is definitely worth implementing as Rémy has done here, so that's good.

It is far more "correct" to append ", gzip" to any Content-Encoding that is already present (unless it's exactly "identity"), though Tomcat tends to be an origin server and not a proxy. I think we should append and not replace.
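The policy proposed in the comment above (skip gzip when a compressed coding is already present, treat "identity" as ignorable, otherwise append ", gzip" rather than replace) as an added, stand-alone Python example; this is not Tomcat's `CompressionConfig` code and does not claim to mirror it. The list of "already compressed" codings is the one in the comment (gzip, deflate, br, compress, zstd) plus the `x-gzip`/`x-compress` aliases that RFC 9110 says recipients should treat as equivalents; the header dictionary, `plan_gzip`, and `compress_response` names are this example's own.

```python
import gzip

# Codings that mean "the body is already compressed". gzip, deflate, br,
# compress and zstd are the ones named in the bug comment; x-gzip and
# x-compress are added because RFC 9110 section 8.4.1 says recipients
# should treat them as equivalent to gzip and compress.
COMPRESSED_CODINGS = frozenset(
    {"gzip", "x-gzip", "deflate", "br", "compress", "x-compress", "zstd"}
)


def parse_content_encoding(value):
    """Split a Content-Encoding field value into lower-cased tokens.

    The field is a comma-separated list of content codings in the order
    they were applied. Content-coding names are case-insensitive, and
    whitespace around tokens and empty list elements carry no meaning,
    so both are dropped.
    """
    if value is None:
        return []
    return [tok.strip().lower() for tok in value.split(",") if tok.strip()]


def plan_gzip(existing):
    """Decide whether gzip may be layered on top of `existing`.

    Returns (compress, new_value). If any coding already present means the
    body is compressed, gzip is skipped and the header value is returned
    untouched. Otherwise gzip is appended after the existing codings (it is
    applied last, so it is listed last). "identity" is a no-op coding, so a
    bare "identity" becomes plain "gzip" rather than "identity, gzip".
    """
    tokens = parse_content_encoding(existing)
    if any(tok in COMPRESSED_CODINGS for tok in tokens):
        return False, existing
    kept = [tok for tok in tokens if tok != "identity"]
    return True, ", ".join(kept + ["gzip"])


def _find_header(headers, name):
    """Case-insensitive lookup; returns the stored key or None."""
    wanted = name.lower()
    for key in headers:
        if key.lower() == wanted:
            return key
    return None


def compress_response(headers, body):
    """Apply plan_gzip to a response.

    `headers` is a plain dict of header name -> value (constructed input
    for this example, not a real HTTP library type). A copy is returned;
    the body is gzipped and Content-Encoding updated only when the plan
    allows it. Content-Length is dropped because the body size changed.
    """
    headers = dict(headers)
    key = _find_header(headers, "Content-Encoding")
    compress, new_value = plan_gzip(headers.get(key) if key else None)
    if not compress:
        return headers, body
    headers[key or "Content-Encoding"] = new_value
    length_key = _find_header(headers, "Content-Length")
    if length_key is not None:
        del headers[length_key]
    return headers, gzip.compress(body)


if __name__ == "__main__":
    for value in (None, "identity", "exi", "GZIP", "rsync, br", "zstd"):
        print(repr(value), "->", plan_gzip(value))
```

`plan_gzip("rsync, br")` refuses to compress because `br` is in the list, while `plan_gzip("exi")` yields `"exi, gzip"`: the unknown coding is kept and gzip is appended, which is the "append, don't replace" behaviour the comment argues for.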
Re: [PR] Enhance case sensitivity check [tomcat]
markt-asf commented on PR #820:
URL: https://github.com/apache/tomcat/pull/820#issuecomment-2669367602

Mounting case insensitive file systems on Linux adds yet more complexity. And I don't see an easy way to address that - especially if we want to avoid creating files to test case sensitivity (we do).

I am beginning to think skipping the check and following the case insensitive code path is the way to go.
Case sensitivity checks
All,

A case sensitivity test was added to DirResourceSet as part of the fix for CVE-2024-50379. It is also used to check whether the JVM setting described in CVE-2024-56337 is required.

The current case sensitivity check is imperfect. Things are complicated by:
- Windows introducing per directory case sensitivity
- Linux not returning the actual case in getCanonicalPath() when a case insensitive file system is mounted
- not wanting to have to create files to test case sensitivity

All of these complications are unlikely edge cases but they do exist.

I am beginning to think that the simplest and most robust solution is to remove the case sensitivity test and just keep the code paths for case insensitive file systems.

The impact of that should be:
- users on Linux may see CVE-2024-56337 warnings unnecessarily
- users on Linux with write enabled may see a marginal performance impact if users try writing to and reading from files concurrently that differ only by case

The users seeing CVE-2024-56337 will likely be embedded users and I have a couple of ideas there since I'm getting reports via $work that the most recent releases fixed the issue on Linux but not Windows nor MacOS.

I'll follow up on that (probably tomorrow) once I have had a chat with folks at $work as any fix is unlikely to be just in Tomcat.

Mark
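An added Python example, not Tomcat's DirResourceSet code, of the kind of non-creating probe the message above is talking about, and of why it is imperfect: the probe takes an existing directory entry, flips its case and asks whether that spelling also exists. It uses an existence check rather than comparing canonical paths because, as the message notes, a canonicalised path on Linux keeps the spelling you asked for on a case-insensitive mount, so a path comparison would report "sensitive" there. The `fake_fs` helper is a constructed stand-in for `os.listdir`/`os.path.exists` so both answers can be shown offline; the function names are this example's own.

```python
import os
import tempfile


def is_case_sensitive(directory, listdir=os.listdir, exists=os.path.exists):
    """Probe whether `directory` sits on a case-sensitive file system.

    Returns True (sensitive), False (insensitive) or None (undecidable).
    Nothing is created: an existing entry is chosen, the case of its
    letters flipped, and the file system asked whether that spelling also
    resolves. An existence check is used instead of comparing canonical
    paths, because on Linux a canonical path keeps the caller's spelling
    even on a case-insensitive mount, which would make such a comparison
    report "sensitive" there.
    """
    names = list(listdir(directory))
    present = set(names)
    for name in sorted(names):
        flipped = name.swapcase()
        if flipped == name:
            continue  # no letters to flip (e.g. "123", "_"): useless probe
        if flipped in present:
            continue  # both spellings genuinely exist as separate entries
        return not exists(os.path.join(directory, flipped))
    # Every entry was caseless or had a case-twin: the question cannot be
    # answered without creating a file, which the check wants to avoid.
    return None


def fake_fs(entries, sensitive):
    """Constructed in-memory stand-in for os.listdir / os.path.exists so the
    probe can be exercised for both kinds of file system on any host."""
    def listdir(_directory):
        return list(entries)

    def exists(path):
        base = os.path.basename(path)
        if sensitive:
            return base in entries
        return base.lower() in {e.lower() for e in entries}

    return listdir, exists


def probe_real_directory():
    """Run the probe against a fresh temporary directory on this host.

    A single file is created in the temporary directory only so the probe
    has something to flip; the point of the technique is to avoid creating
    files inside the directory under test. The answer is valid for this
    directory only: Windows allows case sensitivity to be set per
    directory, so a result must not be cached for a whole subtree.
    """
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "Probe.txt"), "w") as fh:
            fh.write("probe\n")
        return is_case_sensitive(tmp)


if __name__ == "__main__":
    for flag in (True, False):
        ld, ex = fake_fs(["WEB-INF", "index.html"], sensitive=flag)
        print("fake fs sensitive=%s ->" % flag, is_case_sensitive("/app", ld, ex))
    print("this host's temp dir ->", probe_real_directory())
```

The `None` outcomes are the practical limitation: a directory whose entries are all digits, or one holding both `a` and `A`, gives the probe nothing to work with, and the only way to get an answer is to create a file, which is exactly the step the message wants to avoid.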
Re: [PR] BZ69446 - add parameter maxPutFileSize in DefaultServlet [tomcat]
Chenjp commented on PR #823:
URL: https://github.com/apache/tomcat/pull/823#issuecomment-2670515402

@rmaucher @markt-asf I have to talk here since the previous vul report has been rejected.

I really think the target issue of this PR is a perfect match for CWE-770 / CWE-400.

***```The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.```***

See https://cwe.mitre.org/data/definitions/770.html and https://cwe.mitre.org/data/definitions/400.html

Anyway, one or two simple requests resulting in the creation of a >=1TB file on the server side is absolutely not acceptable. If the application server discards this issue, then business developers have to face it directly, or enrol a firewall block policy against it.

An online WebDAV provider has been identified and a 10MB file was uploaded successfully with 1 byte of request content.
Re: Case sensitivity checks
On Wed, Feb 19, 2025 at 7:15 PM Mark Thomas wrote:
>
> All,
>
> A case sensitivity test was added to DirResourceSet as part of the fix
> for CVE-2024-50379. It is also used to check whether the JVM setting
> described in CVE-2024-56337 is required.
>
> The current case sensitivity check is imperfect. Things are complicated by:
> - Windows introducing per directory case sensitivity
> - Linux not returning the actual case in getCanonicalPath() when a case
>   insensitive file system is mounted
> - not wanting to have to create files to test case sensitivity
>
> All of these complications are unlikely edge cases but they do exist.

It's more than unlikely, it's clear it's not going to happen. I don't think we can chase down every misconfiguration ...

> I am beginning to think that the simplest and most robust solution is to
> remove the case sensitivity test and just keep the code paths for case
> insensitive file systems.
>
> The impact of that should be:
> - users on Linux may see CVE-2024-56337 warnings unnecessarily
> - users on Linux with write enabled may see a marginal performance
>   impact if users try writing to and reading from files concurrently
>   that differ only by case

+1

> The users seeing CVE-2024-56337 will likely be embedded users and I have
> a couple of ideas there since I'm getting reports via $work the most
> recent releases fixed the issue on Linux but not Windows nor MacOS.
>
> I'll follow up on that (probably tomorrow) once I have had a chat with
> folks at $work as any fix is unlikely to be just in Tomcat.

Ok.

Rémy

> Mark
Re: [PR] BZ69446 - add parameter maxPutFileSize in DefaultServlet [tomcat]
rmaucher commented on PR #823:
URL: https://github.com/apache/tomcat/pull/823#issuecomment-2670663780

We answered this quite a few times already, so let's leave it at that. Write enabled allows editing webapp contents, which is reserved to administrators.
Re: [PR] BZ69446 - add parameter maxPutFileSize in DefaultServlet [tomcat]
rmaucher closed pull request #823: BZ69446 - add parameter maxPutFileSize in DefaultServlet
URL: https://github.com/apache/tomcat/pull/823
Re: [PR] BZ69446 - add parameter maxPutFileSize in DefaultServlet [tomcat]
Chenjp commented on PR #823:
URL: https://github.com/apache/tomcat/pull/823#issuecomment-2670712406

Ok, the final decision is up to you. Write is reserved to administrators... If we share this standard, I would like to know your opinion on RCE [CVE-2017-12617](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617) and [CVE-2024-50379](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50379).
[PR] WebResource read/write lock key changed to in lowercase arbitrarily [tomcat]
Chenjp opened a new pull request, #829:
URL: https://github.com/apache/tomcat/pull/829

Discarding the file name case sensitivity of the resource directory. Detecting the case sensitivity of a directory is expensive: we have to create files with different upper/lower case names and check the result. Based on the discussion in PR #820. To avoid the vulnerability, we simply treat all lock keys as lowercase.
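As an added illustration of the approach PR #829 describes, and of the contention cost on case-sensitive file systems that the "Case sensitivity checks" email above mentions, here is a small Java lock registry that folds every lock key to lower case. This is example code written for this page, not Tomcat's own implementation; the class name, the `withReadLock`/`withWriteLock` helpers, the `sharesLock` check and the sample paths are assumptions chosen for the demonstration.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import java.util.function.Supplier;

/**
 * Added illustration, not Tomcat's code: a per-resource read/write lock
 * registry whose keys are folded to lower case, so that "/WEB-INF/Test.JSP"
 * and "/web-inf/test.jsp" share one lock whether or not the underlying file
 * system is case sensitive. On a case sensitive file system the only cost is
 * unnecessary contention between genuinely distinct files that differ by case.
 */
public final class CaseInsensitiveResourceLocks {

    // Hypothetical registry. A production version must bound its size (for
    // example by evicting locks no thread holds), otherwise request-chosen
    // paths grow the map without limit.
    private final Map<String, ReentrantReadWriteLock> locks = new ConcurrentHashMap<>();

    /** Lock key: lower-cased with a fixed locale so the key does not depend on the JVM default locale. */
    static String lockKey(String path) {
        return path.toLowerCase(Locale.ROOT);
    }

    private ReentrantReadWriteLock lockFor(String path) {
        return locks.computeIfAbsent(lockKey(path), k -> new ReentrantReadWriteLock());
    }

    /** True when both spellings of a path resolve to the same lock object. */
    boolean sharesLock(String a, String b) {
        return lockFor(a) == lockFor(b);
    }

    public <T> T withReadLock(String path, Supplier<T> action) {
        ReentrantReadWriteLock.ReadLock lock = lockFor(path).readLock();
        lock.lock();
        try {
            return action.get();
        } finally {
            lock.unlock();
        }
    }

    public void withWriteLock(String path, Runnable action) {
        ReentrantReadWriteLock.WriteLock lock = lockFor(path).writeLock();
        lock.lock();
        try {
            action.run();
        } finally {
            lock.unlock();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        CaseInsensitiveResourceLocks registry = new CaseInsensitiveResourceLocks();
        List<String> events = Collections.synchronizedList(new ArrayList<>());
        CountDownLatch writerHoldsLock = new CountDownLatch(1);

        // Writer takes the lock under one spelling of the path and holds it briefly.
        Thread writer = new Thread(() -> registry.withWriteLock("/WEB-INF/Test.JSP", () -> {
            events.add("write start");
            writerHoldsLock.countDown();
            sleepQuietly(200);
            events.add("write end");
        }));

        // Reader waits until the writer holds the lock, then reads under a
        // different spelling. Both spellings fold to the same key, so the read
        // cannot proceed until the write has released the lock.
        Thread reader = new Thread(() -> {
            awaitQuietly(writerHoldsLock);
            registry.withReadLock("/web-inf/test.jsp", () -> events.add("read"));
        });

        writer.start();
        reader.start();
        writer.join();
        reader.join();

        System.out.println("same lock: " + registry.sharesLock("/WEB-INF/Test.JSP", "/web-inf/test.jsp"));
        System.out.println("event order: " + events);
    }

    private static void sleepQuietly(long millis) {
        try {
            Thread.sleep(millis);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }

    private static void awaitQuietly(CountDownLatch latch) {
        try {
            latch.await();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }
}
```

Folding the key with `Locale.ROOT` rather than the default `toLowerCase()` matters: under a Turkish default locale, `"I"` does not fold to `"i"`, so two requests for the same file could otherwise land on different locks.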
Re: [PR] Enhance case sensitivity check [tomcat]
Chenjp commented on PR #820:
URL: https://github.com/apache/tomcat/pull/820#issuecomment-2670122793

+1. Since creating a case sensitivity verification file is not a good idea, simply treat all as insensitive and remove the indicator. See PR #829.