
#510 JaasSecurityManager and caching of X509Certificate chains

Milestone: v3.2
Status: closed-fixed
Category: JBossSX (25)
Priority: 5
Created: 2004-08-04
Updated: 2004-08-04
Private: No

I have a Login module that I use with SSL client
certificates. The log from the module suggests that it is
invoked by the JaasSecurityManager on every client call,
even when the client (and principal) is previously
authenticated, and the principal is in the cache. Other
username/password based modules do not show this
behavior.

Below is a patch to JaasSecurityManager that compares
arrays of X509Certificates in the validateCache method
(don't know if this form causes some odd linebreaks):

---JaasSecurityManager.java 2004-06-04
02:31:50.000000000 +0200
+++ JaasSecurityManager.java 2004-08-04
14:26:58.000000000 +0200
@@ -10,6 +10,7 @@
import java.lang.reflect.UndeclaredThrowableException;
import java.security.Principal;
import java.security.acl.Group;
+import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
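Review bot: the added import only serves the new instanceof/cast in the validateCache hunk; if that branch is generalized to a plain Object[] comparison, the X509Certificate import becomes unused and should be dropped. Its placement between java.security.acl.Group and java.util.Arrays does keep the existing alphabetical order of the import list.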
@@ -515,6 +516,12 @@
byte[] a2 = (byte[]) credential;
isValid = Arrays.equals(a1, a2);
}
+ else if ( subjectCredential instanceof
X509Certificate[] )
+ {
+ X509Certificate[] a1 = (X509Certificate[])
subjectCredential;
+ X509Certificate[] a2 = (X509Certificate[])
credential;
+ isValid = Arrays.equals(a1, a2);
+ }
else
{
isValid = subjectCredential.equals(credential);
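Review bot: the cast on the `a2` line, `X509Certificate[] a2 = (X509Certificate[]) credential;`, is unchecked, so a subject that was cached with a certificate chain and is later presented with a non-array credential (a String password, for instance) throws ClassCastException out of validateCache instead of producing isValid = false; guard the cast with `credential instanceof X509Certificate[]` (or `credential instanceof Object[]` if the branch is generalized). The comparison itself is sound: Arrays.equals is order-sensitive, which is what a chain needs, and it delegates to X509Certificate.equals, which compares DER encodings, so chains built from separate SSL handshakes match when their certificates are byte-identical even though the array objects differ.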

Discussion

  • Rolf Arne Corneliussen

    Logged In: YES
    user_id=1028948

    I attach a file with the patch, as the linebreaks came out
    wrong in the form.

     
  • Rolf Arne Corneliussen

    Patch to JaasSecurityManager.java

     
  • Scott M Stark

    Scott M Stark - 2004-08-04
    • assigned_to: nobody --> starksm
    • status: open --> open-accepted
     
  • Scott M Stark

    Scott M Stark - 2004-08-04

    Logged In: YES
    user_id=175228

    A more generic approach would be:

    else if( subjectCredential.getClass().isArray() )
    {
        Object[] a1 = (Object[]) subjectCredential;
        Object[] a2 = (Object[]) credential;
        isValid = Arrays.equals(a1, a2);
    }

    Can you test that out?
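Added example, not part of the tracker thread and not JBoss code: it shows why the cache check in the original report missed on every call (arrays do not override equals(), so Object.equals on two X509Certificate[] instances is reference identity) and what the element-wise comparison proposed above does instead. The StubCertificate class is a constructed stand-in for a real X509Certificate; it relies on the real java.security.cert.Certificate.equals(), which compares getEncoded() bytes, so the behaviour of Arrays.equals on a chain is the genuine one. The credentialsMatch method mirrors the byte[] / Object[] / equals() ordering discussed in the thread but adds an instanceof guard on the incoming credential before casting; that guard is this example's own addition, not something the thread proposes.

```java
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.Arrays;

/**
 * Constructed stand-in for X509Certificate. The inherited Certificate.equals()
 * compares getEncoded() byte for byte, exactly as a real X.509 certificate does,
 * so chain comparisons below behave as they would with real certificates.
 */
final class StubCertificate extends Certificate {
    private final byte[] der;   // constructed bytes, not a real DER certificate

    StubCertificate(byte[] der) {
        super("X.509");
        this.der = der.clone();
    }

    @Override public byte[] getEncoded() { return der.clone(); }
    @Override public void verify(PublicKey key) { /* stub: nothing to verify */ }
    @Override public void verify(PublicKey key, String sigProvider) { /* stub */ }
    @Override public String toString() { return "StubCertificate" + Arrays.toString(der); }
    @Override public PublicKey getPublicKey() { return null; }
}

public final class CredentialMatch {

    /** What the un-patched check did for a certificate chain: Object.equals on an
     *  array is reference identity, so a freshly built chain never matches the cached one. */
    static boolean legacyMatch(Object subjectCredential, Object credential) {
        return subjectCredential.equals(credential);
    }

    /**
     * Element-wise comparison in the order discussed in the thread: byte[] first,
     * then any object array, then plain equals(). The instanceof guard on
     * `credential` is an addition of this example: a cached chain compared against
     * a String password yields false instead of a ClassCastException.
     */
    static boolean credentialsMatch(Object subjectCredential, Object credential) {
        if (subjectCredential == null) {
            return credential == null;
        }
        if (subjectCredential instanceof byte[]) {
            return credential instanceof byte[]
                && Arrays.equals((byte[]) subjectCredential, (byte[]) credential);
        }
        if (subjectCredential.getClass().isArray()) {
            // Only object arrays can be cast to Object[]; other primitive arrays
            // (int[], char[] ...) and non-array credentials simply do not match.
            if (!(subjectCredential instanceof Object[]) || !(credential instanceof Object[])) {
                return false;
            }
            // Order-sensitive, delegates to Certificate.equals() per element.
            return Arrays.equals((Object[]) subjectCredential, (Object[]) credential);
        }
        return subjectCredential.equals(credential);
    }

    /** Builds a chain of stub certificates from constructed encodings. */
    static Certificate[] chain(byte[]... encodings) {
        Certificate[] certs = new Certificate[encodings.length];
        for (int i = 0; i < encodings.length; i++) {
            certs[i] = new StubCertificate(encodings[i]);
        }
        return certs;
    }

    public static void main(String[] args) {
        byte[] leaf = {0x30, 0x01, 0x01};     // constructed sample encodings
        byte[] issuer = {0x30, 0x02, 0x02};

        Certificate[] cached = chain(leaf, issuer);     // stored in the cache at first login
        Certificate[] presented = chain(leaf, issuer);  // new objects built on the next SSL call

        System.out.println("legacy equals():   " + legacyMatch(cached, presented));          // false: cache miss, login module re-run
        System.out.println("Arrays.equals():   " + credentialsMatch(cached, presented));     // true: cache hit
        System.out.println("reordered chain:   " + credentialsMatch(cached, chain(issuer, leaf))); // false: order matters
        System.out.println("password vs chain: " + credentialsMatch(cached, "secret"));      // false, no exception
        System.out.println("byte[] passwords:  " + credentialsMatch(leaf.clone(), leaf));    // true
    }
}
```

Compile and run with `javac CredentialMatch.java && java CredentialMatch`. The first two lines of output are the whole story of the report: identical chains presented on successive calls compare unequal under Object.equals and equal under Arrays.equals, which is the difference between re-running the login module on every request and taking the cache hit.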

     
  • Rolf Arne Corneliussen

    Logged In: YES
    user_id=1028948

    Thanks. Yes that works correctly with X509Certificate arrays.

     
  • Scott M Stark

    Scott M Stark - 2004-08-04
    • status: open-accepted --> closed-accepted
     
  • Scott M Stark

    Scott M Stark - 2004-08-04
    • status: closed-accepted --> closed-fixed
     
  • Scott M Stark

    Scott M Stark - 2004-08-04

    Logged In: YES
    user_id=175228

    The generalized Object[] patch has been applied for 3.2.6RC2+

     
