HADOOP-13565. KerberosAuthenticationHandler#authenticate should not rebuild SPN based on client request. Contributed by Xiaoyu Yao.

This commit is contained in:
Xiaoyu Yao 2016-10-13 10:52:13 -07:00
parent b371c56365
commit 9097e2efe4

View File

@ -343,8 +343,6 @@ public AuthenticationToken authenticate(HttpServletRequest request, final HttpSe
authorization = authorization.substring(KerberosAuthenticator.NEGOTIATE.length()).trim(); authorization = authorization.substring(KerberosAuthenticator.NEGOTIATE.length()).trim();
final Base64 base64 = new Base64(0); final Base64 base64 = new Base64(0);
final byte[] clientToken = base64.decode(authorization); final byte[] clientToken = base64.decode(authorization);
final String serverName = InetAddress.getByName(request.getServerName())
.getCanonicalHostName();
try { try {
token = Subject.doAs(serverSubject, new PrivilegedExceptionAction<AuthenticationToken>() { token = Subject.doAs(serverSubject, new PrivilegedExceptionAction<AuthenticationToken>() {
@ -354,10 +352,7 @@ public AuthenticationToken run() throws Exception {
GSSContext gssContext = null; GSSContext gssContext = null;
GSSCredential gssCreds = null; GSSCredential gssCreds = null;
try { try {
gssCreds = gssManager.createCredential( gssCreds = gssManager.createCredential(null,
gssManager.createName(
KerberosUtil.getServicePrincipal("HTTP", serverName),
KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL")),
GSSCredential.INDEFINITE_LIFETIME, GSSCredential.INDEFINITE_LIFETIME,
new Oid[]{ new Oid[]{
KerberosUtil.getOidInstance("GSS_SPNEGO_MECH_OID"), KerberosUtil.getOidInstance("GSS_SPNEGO_MECH_OID"),