Spring Security / SEC-1239

Special characters in JAAS config file location

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.0.5
    • Fix Version/s: 3.0.0 RC1
    • Component/s: Core
    • Labels:
      None

      Description

      Given a JaasAuthenticationProvider declared like this:
      <bean id="krb5AuthenticationProvider"
            class="org.springframework.security.providers.jaas.JaasAuthenticationProvider">
        <property name="loginConfig" value="classpath:/jaas.config"/>
        <property name="loginContextName" value="Krb5LoginModule"/>
        <property name="callbackHandlers">
          <list>
            <bean class="org.springframework.security.providers.jaas.JaasNameCallbackHandler"/>
            <bean class="org.springframework.security.providers.jaas.PasswordCallbackHandler"/>
          </list>
        </property>
      </bean>

      I get the following exception:
      java.lang.SecurityException: D:\Tomcat%205.5.23\webapps\myapp\WEB-INF\classes\jaas.config (The system cannot find the path specified)

      The problem stems from

      • the fact that there is a special character (%20 is "space") in my Tomcat location.
      • the way Resource is converted to String in method private void configureJaasUsingLoop():
        String loginConfigUrl = loginConfig.getURL().toString();

        Activity

        Luke Taylor added a comment -

        I've converted the Resource to a File before calling getURL() on it. File.get().URL.toString() is encoded differently from the one obtained from Resource.getURL().toString(). More importantly it is compatible with the current behaviour of com.sun.security.auth.login.ConfigFile which just substitutes "/" characters in the URL for the file separator character, before attempting to use it to load the file. I think the problem essentially lies with the behaviour of ConfigFile, but this seems to fix it.
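
        The encoding mismatch discussed in this issue, as an added example that is not code from Spring Security or from the commenter. The class and helper names and the temporary directory are constructed; naivePath only imitates the "/" substitution the comment attributes to ConfigFile, and the use of the deprecated java.io.File.toURL() to obtain an unescaped URL is an assumption, not necessarily the call used in the fix.

```java
import java.io.File;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;

public class JaasConfigLocationDemo {

    // Imitates the handling the comment describes: "/" is swapped for the
    // file separator and percent-escapes such as %20 are left as they are.
    static String naivePath(String url) {
        String path = url.startsWith("file:") ? url.substring(5) : url;
        return path.replace('/', File.separatorChar);
    }

    // Escaped form, as produced by going through java.net.URI.
    static String escapedUrl(File f) throws Exception {
        return f.toURI().toURL().toString();
    }

    // Unescaped form: the deprecated File.toURL() does not escape characters.
    @SuppressWarnings("deprecation")
    static String unescapedUrl(File f) throws Exception {
        return f.toURL().toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a config file under a directory with a space.
        Path dir = Files.createTempDirectory("Tomcat 5.5 demo");
        File config = Files.createFile(dir.resolve("jaas.config")).toFile();
        try {
            for (String url : new String[] {escapedUrl(config), unescapedUrl(config)}) {
                File resolved = new File(naivePath(url));
                System.out.println(url);
                System.out.println("  -> " + resolved + " exists=" + resolved.exists());
            }
            // Robust conversion: decode the escapes via URI before opening.
            File decoded = new File(URI.create(escapedUrl(config)));
            System.out.println("decoded via URI: exists=" + decoded.exists());
        } finally {
            Files.deleteIfExists(config.toPath());
            Files.deleteIfExists(dir);
        }
    }
}
```

        On a Unix-like system the escaped URL resolves to a path containing a literal %20 that does not exist, while the unescaped URL and the URI-decoded File both point at the real file.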


          People

          • Assignee:
            Luke Taylor
            Reporter:
            Gérald Quintana
          • Votes:
            0
            Watchers:
            1
