Don't overwrite valid Principal from password callback will null

apache · Sep 19, 2024 · db91aa4 · db91aa4
1 parent 50dddaa
commit db91aa4
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/java/org/apache/catalina/authenticator/jaspic/CallbackHandlerImpl.java b/java/org/apache/catalina/authenticator/jaspic/CallbackHandlerImpl.java
@@ -69,7 +69,9 @@ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallback
                 if (callback instanceof CallerPrincipalCallback) {
                     CallerPrincipalCallback cpc = (CallerPrincipalCallback) callback;
                     name = cpc.getName();
-                    principal = cpc.getPrincipal();
+                    if (cpc.getPrincipal() != null) {
+                        principal = cpc.getPrincipal();
+                    }
                     subject = cpc.getSubject();
                 } else if (callback instanceof GroupPrincipalCallback) {
                     GroupPrincipalCallback gpc = (GroupPrincipalCallback) callback;

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
@@ -132,6 +132,12 @@
         associated with persisting the Jakarta Authentication provider
         configuration. (markt)
       </fix>
+      <fix>
+        When processing Jakarta Authentication callbacks, don't overwrite a
+        Principal obtained from the <code>PasswordValidationCallback</code> with
+        <code>null</code> if the <code>CallerPrincipalCallback</code> does not
+        provide a Principal. (markt)
+      </fix>
     </changelog>
   </subsection>
 </section>