From 0bcf09ab3837a8e9fcbc949d20e823baea86960d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexander=20Pin=C4=8Duk?=
Date: Sun, 26 Jan 2025 23:19:20 +0300
Subject: [PATCH] Improve HTTP admin login flow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Alexander PinĨuk
---
 .../admin/util/GenericAdminAuthenticator.java | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/nucleus/admin/util/src/main/java/com/sun/enterprise/admin/util/GenericAdminAuthenticator.java b/nucleus/admin/util/src/main/java/com/sun/enterprise/admin/util/GenericAdminAuthenticator.java
index d59f7ed9e4a..cb89f5cdec5 100644
--- a/nucleus/admin/util/src/main/java/com/sun/enterprise/admin/util/GenericAdminAuthenticator.java
+++ b/nucleus/admin/util/src/main/java/com/sun/enterprise/admin/util/GenericAdminAuthenticator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2023 Contributors to the Eclipse Foundation
+ * Copyright (c) 2023, 2025 Contributors to the Eclipse Foundation.
 * Copyright (c) 1997, 2018 Oracle and/or its affiliates. All rights reserved.
 *
 * This program and the accompanying materials are made available under the 
@@ -225,21 +225,24 @@ private boolean ensureGroupMembership(String user, String realm) { private Subject authenticate(final Request req, final String alternateHostname) throws IOException, LoginException { final AdminCallbackHandler cbh = new AdminCallbackHandler(habitat, req, alternateHostname, getDefaultAdminUser(), localPassword); - Subject s; try { - s = authService.login(cbh, null); /* * Enforce remote access restrictions, if any. */ rejectRemoteAdminIfDisabled(cbh); - consumeTokenIfPresent(req); + + Subject subject = consumeTokenIfPresent(req); + if (subject == null) { + subject = authService.login(cbh, null); + } + if (ADMSEC_LOGGER.isLoggable(Level.FINE)) { ADMSEC_LOGGER.log(Level.FINE, "*** Login worked\n user={0}\n dn={1}\n tkn={2}\n admInd={3}\n host={4}\n", new Object[] { cbh.pw().getUserName(), cbh.clientPrincipal() == null ? "null" : cbh.clientPrincipal().getName(), cbh.tkn(), cbh.adminIndicator(), cbh.remoteHost() }); } - return s; + return subject; } catch (RemoteAdminAccessException ex) { /* * Rethrow RemoteAdminAccessException explicitly to avoid it being
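Review bot: The new token branch, `Subject subject = consumeTokenIfPresent(req); if (subject == null) { subject = authService.login(cbh, null); }`, makes a presented token sufficient on its own, so whatever `authService.login` enforces for password and certificate logins — the hunk header shows this class also has `ensureGroupMembership`, which presumably sits on that path — is skipped for token requests unless `consumeTokenIfPresent` applies the same checks; that should be confirmed and recorded at the branch. A comment such as `// A valid admin token authenticates the request by itself; the callback-handler login runs only when no token was presented.` would make the intended precedence explicit for the next reader. `rejectRemoteAdminIfDisabled(cbh)` now runs before any credential is examined, which is the safer order but changes which failure a remote client observes first, so it deserves a line in the commit message if intentional. The unchanged FINE log call that follows still prints `cbh.tkn()` next to the user name, so enabling that logger records the token value; consider logging only its presence. The body of `authenticate` continues past the end of the hunk.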