This is an automated email from the ASF dual-hosted git repository.
smolnar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push:
new 3017a18 KNOX-2382 - Logging token identifier for easier error
debugging (#352)
3017a18 is described below
commit 3017a180becf80d4f49bfeea96dc121c3f428148
Author: Sandor Molnar <[email protected]>
AuthorDate: Tue Jun 23 06:57:20 2020 +0200
KNOX-2382 - Logging token identifier for easier error debugging (#352)
---
.../knox/gateway/provider/federation/jwt/JWTMessages.java | 12 ++++++------
.../provider/federation/jwt/filter/AbstractJWTFilter.java | 8 +++++---
.../federation/jwt/filter/AccessTokenFederationFilter.java | 9 ++++++---
3 files changed, 17 insertions(+), 12 deletions(-)
diff --git
a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/JWTMessages.java
b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/JWTMessages.java
index 01136a5..72696c0 100644
---
a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/JWTMessages.java
+++
b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/JWTMessages.java
@@ -23,14 +23,14 @@ import org.apache.knox.gateway.i18n.messages.StackTrace;
@Messages(logger="org.apache.knox.gateway.provider.federation.jwt")
public interface JWTMessages {
- @Message( level = MessageLevel.WARN, text = "Failed to validate the audience
attribute." )
- void failedToValidateAudience();
+ @Message( level = MessageLevel.WARN, text = "Failed to validate the audience
attribute for token {1} ({2})" )
+ void failedToValidateAudience(String tokenDisplayText, String tokenId);
- @Message( level = MessageLevel.WARN, text = "Failed to verify the token
signature." )
- void failedToVerifyTokenSignature();
+ @Message( level = MessageLevel.WARN, text = "Failed to verify the token
signature of {1} ({2})" )
+ void failedToVerifyTokenSignature(String tokenDisplayText, String tokenId);
- @Message( level = MessageLevel.INFO, text = "Access token has expired; a new
one must be acquired." )
- void tokenHasExpired();
+ @Message( level = MessageLevel.INFO, text = "Access token {1} ({2}) has
expired; a new one must be acquired." )
+ void tokenHasExpired(String tokenDisplayText, String tokenId);
@Message( level = MessageLevel.INFO, text = "The NotBefore check failed." )
void notBeforeCheckFailed();
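Review bot: The new message texts reference `{1}` and `{2}` although each method takes only two arguments. If Knox's message framework formats with zero-based MessageFormat indices, as I believe it does, the first argument is never printed and `{2}` stays unresolved in the log line. In that case all three texts should use `{0} ({1})`, for example `text = "Failed to validate the audience attribute for token {0} ({1})"`. A one-line Javadoc on each method stating that both values may come from a token that failed validation would also help whoever triages these entries.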
diff --git
a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
index 33af86f..1aeea20 100644
---
a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
+++
b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
@@ -284,6 +284,8 @@ public abstract class AbstractJWTFilter implements Filter {
}
}
+ final String tokenId = TokenUtils.getTokenId(token);
+ final String displayableToken =
TokenUtils.getTokenDisplayText(token.toString());
if (verified) {
// confirm that issue matches intended target
if (expectedIssuer.equals(token.getIssuer())) {
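Review bot: `tokenId` and `displayableToken` are computed before the `if (verified)` branch, so on the signature-failure path they come from a token that has not been authenticated and are then written to the WARN log. Whether `TokenUtils.getTokenDisplayText` shortens the serialized token enough that the log never holds a replayable credential is not visible here and should be confirmed. The same goes for whether either helper neutralises control characters. I would add a comment above the two declarations such as `// Log-only values taken from the token before trust is established; treat as untrusted input`. The same applies to the identical pair added in AccessTokenFederationFilter, and the enclosing method starts and ends outside this hunk.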
@@ -304,12 +306,12 @@ public abstract class AbstractJWTFilter implements Filter
{
}
}
else {
- log.failedToValidateAudience();
+ log.failedToValidateAudience(tokenId, displayableToken);
handleValidationError(request, response,
HttpServletResponse.SC_BAD_REQUEST,
"Bad request: missing required token
audience");
}
} else {
- log.tokenHasExpired();
+ log.tokenHasExpired(tokenId, displayableToken);
handleValidationError(request, response,
HttpServletResponse.SC_BAD_REQUEST,
"Bad request: token has expired");
}
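Review bot: The calls here pass `(tokenId, displayableToken)` while JWTMessages declares the parameters as `(String tokenDisplayText, String tokenId)`, so the identifier and the display text land in each other's slot in the log line. Both are `String`, so the compiler will not catch the swap. Swap the arguments to match the declaration: `log.failedToValidateAudience(displayableToken, tokenId);` and `log.tokenHasExpired(displayableToken, tokenId);`. The `failedToVerifyTokenSignature` call in the next hunk and all three calls in AccessTokenFederationFilter use the same reversed order. Someone correlating a failed request by token id would otherwise search the wrong field.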
@@ -323,7 +325,7 @@ public abstract class AbstractJWTFilter implements Filter {
}
}
else {
- log.failedToVerifyTokenSignature();
+ log.failedToVerifyTokenSignature(tokenId, displayableToken);
handleValidationError(request, response,
HttpServletResponse.SC_UNAUTHORIZED, null);
}
diff --git
a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java
b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java
index 1bc8b4d..4daae0f 100644
---
a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java
+++
b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java
@@ -89,6 +89,9 @@ public class AccessTokenFederationFilter implements Filter {
} catch (TokenServiceException e) {
log.unableToVerifyToken(e);
}
+
+ final String tokenId = TokenUtils.getTokenId(token);
+ final String displayableToken =
TokenUtils.getTokenDisplayText(token.toString());
if (verified) {
try {
if (!isExpired(token)) {
@@ -96,11 +99,11 @@ public class AccessTokenFederationFilter implements Filter {
Subject subject = createSubjectFromToken(token);
continueWithEstablishedSecurityContext(subject,
(HttpServletRequest)request, (HttpServletResponse)response, chain);
} else {
- log.failedToValidateAudience();
+ log.failedToValidateAudience(tokenId, displayableToken);
sendUnauthorized(response);
}
} else {
- log.tokenHasExpired();
+ log.tokenHasExpired(tokenId, displayableToken);
sendUnauthorized(response);
}
} catch (UnknownTokenException e) {
@@ -108,7 +111,7 @@ public class AccessTokenFederationFilter implements Filter {
sendUnauthorized(response);
}
} else {
- log.failedToVerifyTokenSignature();
+ log.failedToVerifyTokenSignature(tokenId, displayableToken);
sendUnauthorized(response);
}
} else {