This is an automated email from the ASF dual-hosted git repository.

thenatog pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git


The following commit(s) were added to refs/heads/main by this push:
     new 777238eb32 NIFI-10321 Send Session Expired message for Expired JWT 
errors
777238eb32 is described below

commit 777238eb323db75bce0285d89add2f6bd87eddef
Author: exceptionfactory <[email protected]>
AuthorDate: Tue Aug 23 16:18:09 2022 -0500

    NIFI-10321 Send Session Expired message for Expired JWT errors
    
    Signed-off-by: Nathan Gough <[email protected]>
    
    This closes #6332.
---
 .../security/StandardAuthenticationEntryPoint.java | 23 +++++++++++------
 .../StandardAuthenticationEntryPointTest.java      | 29 ++++++++++++++++++----
 2 files changed, 39 insertions(+), 13 deletions(-)

diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/StandardAuthenticationEntryPoint.java
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/StandardAuthenticationEntryPoint.java
index ebf2da74d1..561652de8f 100644
--- 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/StandardAuthenticationEntryPoint.java
+++ 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/StandardAuthenticationEntryPoint.java
@@ -25,8 +25,8 @@ import 
org.springframework.security.core.AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import 
org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
 import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.util.StringUtils;
 
-import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
@@ -45,6 +45,10 @@ public class StandardAuthenticationEntryPoint implements 
AuthenticationEntryPoin
 
     protected static final String UNAUTHORIZED = "Unauthorized";
 
+    protected static final String EXPIRED_JWT = "Expired JWT";
+
+    protected static final String SESSION_EXPIRED = "Session Expired";
+
     private static final String ROOT_PATH = "/";
 
     private static final ApplicationCookieService applicationCookieService = 
new StandardApplicationCookieService();
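Review bot: The two new protected constants `EXPIRED_JWT` and `SESSION_EXPIRED` carry no comment describing their roles, and since they are protected (and referenced from the test) their contract deserves stating. I would add `/** Exception message suffix, compared case-insensitively, that identifies an expired token */` above `EXPIRED_JWT` and `/** Response body returned in place of the expired-token detail */` above `SESSION_EXPIRED`, so a maintainer changing either string knows the comparison it feeds.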
@@ -62,32 +66,35 @@ public class StandardAuthenticationEntryPoint implements 
AuthenticationEntryPoin
      * @param response HTTP Servlet Response
      * @param exception Authentication Exception
      * @throws IOException Thrown on response processing failures
-     * @throws ServletException Thrown on response processing failures
      */
     @Override
-    public void commence(final HttpServletRequest request, final 
HttpServletResponse response, final AuthenticationException exception) throws 
IOException, ServletException {
+    public void commence(final HttpServletRequest request, final 
HttpServletResponse response, final AuthenticationException exception) throws 
IOException {
         if (exception instanceof OAuth2AuthenticationException) {
             bearerTokenAuthenticationEntryPoint.commence(request, response, 
exception);
         } else {
             response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
         }
         removeAuthorizationBearerCookie(request, response);
-        sendErrorMessage(response);
+        sendErrorMessage(response, exception);
     }
 
-    private void sendErrorMessage(final HttpServletResponse response) throws 
IOException {
+    private void sendErrorMessage(final HttpServletResponse response, final 
AuthenticationException exception) throws IOException {
         response.setContentType(MediaType.TEXT_PLAIN_VALUE);
-        final String message = getErrorMessage(response);
+        final String message = getErrorMessage(response, exception);
         try (final PrintWriter writer = response.getWriter()) {
             writer.print(message);
         }
     }
 
-    private String getErrorMessage(final HttpServletResponse response) {
+    private String getErrorMessage(final HttpServletResponse response, final 
AuthenticationException exception) {
         // Use WWW-Authenticate Header from 
BearerTokenAuthenticationEntryPoint when found
         final String authenticateHeader = 
response.getHeader(AUTHENTICATE_HEADER);
         final String errorMessage = authenticateHeader == null ? UNAUTHORIZED 
: authenticateHeader;
-        return errorMessage.replaceFirst(BEARER_HEADER, UNAUTHORIZED);
+        final String formattedErrorMessage = 
errorMessage.replaceFirst(BEARER_HEADER, UNAUTHORIZED);
+
+        // Use simplified message for Expired JWT exceptions
+        final String exceptionMessage = exception.getMessage();
+        return StringUtils.endsWithIgnoreCase(exceptionMessage, EXPIRED_JWT) ? 
SESSION_EXPIRED : formattedErrorMessage;
     }
 
     private void removeAuthorizationBearerCookie(final HttpServletRequest 
request, final HttpServletResponse response) {
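Review bot: getErrorMessage now selects `SESSION_EXPIRED` by suffix-matching the free-text exception message (`StringUtils.endsWithIgnoreCase(exceptionMessage, EXPIRED_JWT)`), so if the component that raises the expired-token exception (not visible in this diff) ever rewords its message, the branch silently stops matching and the body falls back to the WWW-Authenticate text, which the test shows contains that same message. Keying on the exception type or a dedicated error code would be more robust; failing that, the coupling should at least be spelled out at the comparison with `// Must stay in sync with the message suffix set by the token validation path that raises the expired-token exception`. A smaller point of style: `formattedErrorMessage` is computed and then discarded on the expired branch, so checking the exception first and returning `SESSION_EXPIRED` early reads more directly. The Spring `StringUtils` overload tolerates a null `getMessage()`, so the unconditional call on the preceding line is safe as written; removeAuthorizationBearerCookie continues past the end of the hunk.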
diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/StandardAuthenticationEntryPointTest.java
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/StandardAuthenticationEntryPointTest.java
index 8dccdfa966..9f41749bc6 100644
--- 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/StandardAuthenticationEntryPointTest.java
+++ 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/StandardAuthenticationEntryPointTest.java
@@ -25,10 +25,10 @@ import org.springframework.mock.web.MockHttpServletResponse;
 import 
org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import 
org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
 import 
org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
 
 import javax.servlet.ServletContext;
-import javax.servlet.ServletException;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
@@ -68,7 +68,7 @@ class StandardAuthenticationEntryPointTest {
     }
 
     @Test
-    void testCommenceAuthenticationServiceException() throws ServletException, 
IOException {
+    void testCommenceAuthenticationServiceException() throws IOException {
         final AuthenticationException exception = new 
AuthenticationServiceException(FAILED);
 
         authenticationEntryPoint.commence(request, response, exception);
@@ -85,7 +85,7 @@ class StandardAuthenticationEntryPointTest {
     }
 
     @Test
-    void testCommenceOAuth2AuthenticationException() throws ServletException, 
IOException {
+    void testCommenceOAuth2AuthenticationException() throws IOException {
         final OAuth2AuthenticationException exception = new 
OAuth2AuthenticationException(FAILED);
 
         authenticationEntryPoint.commence(request, response, exception);
@@ -105,7 +105,26 @@ class StandardAuthenticationEntryPointTest {
     }
 
     @Test
-    void testCommenceRemoveCookie() throws ServletException, IOException {
+    void testCommenceInvalidBearerTokenExceptionExpired() throws IOException {
+        final InvalidBearerTokenException exception = new 
InvalidBearerTokenException(StandardAuthenticationEntryPoint.EXPIRED_JWT);
+
+        authenticationEntryPoint.commence(request, response, exception);
+
+        assertEquals(HttpServletResponse.SC_UNAUTHORIZED, 
response.getStatus());
+        final String authenticateHeader = 
response.getHeader(StandardAuthenticationEntryPoint.AUTHENTICATE_HEADER);
+        assertNotNull(authenticateHeader);
+        
assertTrue(authenticateHeader.startsWith(StandardAuthenticationEntryPoint.BEARER_HEADER),
 "Bearer header not found");
+        
assertTrue(authenticateHeader.contains(StandardAuthenticationEntryPoint.EXPIRED_JWT),
 "Header error message not found");
+
+        final Cookie cookie = 
response.getCookie(ApplicationCookieName.AUTHORIZATION_BEARER.getCookieName());
+        assertNull(cookie);
+
+        final String content = response.getContentAsString();
+        assertEquals(StandardAuthenticationEntryPoint.SESSION_EXPIRED, 
content);
+    }
+
+    @Test
+    void testCommenceRemoveCookie() throws IOException {
         final AuthenticationException exception = new 
AuthenticationServiceException(FAILED);
 
         final Cookie cookie = new 
Cookie(ApplicationCookieName.AUTHORIZATION_BEARER.getCookieName(), 
BEARER_TOKEN);
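Review bot: testCommenceInvalidBearerTokenExceptionExpired constructs its exception from `StandardAuthenticationEntryPoint.EXPIRED_JWT`, so it confirms the suffix comparison in the entry point but not that the production path rejecting expired tokens actually emits a message ending in that text; a drift there would pass this test unnoticed, and only a test on that component (outside this diff) would catch it. The hunk also lacks a negative case for the same exception type: an `InvalidBearerTokenException` whose message does not end with `EXPIRED_JWT`, e.g. `new InvalidBearerTokenException(FAILED)`, should still produce the header-derived body, checked with `assertNotEquals(StandardAuthenticationEntryPoint.SESSION_EXPIRED, response.getContentAsString())`.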
@@ -117,7 +136,7 @@ class StandardAuthenticationEntryPointTest {
     }
 
     @Test
-    void testCommenceRemoveCookieForwardedPath() throws ServletException, 
IOException {
+    void testCommenceRemoveCookieForwardedPath() throws IOException {
         final AuthenticationException exception = new 
AuthenticationServiceException(FAILED);
 
         final ServletContext servletContext = request.getServletContext();
