This is an automated email from the ASF dual-hosted git repository.
janhoy pushed a commit to branch branch_9_0
in repository https://gitbox.apache.org/repos/asf/solr.git
The following commit(s) were added to refs/heads/branch_9_0 by this push:
new 4608c5d SOLR-16090 Better error message when JWT auth
SIGNATURE_INVALID during token parsing (#737)
4608c5d is described below
commit 4608c5d6bb66a614b3e1bf2a7a5c47abf97e13a5
Author: Jan Høydahl <[email protected]>
AuthorDate: Fri Mar 11 13:11:43 2022 +0100
SOLR-16090 Better error message when JWT auth SIGNATURE_INVALID during
token parsing (#737)
(cherry picked from commit cf27e77daf3bd425cbd9c1b8ee7607357432a3be)
---
solr/CHANGES.txt | 2 ++
.../apache/solr/security/jwt/JWTAuthPlugin.java | 37 ++++++++++++----------
2 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 82d71e2..90fd96c 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -629,6 +629,8 @@ Bug Fixes
* SOLR-15983: Fix ClassCastException in UpdateLog$LogReplayer.doReplay.
(Christine Poerschke, David Smiley)
+* SOLR-16090: Better error message when JWT auth SIGNATURE_INVALID during
token parsing (janhoy)
+
* SOLR-15333: Reduced spurious warn logging by
AbstractSpatialPrefixTreeFieldType field properties (Steffen Moldenhauer, David
Smiley, Mike Drob)
* SOLR-16009: Force Calcite's Rel simplify config flag to false to avoid
erasing filters that are meaningful to Solr,
diff --git
a/solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java
b/solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java
index 83fcb48..0b46806 100644
---
a/solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java
+++
b/solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java
@@ -405,24 +405,29 @@ public class JWTAuthPlugin extends AuthenticationPlugin
String exceptionMessage =
authResponse.getJwtException() != null ?
authResponse.getJwtException().getMessage() : "";
if (AuthCode.SIGNATURE_INVALID.equals(authResponse.getAuthCode())) {
- String issuer = jwtConsumer.processToClaims(header).getIssuer();
- if (issuer != null) {
- Optional<JWTIssuerConfig> issuerConfig =
- issuerConfigs.stream().filter(ic ->
issuer.equals(ic.getIss())).findFirst();
- if (issuerConfig.isPresent() && issuerConfig.get().usesHttpsJwk()) {
- log.info(
- "Signature validation failed for issuer {}. Refreshing JWKs from
IdP before trying again: {}",
- issuer,
- exceptionMessage);
- for (HttpsJwks httpsJwks : issuerConfig.get().getHttpsJwks()) {
- httpsJwks.refresh();
+ String jwt = parseAuthorizationHeader(header);
+ try {
+ String issuer = jwtConsumer.processToClaims(jwt).getIssuer();
+ if (issuer != null) {
+ Optional<JWTIssuerConfig> issuerConfig =
+ issuerConfigs.stream().filter(ic ->
issuer.equals(ic.getIss())).findFirst();
+ if (issuerConfig.isPresent() && issuerConfig.get().usesHttpsJwk()) {
+ log.info(
+ "Signature validation failed for issuer {}. Refreshing JWKs
from IdP before trying again: {}",
+ issuer,
+ exceptionMessage);
+ for (HttpsJwks httpsJwks : issuerConfig.get().getHttpsJwks()) {
+ httpsJwks.refresh();
+ }
+ authResponse = authenticate(header); // Retry
+ exceptionMessage =
+ authResponse.getJwtException() != null
+ ? authResponse.getJwtException().getMessage()
+ : "";
}
- authResponse = authenticate(header); // Retry
- exceptionMessage =
- authResponse.getJwtException() != null
- ? authResponse.getJwtException().getMessage()
- : "";
}
+ } catch (InvalidJwtException ex) {
+ /* ignored */
}
}
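Review bot: The issuer lookup at `jwtConsumer.processToClaims(jwt)` appears to run the same verifying consumer that just reported SIGNATURE_INVALID, so for the very token this branch exists for it will most likely throw InvalidJwtException again, land in the new `/* ignored */` catch, and the JWKS refresh and retry below never execute — the wrapped-message bug is gone but the refresh path looks dead. Extracting the issuer with a non-verifying jose4j consumer (signature verification and validators skipped) keeps the intent safely, because the unverified `iss` is only used to select an already-configured issuer and the retried `authenticate(header)` still performs full verification. The catch should also log rather than stay empty, e.g. `log.debug("Could not read issuer from unverified JWT: {}", ex.getMessage());`, so an operator can tell why no refresh was attempted. Note too that this refresh is triggered by an unauthenticated caller presenting a bad signature; unless HttpsJwks' own refresh throttling covers it, that is an attacker-controllable outbound fetch against the IdP and worth rate-limiting. The enclosing method starts before this hunk.
```java
        String jwt = parseAuthorizationHeader(header);
        try {
          // The token already failed signature verification, so the verifying
          // consumer would throw again here. Read 'iss' without verification;
          // it only selects a configured issuer and the retry below re-verifies.
          JwtConsumer unverifiedConsumer =
              new JwtConsumerBuilder()
                  .setSkipAllValidators()
                  .setDisableRequireSignature()
                  .setSkipSignatureVerification()
                  .build();
          String issuer = unverifiedConsumer.processToClaims(jwt).getIssuer();
          // … unchanged: issuerConfig lookup, JWKS refresh, retry …
        } catch (InvalidJwtException ex) {
          log.debug("Could not read issuer from unverified JWT: {}", ex.getMessage());
        }
```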