[ https://issues.apache.org/jira/browse/HADOOP-10301?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13893657#comment-13893657 ]

Daryn Sharp commented on HADOOP-10301:
--------------------------------------

Sigh.  Nothing is ever as easy as it seems.

I first was going to specifically check if response.status=401 and 
!response.containsHeader(WWW-Authenticate).  HttpResponse appears to let you 
set the status, but not query it...  So I fell back to checking errCode=401 and 
!response.containsHeader(WWW-Authenticate).  Now all the mocked unit tests fail 
because they don't persist any state from the response.setHeader, so 
containsHeader always returns false. :|

So, I can:
# Try to change the unit tests and hope other projects' tests don't break.
# Call it a day and unblock 2.3 because I can't find an existing code path that 
will cause an illegal 401.

If you agree with #2, we really should file another jira to clean up the filter 
+ handler interactions.  Among other things, the auth cookie should exclusively 
be a feature of the auth filter.  Auth handlers shouldn't know anything about 
cookies.  That should make the logic much simpler and easier to enforce proper 
auth handler behavior, but it's too much for me to do right now.

> AuthenticationFilter should return Forbidden for failed authentication
> ----------------------------------------------------------------------
>
>                 Key: HADOOP-10301
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10301
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HADOOP-10301.branch-23.patch, 
> HADOOP-10301.branch-23.patch, HADOOP-10301.patch, HADOOP-10301.patch
>
>
> The hadoop-auth AuthenticationFilter returns a 401 Unauthorized without a 
> WWW-Authenticate header.  This is illegal per the HTTP RPC and causes a NPE 
> in the HttpUrlConnection.
> This is half of a fix that affects webhdfs.  See HDFS-4564.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
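
The check discussed in the comment above, sketched as a servlet response wrapper. This is an added example, not part of the original message and not Hadoop's code; the class name `ChallengeCheckingResponse` and the helper `legalStatus` are hypothetical. It records header names itself, so the 401 test does not depend on the wrapped (or mocked) response persisting `setHeader` state, and it assumes the filter reports failures through `sendError`.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Hypothetical wrapper: never lets a 401 leave without a WWW-Authenticate challenge. */
public class ChallengeCheckingResponse extends HttpServletResponseWrapper {
  private static final String WWW_AUTHENTICATE = "WWW-Authenticate";
  // Header names seen so far, lower-cased because HTTP header names are case-insensitive.
  private final Set<String> headerNames = new HashSet<String>();

  public ChallengeCheckingResponse(HttpServletResponse response) {
    super(response);
  }

  @Override
  public void setHeader(String name, String value) {
    headerNames.add(name.toLowerCase(Locale.ROOT));
    super.setHeader(name, value);
  }

  @Override
  public void addHeader(String name, String value) {
    headerNames.add(name.toLowerCase(Locale.ROOT));
    super.addHeader(name, value);
  }

  @Override
  public boolean containsHeader(String name) {
    // Answer from our own record first; a stateless mock would always say false.
    return headerNames.contains(name.toLowerCase(Locale.ROOT)) || super.containsHeader(name);
  }

  /** A 401 is only legal with a challenge; without one, report 403 Forbidden instead. */
  static int legalStatus(int errCode, boolean hasChallenge) {
    if (errCode == HttpServletResponse.SC_UNAUTHORIZED && !hasChallenge) {
      return HttpServletResponse.SC_FORBIDDEN;
    }
    return errCode;
  }

  @Override
  public void sendError(int errCode, String msg) throws IOException {
    super.sendError(legalStatus(errCode, containsHeader(WWW_AUTHENTICATE)), msg);
  }

  @Override
  public void sendError(int errCode) throws IOException {
    super.sendError(legalStatus(errCode, containsHeader(WWW_AUTHENTICATE)));
  }
}
```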
