risdenk commented on a change in pull request #216: KNOX-2149 - 
JWTTokenProvider - JWT verification with OIDC provider by invoking JWKS 
verification url
URL: https://github.com/apache/knox/pull/216#discussion_r357931909
 
 

 ##########
 File path: 
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
 ##########
 @@ -75,41 +102,92 @@ public void destroy() {
   public void doFilter(ServletRequest request, ServletResponse response, 
FilterChain chain)
       throws IOException, ServletException {
     String header = ((HttpServletRequest) request).getHeader("Authorization");
+    String header_hive = ((HttpServletRequest) 
request).getHeader("HiveAuthToken");
     String wireToken;
     if (header != null && header.startsWith(BEARER)) {
-      // what follows the bearer designator should be the JWT token being used 
to request or as an access token
+      // what follows the bearer designator should be the JWT token being used 
to
+      // request or as an access token
       wireToken = header.substring(BEARER.length());
-    }
-    else {
+    } else if (header_hive != null) {
+      // what follows the bearer designator should be the JWT token being used 
to
+      // request or as an access token in hive beeeline
+      wireToken = header_hive;
+    } else {
       // check for query param
       wireToken = request.getParameter(paramName);
     }
 
-    if (wireToken != null) {
-      try {
-        JWT token = new JWTToken(wireToken);
-        if (validateToken((HttpServletRequest)request, 
(HttpServletResponse)response, chain, token)) {
-          Subject subject = createSubjectFromToken(token);
-          continueWithEstablishedSecurityContext(subject, 
(HttpServletRequest)request, (HttpServletResponse)response, chain);
+    if (wireToken != null && !wireToken.isEmpty()) {
+      // validate JWT token with JWT Issuer
+      validateJWTtoken(wireToken, request, response, chain);
+    } else {
+      // no token provided in header
+      ((HttpServletResponse) 
response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
+    }
+
+  }
+
+  /**
+   * @param wireToken
+   * @param request
+   * @param response
+   * @param chain
+   * @throws IOException
+   */
+  private void validateJWTtoken(String wireToken, ServletRequest request, 
ServletResponse response, FilterChain chain)
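Review bot: The comment on the new `HiveAuthToken` branch was copied from the Bearer branch and describes something this branch does not do — there is no bearer designator to strip here, the header value is assigned to `wireToken` verbatim. Replace it with `// HiveAuthToken carries the raw JWT (no Bearer prefix), as sent by Hive beeline`, so a reader does not expect a prefix check that is not there. The Javadoc added for `validateJWTtoken` is an empty stub: each `@param` needs a description (e.g. `@param wireToken the JWT as received from the header or query parameter`), and the summary sentence should say that the method answers the request itself (sends an error or continues the chain) rather than returning a verdict, which is what the bare call at the `if` implies. `header_hive` also breaks the file's lowerCamelCase convention; `hiveHeader` would match `header` beside it. Note that `validateJWTtoken`'s body, and the old no-token path it replaces, lie outside this hunk.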
 
 Review comment:
   This whole method should not be here and should be combined with 
`validateToken` somehow instead of delegating to it.
