nxverma commented on a change in pull request #216: KNOX-2149 -
JWTTokenProvider - JWT verification with OIDC provider by invoking JWKS
verification url
URL: https://github.com/apache/knox/pull/216#discussion_r357938406
##########
File path:
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTFederationFilter.java
##########
@@ -75,41 +102,92 @@ public void destroy() {
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain)
throws IOException, ServletException {
String header = ((HttpServletRequest) request).getHeader("Authorization");
+ String header_hive = ((HttpServletRequest)
request).getHeader("HiveAuthToken");
String wireToken;
if (header != null && header.startsWith(BEARER)) {
- // what follows the bearer designator should be the JWT token being used
to request or as an access token
+ // what follows the bearer designator should be the JWT token being used
to
+ // request or as an access token
wireToken = header.substring(BEARER.length());
- }
- else {
+ } else if (header_hive != null) {
+ // what follows the bearer designator should be the JWT token being used
to
+ // request or as an access token in hive beeeline
+ wireToken = header_hive;
+ } else {
// check for query param
wireToken = request.getParameter(paramName);
}
- if (wireToken != null) {
- try {
- JWT token = new JWTToken(wireToken);
- if (validateToken((HttpServletRequest)request,
(HttpServletResponse)response, chain, token)) {
- Subject subject = createSubjectFromToken(token);
- continueWithEstablishedSecurityContext(subject,
(HttpServletRequest)request, (HttpServletResponse)response, chain);
+ if (wireToken != null && !wireToken.isEmpty()) {
+ // validate JWT token with JWT Issuer
+ validateJWTtoken(wireToken, request, response, chain);
+ } else {
+ // no token provided in header
+ ((HttpServletResponse)
response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
+ }
+
+ }
+
+ /**
+ * @param wireToken
+ * @param request
+ * @param response
+ * @param chain
+ * @throws IOException
+ */
+ private void validateJWTtoken(String wireToken, ServletRequest request,
ServletResponse response, FilterChain chain)
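Review bot: The comment on the new `HiveAuthToken` branch is copied from the Bearer branch and does not describe it — there is no bearer designator on that header, the whole header value is taken as the token (`wireToken = header_hive;`), so it should read something like `// HiveAuthToken carries the raw JWT with no scheme prefix (sent by Hive Beeline)`. The local `header_hive` breaks the file's lowerCamelCase convention and the header name is an inline literal unlike `BEARER`; `private static final String HIVE_AUTH_TOKEN_HEADER = "HiveAuthToken";` and `String hiveHeader = ((HttpServletRequest) request).getHeader(HIVE_AUTH_TOKEN_HEADER);` would also make it explicit that a second credential-bearing header is now accepted, which anyone auditing or stripping credential headers at the edge needs to see. Because the branch tests only `header_hive != null`, a present-but-empty header shadows a token supplied via `paramName` and ends in the 401 branch; `} else if (header_hive != null && !header_hive.isEmpty()) {` preserves the query-param fallback. The Javadoc added for `validateJWTtoken` lists `@param`/`@throws` tags with no text; fill them in (what `wireToken` is expected to hold and what the method does when validation fails) — the method body lies outside this hunk, so the wording should be checked against it.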
Review comment:
Moved all JWT token validation code into the ValidToken method.