[
https://issues.apache.org/jira/browse/KNOX-2413?focusedWorklogId=464786&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-464786
]
ASF GitHub Bot logged work on KNOX-2413:
----------------------------------------
Author: ASF GitHub Bot
Created on: 30/Jul/20 23:12
Start Date: 30/Jul/20 23:12
Worklog Time Spent: 10m
Work Description: lmccay commented on a change in pull request #367:
URL: https://github.com/apache/knox/pull/367#discussion_r463320044
##########
File path:
gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java
##########
@@ -116,11 +125,34 @@ public void init(FilterConfig filterConfig) throws
ServletException {
}
super.init(filterConfig);
+
+ final String supportJwt = filterConfig.getInitParameter(SUPPORT_JWT);
+ final boolean jwtSupported = Boolean.parseBoolean(supportJwt == null ?
"false" : supportJwt);
+ if (jwtSupported) {
+ jwtFilter = new JWTFederationFilter();
+ ((GatewayFilter.Holder)filterConfig).removeParamPrefix(JWT_PREFIX);
+ jwtFilter.init(filterConfig);
+ LOG.initializedJwtFilter();
+ }
}
@Override
- protected void doFilter(FilterChain filterChain, HttpServletRequest request,
- HttpServletResponse response) throws IOException,
ServletException {
+ public void doFilter(ServletRequest request, ServletResponse response,
FilterChain filterChain) throws IOException, ServletException {
+ if (shouldUseJwtFilter(jwtFilter, filterChain, (HttpServletRequest)
request, (HttpServletResponse) response)) {
Review comment:
It seems like a client with the intent to use JWT that sends an expired
token will end up with a kerberos challenge here. I can imagine argument for
both sides of this but I think that we probably want to allow the JWT
validation failure be reflected in the response rather than falling back to
kerberos.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 464786)
Time Spent: 20m (was: 10m)
> Add JWT support for HadoopAuth provider
> ---------------------------------------
>
> Key: KNOX-2413
> URL: https://issues.apache.org/jira/browse/KNOX-2413
> Project: Apache Knox
> Issue Type: New Feature
> Components: Server
> Affects Versions: 1.5.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 1.5.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> There is a need for adding JWT support in the HadoopAuth security provider as
> follows: if the incoming request has a valid JWT token (as a {{bearer}}
> token) extracted from the {{Authorization}} header the request is then
> processed on behalf of the user represented by the JWT token (using the
> existing JWT federation provider). If there is no _valid_ JWT token, the
> {{HadoopAuth}} authentication filter should do its job as it does today.
> The ability to implement a general composite authentication provider is
> discussed in KNOX-2411, but we agreed that such a provider would need more
> planning and maybe a KIP so that this feature should be targeted in a
> separate JIRA.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)