lmccay commented on a change in pull request #367:
URL: https://github.com/apache/knox/pull/367#discussion_r463320044
##########
File path:
gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java
##########
@@ -116,11 +125,34 @@ public void init(FilterConfig filterConfig) throws
ServletException {
}
super.init(filterConfig);
+
+ final String supportJwt = filterConfig.getInitParameter(SUPPORT_JWT);
+ final boolean jwtSupported = Boolean.parseBoolean(supportJwt == null ?
"false" : supportJwt);
+ if (jwtSupported) {
+ jwtFilter = new JWTFederationFilter();
+ ((GatewayFilter.Holder)filterConfig).removeParamPrefix(JWT_PREFIX);
+ jwtFilter.init(filterConfig);
+ LOG.initializedJwtFilter();
+ }
}
@Override
- protected void doFilter(FilterChain filterChain, HttpServletRequest request,
- HttpServletResponse response) throws IOException,
ServletException {
+ public void doFilter(ServletRequest request, ServletResponse response,
FilterChain filterChain) throws IOException, ServletException {
+ if (shouldUseJwtFilter(jwtFilter, filterChain, (HttpServletRequest)
request, (HttpServletResponse) response)) {
Review comment:
It seems like a client with the intent to use JWT that sends an expired
token will end up with a kerberos challenge here. I can imagine argument for
both sides of this but I think that we probably want to allow the JWT
validation failure be reflected in the response rather than falling back to
kerberos.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]