[
https://issues.apache.org/jira/browse/KNOX-2794?focusedWorklogId=803508&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-803508
]
ASF GitHub Bot logged work on KNOX-2794:
----------------------------------------
Author: ASF GitHub Bot
Created on: 25/Aug/22 08:28
Start Date: 25/Aug/22 08:28
Worklog Time Spent: 10m
Work Description: zeroflag commented on code in PR #623:
URL: https://github.com/apache/knox/pull/623#discussion_r954662416
##########
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTFederationFilter.java:
##########
@@ -229,6 +263,36 @@ private Pair<TokenType, String>
parseFromHTTPBasicCredentials(final String heade
return parsed;
}
+ /*
+ * Attempts to authenticate using session cookies.
+ */
+ private boolean authenticateWithCookies(HttpServletRequest request,
HttpServletResponse response, FilterChain chain)
+ throws NoValidCookiesException, ServletException, IOException {
+ final List<Cookie> relevantCookies =
CookieUtils.getCookiesForName(request, cookieName);
+ for (Cookie ssoCookie : relevantCookies) {
+ try {
+ final JWT token = new JWTToken(ssoCookie.getValue());
+ if (validateToken(request, response, chain, token)) {
+ final Subject subject = createSubjectFromToken(token);
+ continueWithEstablishedSecurityContext(subject, request, response,
chain);
+ // we found a valid cookie we don't need to keep checking anymore
+ return true;
+ }
+ } catch (ParseException | UnknownTokenException ignore) {
+ // Ignore the error since cookie was invalid
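Review bot: the empty `catch (ParseException | UnknownTokenException ignore)` at the end of the loop in `authenticateWithCookies` discards every malformed or unknown cookie without a trace, so a client that keeps presenting bad `cookieName` values leaves nothing for operators to see. Log the rejection at a low level with the exception type and the cookie name, but never `ssoCookie.getValue()`, since a candidate cookie may be a live bearer token. Separately, `validateToken(request, response, chain, token)` is handed the response inside the loop: if it can write an error to the response when it rejects a token, a later cookie that validates would continue the chain on a response that has already been written to, so it is worth confirming that the `false` path has no side effects.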
Review Comment:
We might need to consider logging this but otherwise LGTM
Issue Time Tracking
-------------------
Worklog Id: (was: 803508)
Time Spent: 0.5h (was: 20m)
> Add cookie auth support in JWT federation provider
> --------------------------------------------------
>
> Key: KNOX-2794
> URL: https://issues.apache.org/jira/browse/KNOX-2794
> Project: Apache Knox
> Issue Type: Sub-task
> Components: Server
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.0.0
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> Knox has authentication federation providers to check either a cookie
> ({{SSOCookieFederationFilter}}) or an HTTP header
> ({{JWTFederationFilter}}) for a JWT. However, it cannot do both in the
> same filter currently.
> We need to enhance the {{JWTFederationFilter}} to check first for a valid JWT
> in the {{hadoop-jwt}} cookie (cookie name should be configurable) or keep
> doing what it does today, use the {{Authorization}} HTTP header.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)