[
https://issues.apache.org/jira/browse/KNOX-2898?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Attila Magyar updated KNOX-2898:
--------------------------------
Description:
We have a property for URLs which are bypassed by the authentication. E.g.:
/favicon.ico can be accessed through knox without authentication.
<param>
<name>sso.unauthenticated.path.list</name>
<value>/favicon.ico;test;unsafepath</value>
</param>
This works and gives HTTP 200 with the content of the icon.
$ curl -kv https://localhost:8443/gateway/cdp-proxy/favicon.ico
However if a hadoop-jwt is specificed but it is invalid (either it's expired or
malformed)
$ curl --cookie "hadoop-jwt=invalid" -kv
https://c3235-node4.coelab.cloudera.com:8443/gateway/cdp-proxy/favicon.ico
Then the user is going to be redirected with the login page, because the
unauthenticated path list is only checked there are no sso cookies.
if (ssoCookies.isEmpty()) { // <= we're checking only ssoCookies is empty
/* check for unauthenticated paths to bypass */
if (requestHasUnauthenticatedPath(request)) {
/* This path is configured as an unauthenticated path let the request
through */
final Subject sub = new Subject();
sub.getPrincipals().add(new PrimaryPrincipal("anonymous"));
LOGGER.unauthenticatedPathBypass(req.getRequestURI(),
unAuthenticatedPaths.toString());
continueWithEstablishedSecurityContext(sub, req, res, chain);
}
We might need to move this check out do it regardless if there are sso cookies
or not.
was:
We have a property for URLs which are bypassed by the authentication. E.g.:
/favicon.ico can be accessed through knox without authentication.
<param>
<name>sso.unauthenticated.path.list</name>
<value>/favicon.ico;test;unsafepath</value>
</param>
This works and gives HTTP 200 with the content of the icon.
$ curl -kv https://localhost:8443/gateway/cdp-proxy/favicon.ico
However if a hadoop-jwt is specificed which is invalid (either it's expired or
malformed)
$ curl --cookie "hadoop-jwt=invalid" -kv
https://c3235-node4.coelab.cloudera.com:8443/gateway/cdp-proxy/favicon.ico
Then the user is going to be redirected with the login page, because the
unauthenticated path list is only checked there are no sso cookies.
if (ssoCookies.isEmpty()) { // <= we're checking only ssoCookies is empty
/* check for unauthenticated paths to bypass */
if (requestHasUnauthenticatedPath(request)) {
/* This path is configured as an unauthenticated path let the request
through */
final Subject sub = new Subject();
sub.getPrincipals().add(new PrimaryPrincipal("anonymous"));
LOGGER.unauthenticatedPathBypass(req.getRequestURI(),
unAuthenticatedPaths.toString());
continueWithEstablishedSecurityContext(sub, req, res, chain);
}
We might need to move this check out do it regardless if there are sso cookies
or not.
> Reconsier the usage of sso.unauthenticated.path.list
> ----------------------------------------------------
>
> Key: KNOX-2898
> URL: https://issues.apache.org/jira/browse/KNOX-2898
> Project: Apache Knox
> Issue Type: Task
> Reporter: Attila Magyar
> Assignee: Attila Magyar
> Priority: Major
>
> We have a property for URLs which are bypassed by the authentication. E.g.:
> /favicon.ico can be accessed through knox without authentication.
> <param>
> <name>sso.unauthenticated.path.list</name>
> <value>/favicon.ico;test;unsafepath</value>
> </param>
> This works and gives HTTP 200 with the content of the icon.
> $ curl -kv https://localhost:8443/gateway/cdp-proxy/favicon.ico
> However if a hadoop-jwt is specificed but it is invalid (either it's expired
> or malformed)
> $ curl --cookie "hadoop-jwt=invalid" -kv
> https://c3235-node4.coelab.cloudera.com:8443/gateway/cdp-proxy/favicon.ico
> Then the user is going to be redirected with the login page, because the
> unauthenticated path list is only checked there are no sso cookies.
> if (ssoCookies.isEmpty()) { // <= we're checking only ssoCookies is empty
> /* check for unauthenticated paths to bypass */
> if (requestHasUnauthenticatedPath(request)) {
> /* This path is configured as an unauthenticated path let the request
> through */
> final Subject sub = new Subject();
> sub.getPrincipals().add(new PrimaryPrincipal("anonymous"));
> LOGGER.unauthenticatedPathBypass(req.getRequestURI(),
> unAuthenticatedPaths.toString());
> continueWithEstablishedSecurityContext(sub, req, res, chain);
> }
> We might need to move this check out do it regardless if there are sso
> cookies or not.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
