[jira] [Work logged] (KNOX-2898) Reconsider the usage of sso.unauthenticated.path.list

[ASF GitHub Bot (Jira)]

     [ 
https://issues.apache.org/jira/browse/KNOX-2898?focusedWorklogId=864678&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-864678
 ]

ASF GitHub Bot logged work on KNOX-2898:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 09/Jun/23 11:47
            Start Date: 09/Jun/23 11:47
    Worklog Time Spent: 10m 
      Work Description: zeroflag merged PR #756:
URL: https://github.com/apache/knox/pull/756




Issue Time Tracking
-------------------

    Worklog Id:     (was: 864678)
    Time Spent: 20m  (was: 10m)

> Reconsider the usage of sso.unauthenticated.path.list
> -----------------------------------------------------
>
>                 Key: KNOX-2898
>                 URL: https://issues.apache.org/jira/browse/KNOX-2898
>             Project: Apache Knox
>          Issue Type: Task
>            Reporter: Attila Magyar
>            Assignee: Attila Magyar
>            Priority: Major
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> We have a property for URLs which are bypassed by the authentication. E.g.: 
> /favicon.ico can be accessed through knox without authentication.
>            <param>
>               <name>sso.unauthenticated.path.list</name>
>               <value>/favicon.ico;test;unsafepath</value>
>            </param> 
> This works and gives HTTP 200 with the content of the icon.
> $ curl  -kv https://localhost:8443/gateway/cdp-proxy/favicon.ico
> However if a hadoop-jwt is specificed but it is invalid (either it's expired 
> or malformed)
> $ curl --cookie "hadoop-jwt=invalid" -kv 
> https://c3235-node4.coelab.cloudera.com:8443/gateway/cdp-proxy/favicon.ico
> Then the user is going to be redirected with the login page, because the 
> unauthenticated path list is only checked there are no sso cookies.
>     if (ssoCookies.isEmpty()) { // <= we're checking only ssoCookies is empty
>       /* check for unauthenticated paths to bypass */
>       if (requestHasUnauthenticatedPath(request)) {
>         /* This path is configured as an unauthenticated path let the request 
> through */
>         final Subject sub = new Subject();
>         sub.getPrincipals().add(new PrimaryPrincipal("anonymous"));
>         LOGGER.unauthenticatedPathBypass(req.getRequestURI(), 
> unAuthenticatedPaths.toString());
>         continueWithEstablishedSecurityContext(sub, req, res, chain);
>       }
> We might need to move this check out do it regardless if there are sso 
> cookies or not.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)