[ https://issues.apache.org/jira/browse/KNOX-2898?focusedWorklogId=864678&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-864678 ]
ASF GitHub Bot logged work on KNOX-2898: ---------------------------------------- Author: ASF GitHub Bot Created on: 09/Jun/23 11:47 Start Date: 09/Jun/23 11:47 Worklog Time Spent: 10m Work Description: zeroflag merged PR #756: URL: https://github.com/apache/knox/pull/756 Issue Time Tracking ------------------- Worklog Id: (was: 864678) Time Spent: 20m (was: 10m) > Reconsider the usage of sso.unauthenticated.path.list > ----------------------------------------------------- > > Key: KNOX-2898 > URL: https://issues.apache.org/jira/browse/KNOX-2898 > Project: Apache Knox > Issue Type: Task > Reporter: Attila Magyar > Assignee: Attila Magyar > Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > We have a property for URLs which are bypassed by the authentication. E.g.: > /favicon.ico can be accessed through knox without authentication. > <param> > <name>sso.unauthenticated.path.list</name> > <value>/favicon.ico;test;unsafepath</value> > </param> > This works and gives HTTP 200 with the content of the icon. > $ curl -kv https://localhost:8443/gateway/cdp-proxy/favicon.ico > However if a hadoop-jwt is specificed but it is invalid (either it's expired > or malformed) > $ curl --cookie "hadoop-jwt=invalid" -kv > https://c3235-node4.coelab.cloudera.com:8443/gateway/cdp-proxy/favicon.ico > Then the user is going to be redirected with the login page, because the > unauthenticated path list is only checked there are no sso cookies. > if (ssoCookies.isEmpty()) { // <= we're checking only ssoCookies is empty > /* check for unauthenticated paths to bypass */ > if (requestHasUnauthenticatedPath(request)) { > /* This path is configured as an unauthenticated path let the request > through */ > final Subject sub = new Subject(); > sub.getPrincipals().add(new PrimaryPrincipal("anonymous")); > LOGGER.unauthenticatedPathBypass(req.getRequestURI(), > unAuthenticatedPaths.toString()); > continueWithEstablishedSecurityContext(sub, req, res, chain); > } > We might need to move this check out do it regardless if there are sso > cookies or not. -- This message was sent by Atlassian Jira (v8.20.10#820010)