ramackri commented on code in PR #1081:
URL: https://github.com/apache/ranger/pull/1081#discussion_r3599956785
##########
ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerJwtAuthHandler.java:
##########
@@ -304,6 +311,43 @@ protected boolean validateIssuer(final SignedJWT jwtToken)
{
return valid;
}
+ /**
+ * Build non-sensitive JWT metadata for operational logs.
+ * Never log the raw bearer token; a one-way hash is included for
+ * correlation across log lines.
+ *
+ * @param jwtToken parsed JWT used to extract claim metadata
+ * @param serializedJwt original bearer string, hashed for correlation only
+ * @return safe diagnostic string for log output
+ */
+ protected String safeJwtLogContext(final SignedJWT jwtToken, final String
serializedJwt) {
+ try {
+ JWTClaimsSet claims = jwtToken.getJWTClaimsSet();
+ JWSHeader header = jwtToken.getHeader();
+ String keyId = header != null ? header.getKeyID() : null;
+ List<String> tokenAudiences = claims.getAudience();
+ String audience = tokenAudiences == null ||
tokenAudiences.isEmpty() ? null : StringUtils.join(tokenAudiences, ",");
+
+ return String.format("subject=%s, audience=%s, issuer=%s,
keyId=%s, jwtId=%s, tokenHash=%s", claims.getSubject(), audience,
claims.getIssuer(), keyId, claims.getJWTID(), sha256Hex(serializedJwt));
+ } catch (ParseException pe) {
+ return "claims_unparseable";
+ }
+ }
+
+ private static String sha256Hex(final String value) {
Review Comment:
Sure i will remove it
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]