knox-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lmc...@apache.org
Subject git commit: KNOX-220 Fix JWT Expiration Processing
Date Sat, 30 Nov 2013 18:07:44 GMT
Updated Branches:
  refs/heads/master 40abc86cd -> b5f302065


KNOX-220 Fix JWT Expiration Processing

Project: http://git-wip-us.apache.org/repos/asf/incubator-knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-knox/commit/b5f30206
Tree: http://git-wip-us.apache.org/repos/asf/incubator-knox/tree/b5f30206
Diff: http://git-wip-us.apache.org/repos/asf/incubator-knox/diff/b5f30206

Branch: refs/heads/master
Commit: b5f3020659fe082ae7b7ad63556ef468e764de4a
Parents: 40abc86
Author: Larry McCay <lmccay@hortonworks.com>
Authored: Sat Nov 30 13:07:28 2013 -0500
Committer: Larry McCay <lmccay@hortonworks.com>
Committed: Sat Nov 30 13:07:28 2013 -0500

----------------------------------------------------------------------
 .../provider/federation/jwt/JWTMessages.java    |  6 +++
 .../jwt/filter/AccessTokenFederationFilter.java | 49 +++++++++++---------
 .../filter/JWTAccessTokenAssertionFilter.java   |  2 +-
 .../impl/DefaultTokenAuthorityService.java      | 13 +++++-
 .../security/token/JWTokenAuthority.java        | 11 +++--
 5 files changed, 52 insertions(+), 29 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/b5f30206/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java
b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java
index 1f3b302..7438a25 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/JWTMessages.java
@@ -28,4 +28,10 @@ public interface JWTMessages {
 
   @Message( level = MessageLevel.INFO, text = "Failed to verify the token signature." )
   void failedToVerifyTokenSignature();
+
+  @Message( level = MessageLevel.INFO, text = "Access token has expired; a new one must be
acquired." )
+  void tokenHasExpired();
+
+  @Message( level = MessageLevel.INFO, text = "Expected Bearer token is missing." )
+  void missingBearerToken();
 }

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/b5f30206/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java
b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java
index e2856be..a4ac454 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java
@@ -36,6 +36,7 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
 import org.apache.hadoop.gateway.provider.federation.jwt.JWTMessages;
+import org.apache.hadoop.gateway.security.PrimaryPrincipal;
 import org.apache.hadoop.gateway.services.GatewayServices;
 import org.apache.hadoop.gateway.services.security.token.JWTokenAuthority;
 import org.apache.hadoop.gateway.services.security.token.impl.JWTToken;
@@ -64,32 +65,41 @@ public class AccessTokenFederationFilter implements Filter {
       JWTToken token = JWTToken.parseToken(wireToken);
       boolean verified = authority.verifyToken(token);
       if (verified) {
-        // TODO: validate expiration
-        // TODO: confirm that audience matches intended target
-        if (((HttpServletRequest) request).getRequestURL().indexOf(token.getAudience().toLowerCase())
!= -1) {
-          // TODO: verify that the user requesting access to the service/resource is authorized
for it - need scopes?
-          Subject subject = createSubjectFromToken(token);
-          continueWithEstablishedSecurityContext(subject, (HttpServletRequest)request, (HttpServletResponse)response,
chain);
+        long expires = Long.parseLong(token.getExpires());
+        if (expires > System.currentTimeMillis()) {
+          if (((HttpServletRequest) request).getRequestURL().indexOf(token.getAudience().toLowerCase())
!= -1) {
+            Subject subject = createSubjectFromToken(token);
+            continueWithEstablishedSecurityContext(subject, (HttpServletRequest)request,
(HttpServletResponse)response, chain);
+          }
+          else {
+            log.failedToValidateAudience();
+            sendUnauthorized(response);
+            return; // break the chain
+          }
         }
         else {
-          log.failedToValidateAudience();
-          ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
-          return; //break filter chain
+          log.tokenHasExpired();
+          sendUnauthorized(response);
+          return; // break the chain
         }
       }
       else {
         log.failedToVerifyTokenSignature();
-        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
-        return; //break filter chain
+        sendUnauthorized(response);
+        return; // break the chain
       }
     }
     else {
-      // no token provided in header
-      // TODO: may have to check cookie and url as well before sending error
-      ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
-      return; //break filter chain
+      log.missingBearerToken();
+      sendUnauthorized(response);
+      return; // break the chain
     }
   }
+
+  private void sendUnauthorized(ServletResponse response) throws IOException {
+    ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
+    return;
+  }
   
   private void continueWithEstablishedSecurityContext(Subject subject, final HttpServletRequest
request, final HttpServletResponse response, final FilterChain chain) throws IOException,
ServletException {
     try {
@@ -123,18 +133,13 @@ public class AccessTokenFederationFilter implements Filter {
 
     HashSet emptySet = new HashSet();
     Set<Principal> principals = new HashSet<Principal>();
-    Principal p = new Principal() {
-      @Override
-      public String getName() {
-        return principal;
-      }
-    };
+    Principal p = new PrimaryPrincipal(principal);
     principals.add(p);
     
 //        The newly constructed Sets check whether this Subject has been set read-only 
 //        before permitting subsequent modifications. The newly created Sets also prevent

 //        illegal modifications by ensuring that callers have sufficient permissions.
- //
+//
 //        To modify the Principals Set, the caller must have AuthPermission("modifyPrincipals").

 //        To modify the public credential Set, the caller must have AuthPermission("modifyPublicCredentials").

 //        To modify the private credential Set, the caller must have AuthPermission("modifyPrivateCredentials").

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/b5f30206/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
index 45d2b9d..f4d0ae8 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
@@ -132,7 +132,7 @@ public class JWTAccessTokenAssertionFilter extends AbstractIdentityAssertionFilt
         return principalName;
       }
     };
-    JWTToken token = authority.issueToken(p, serviceName, "RS256");
+    JWTToken token = authority.issueToken(p, serviceName, "RS256", expires);
     accessToken = token.toString();
     
     return accessToken;

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/b5f30206/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
index 21cef3f..b72912a 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
@@ -50,11 +50,15 @@ public class DefaultTokenAuthorityService implements JWTokenAuthority,
Service {
     return issueToken(p, null, algorithm);
   }
   
+  public JWTToken issueToken(Principal p, String audience, String algorithm) {
+    return issueToken(p, audience, algorithm, -1);
+  }
+  
   /* (non-Javadoc)
    * @see org.apache.hadoop.gateway.provider.federation.jwt.JWTokenAuthority#issueToken(java.security.Principal,
java.lang.String, java.lang.String)
    */
   @Override
-  public JWTToken issueToken(Principal p, String audience, String algorithm) {
+  public JWTToken issueToken(Principal p, String audience, String algorithm, long expires)
{
     String[] claimArray = new String[4];
     claimArray[0] = "HSSO";
     claimArray[1] = p.getName();
@@ -63,7 +67,12 @@ public class DefaultTokenAuthorityService implements JWTokenAuthority,
Service {
     }
     claimArray[2] = audience;
     // TODO: make the validity period configurable
-    claimArray[3] = Long.toString( ( System.currentTimeMillis()/1000 ) + 300);
+    if (expires == -1) {
+      claimArray[3] = Long.toString( ( System.currentTimeMillis() ) + 30000);
+    }
+    else {
+      claimArray[3] = String.valueOf(expires);
+    }
 
     JWTToken token = null;
     if ("RS256".equals(algorithm)) {

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/b5f30206/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/JWTokenAuthority.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/JWTokenAuthority.java
b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/JWTokenAuthority.java
index e603ff3..f2e4a3d 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/JWTokenAuthority.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/JWTokenAuthority.java
@@ -25,12 +25,15 @@ import org.apache.hadoop.gateway.services.security.token.impl.JWTToken;
 
 public interface JWTokenAuthority {
 
-  public abstract JWTToken issueToken(Subject subject, String algorithm);
+  JWTToken issueToken(Subject subject, String algorithm);
 
-  public abstract JWTToken issueToken(Principal p, String algorithm);
+  JWTToken issueToken(Principal p, String algorithm);
 
-  public abstract JWTToken issueToken(Principal p, String audience,
+  JWTToken issueToken(Principal p, String audience,
       String algorithm);
 
-  public abstract boolean verifyToken(JWTToken token);
+  boolean verifyToken(JWTToken token);
+
+  JWTToken issueToken(Principal p, String audience, String algorithm,
+      long expires);
 }
\ No newline at end of file


Mime
View raw message