knox-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lmc...@apache.org
Subject knox git commit: KNOX-693 - KnoxSSO Token Expiration should be Optional
Date Wed, 16 Mar 2016 17:51:25 GMT
Repository: knox
Updated Branches:
  refs/heads/master 51194fbbe -> 7819df638


KNOX-693 - KnoxSSO Token Expiration should be Optional

Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/7819df63
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/7819df63
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/7819df63

Branch: refs/heads/master
Commit: 7819df6387a0726acae01f8f6942c7331d4a5420
Parents: 51194fb
Author: Larry McCay <lmccay@hortonworks.com>
Authored: Wed Mar 16 13:51:06 2016 -0400
Committer: Larry McCay <lmccay@hortonworks.com>
Committed: Wed Mar 16 13:51:06 2016 -0400

----------------------------------------------------------------------
 .../jwt/filter/SSOCookieFederationFilter.java   |  5 +++-
 .../impl/DefaultTokenAuthorityService.java      |  2 +-
 .../gateway/service/knoxsso/WebSSOResource.java | 13 ++++++++-
 .../token/impl/JWTProviderMessages.java         | 13 +++++++++
 .../services/security/token/impl/JWTToken.java  | 30 ++++++++++----------
 5 files changed, 45 insertions(+), 18 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/7819df63/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java
b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java
index 297e549..6286655 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java
@@ -136,7 +136,10 @@ public class SSOCookieFederationFilter implements Filter {
         verified = authority.verifyToken(token);
         if (verified) {
           Date expires = token.getExpiresDate();
-          if (expires != null && new Date().before(expires)) {
+          // if there is no expiration data then the lifecycle is tied entirely to
+          // the cookie validity - otherwise ensure that the current time is before
+          // the designated expiration time
+          if (expires == null || expires != null && new Date().before(expires)) {
             boolean audValid = validateAudiences(token);
             if (audValid) {
               Subject subject = createSubjectFromToken(token);

http://git-wip-us.apache.org/repos/asf/knox/blob/7819df63/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
index bd54956..368baff 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
@@ -111,7 +111,7 @@ public class DefaultTokenAuthorityService implements JWTokenAuthority,
Service {
     claimArray[1] = p.getName();
     claimArray[2] = null;
     if (expires == -1) {
-      claimArray[3] = Long.toString( ( System.currentTimeMillis() ) + 30000);
+      claimArray[3] = null;
     }
     else {
       claimArray[3] = String.valueOf(expires);

http://git-wip-us.apache.org/repos/asf/knox/blob/7819df63/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
----------------------------------------------------------------------
diff --git a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
index 1daa514..a56091e 100644
--- a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
+++ b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
@@ -166,7 +166,7 @@ public class WebSSOResource {
     Principal p = ((HttpServletRequest)request).getUserPrincipal();
 
     try {
-      JWT token = ts.issueToken(p, "RS256", System.currentTimeMillis() + tokenTTL);
+      JWT token = ts.issueToken(p, "RS256", getExpiry());
       // Coverity CID 1327959
       if( token != null ) {
         addJWTHadoopCookie( original, token );
@@ -208,6 +208,17 @@ public class WebSSOResource {
     return Response.seeOther(location).entity("{ \"redirectTo\" : " + original + " }").build();
   }
 
+  private long getExpiry() {
+    long expiry = 0l;
+    if (tokenTTL == -1) {
+      expiry = -1;
+    }
+    else {
+      expiry = System.currentTimeMillis() + tokenTTL;
+    }
+    return expiry;
+  }
+
   private void addJWTHadoopCookie(String original, JWT token) {
     log.addingJWTCookie(token.toString());
     Cookie c = new Cookie(JWT_COOKIE_NAME,  token.toString());

http://git-wip-us.apache.org/repos/asf/knox/blob/7819df63/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTProviderMessages.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTProviderMessages.java
b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTProviderMessages.java
index 1b0b1ee..cf3566c 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTProviderMessages.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTProviderMessages.java
@@ -17,11 +17,15 @@
  */
 package org.apache.hadoop.gateway.services.security.token.impl;
 
+import java.text.ParseException;
+
 import org.apache.hadoop.gateway.i18n.messages.Message;
 import org.apache.hadoop.gateway.i18n.messages.MessageLevel;
 import org.apache.hadoop.gateway.i18n.messages.Messages;
 import org.apache.hadoop.gateway.i18n.messages.StackTrace;
 
+import com.nimbusds.jose.JOSEException;
+
 /**
  *
  */
@@ -45,4 +49,13 @@ public interface JWTProviderMessages {
 
   @Message( level = MessageLevel.FATAL, text = "Unsupported encoding: {0}" )
   void unsupportedEncoding( @StackTrace( level = MessageLevel.DEBUG ) Exception e );
+
+  @Message( level = MessageLevel.ERROR, text = "Unable to parse JWT token: {0}" )
+  void unableToParseToken(ParseException e);
+
+  @Message( level = MessageLevel.ERROR, text = "Unable to sign JWT token: {0}" )
+  void unableToSignToken(JOSEException e);
+
+  @Message( level = MessageLevel.ERROR, text = "Unable to verify JWT token: {0}" )
+  void unableToVerifyToken(JOSEException e);
 }

http://git-wip-us.apache.org/repos/asf/knox/blob/7819df63/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java
b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java
index 4b1e2b0..e0090c7 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java
@@ -53,7 +53,7 @@ public class JWTToken implements JWT {
     try {
       jwt = SignedJWT.parse(serializedJWT);
     } catch (ParseException e) {
-      e.printStackTrace();
+      log.unableToParseToken(e);
     }
   }
 
@@ -70,12 +70,16 @@ public class JWTToken implements JWT {
       }
       audiences.add(claimsArray[2]);
     }
-    JWTClaimsSet claims = new JWTClaimsSet.Builder()
+    JWTClaimsSet claims = null;
+    JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder()
     .issuer(claimsArray[0])
     .subject(claimsArray[1])
-    .audience(audiences)
-    .expirationTime(new Date(Long.parseLong(claimsArray[3])))
-    .build();
+    .audience(audiences);
+    if(claimsArray[3] != null) {
+      builder = builder.expirationTime(new Date(Long.parseLong(claimsArray[3])));
+    }
+    
+    claims = builder.build();
 
     jwt = new SignedJWT(header, claims);
   }
@@ -100,7 +104,7 @@ public class JWTToken implements JWT {
       claims = (JWTClaimsSet) jwt.getJWTClaimsSet();
       c = claims.toJSONObject().toJSONString();
     } catch (ParseException e) {
-      e.printStackTrace();
+      log.unableToParseToken(e);
     }
     return c;
   }
@@ -160,8 +164,7 @@ public class JWTToken implements JWT {
     try {
       claim = jwt.getJWTClaimsSet().getStringClaim(claimName);
     } catch (ParseException e) {
-      // TODO Auto-generated catch block
-      e.printStackTrace();
+      log.unableToParseToken(e);
     }
     
     return claim;
@@ -209,8 +212,7 @@ public class JWTToken implements JWT {
     try {
       claims = jwt.getJWTClaimsSet().getStringArrayClaim(JWT.AUDIENCE);
     } catch (ParseException e) {
-      // TODO Auto-generated catch block
-      e.printStackTrace();
+      log.unableToParseToken(e);
     }
 
     return claims;
@@ -230,8 +232,7 @@ public class JWTToken implements JWT {
     try {
       date = jwt.getJWTClaimsSet().getExpirationTime();
     } catch (ParseException e) {
-      // TODO Auto-generated catch block
-      e.printStackTrace();
+      log.unableToParseToken(e);
     }
     return date;
   }
@@ -253,8 +254,7 @@ public class JWTToken implements JWT {
     try {
       jwt.sign(signer);
     } catch (JOSEException e) {
-      // TODO Auto-generated catch block
-      e.printStackTrace();
+      log.unableToSignToken(e);
     }
   }
 
@@ -269,7 +269,7 @@ public class JWTToken implements JWT {
       rc = jwt.verify(verifier);
     } catch (JOSEException e) {
       // TODO Auto-generated catch block
-      e.printStackTrace();
+      log.unableToVerifyToken(e);
     }
     
     return rc;


Mime
View raw message