You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by eo...@apache.org on 2021/05/26 06:47:49 UTC
[pulsar] branch branch-2.6 updated: Disallow parsing of token with
none signature in authenticateToken (#9172)
This is an automated email from the ASF dual-hosted git repository.
eolivelli pushed a commit to branch branch-2.6
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/branch-2.6 by this push:
new 67e7e0c Disallow parsing of token with none signature in authenticateToken (#9172)
67e7e0c is described below
commit 67e7e0cd23157ebbc8c18f40ce0eb87f600dafb6
Author: Zixuan Liu <no...@gmail.com>
AuthorDate: Tue Feb 9 16:27:09 2021 +0800
Disallow parsing of token with none signature in authenticateToken (#9172)
Signed-off-by: Zixuan Liu <no...@gmail.com>
### Motivation
If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens (JWT), the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user (incl. admins).
### Modifications
- using `parseClaimsJws` instead of `parse`
`parseClaimsJws` can guarantees the correct security model for parsing signed JWTs.
(cherry picked from commit 71bc84164610ff15ff7c5747f923d09b57787e0a)
---
.../AuthenticationProviderToken.java | 4 +---
.../AuthenticationProviderTokenTest.java | 28 ++++++++++++++++++++++
2 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderToken.java b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderToken.java
index 66971e3..2c3e28c 100644
--- a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderToken.java
+++ b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderToken.java
@@ -164,9 +164,7 @@ public class AuthenticationProviderToken implements AuthenticationProvider {
@SuppressWarnings("unchecked")
private Jwt<?, Claims> authenticateToken(final String token) throws AuthenticationException {
try {
- Jwt<?, Claims> jwt = Jwts.parser()
- .setSigningKey(validationKey)
- .parse(token);
+ Jwt<?, Claims> jwt = Jwts.parserBuilder().setSigningKey(validationKey).build().parseClaimsJws(token);
if (audienceClaim != null) {
Object object = jwt.getBody().get(audienceClaim);
diff --git a/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/authentication/AuthenticationProviderTokenTest.java b/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/authentication/AuthenticationProviderTokenTest.java
index 60fa5f6..78e957b 100644
--- a/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/authentication/AuthenticationProviderTokenTest.java
+++ b/pulsar-broker-common/src/test/java/org/apache/pulsar/broker/authentication/AuthenticationProviderTokenTest.java
@@ -173,6 +173,34 @@ public class AuthenticationProviderTokenTest {
});
assertEquals(subject, SUBJECT);
+ /**
+ * HEADER:ALGORITHM & TOKEN TYPE
+ * {
+ * "alg": "none"
+ * }
+ * PAYLOAD:DATA
+ * {
+ * "sub": "test-user"
+ * }
+ */
+ String tokenWithNoneAlg = "eyJhbGciOiJub25lIn0.eyJzdWIiOiJ0ZXN0LXVzZXIifQ.";
+ try {
+ provider.authenticate(new AuthenticationDataSource() {
+ @Override
+ public boolean hasDataFromCommand() {
+ return true;
+ }
+
+ @Override
+ public String getCommandData() {
+ return tokenWithNoneAlg;
+ }
+ });
+ fail("Should have failed");
+ } catch (AuthenticationException e) {
+ // expected, Unsigned Claims JWTs are not supported.
+ }
+
// Expired token. This should be rejected by the authentication provider
String expiredToken = AuthTokenUtils.createToken(secretKey, SUBJECT,
Optional.of(new Date(System.currentTimeMillis() - TimeUnit.HOURS.toMillis(1))));