Posted to dev@knox.apache.org by GitBox <gi...@apache.org> on 2020/07/30 23:12:36 UTC

[GitHub] [knox] lmccay commented on a change in pull request #367: KNOX-2413 - Added JWT support in HadoopAuth provider

lmccay commented on a change in pull request #367:
URL: https://github.com/apache/knox/pull/367#discussion_r463320044



##########
File path: gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java
##########
@@ -116,11 +125,34 @@ public void init(FilterConfig filterConfig) throws ServletException {
     }
 
     super.init(filterConfig);
+
+    final String supportJwt = filterConfig.getInitParameter(SUPPORT_JWT);
+    final boolean jwtSupported = Boolean.parseBoolean(supportJwt == null ? "false" : supportJwt);
+    if (jwtSupported) {
+      jwtFilter = new JWTFederationFilter();
+      ((GatewayFilter.Holder)filterConfig).removeParamPrefix(JWT_PREFIX);
+      jwtFilter.init(filterConfig);
+      LOG.initializedJwtFilter();
+    }
   }
 
   @Override
-  protected void doFilter(FilterChain filterChain, HttpServletRequest request,
-                          HttpServletResponse response) throws IOException, ServletException {
+  public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
+    if (shouldUseJwtFilter(jwtFilter, filterChain, (HttpServletRequest) request, (HttpServletResponse) response)) {
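
Review bot: The cast `((GatewayFilter.Holder)filterConfig)` in init() is unchecked, so a FilterConfig that is not a GatewayFilter.Holder aborts filter initialization with a ClassCastException instead of a clear configuration error. Guard it with an instanceof check and throw a ServletException that names SUPPORT_JWT as the setting that requires the holder. The same applies to the `(HttpServletRequest) request` and `(HttpServletResponse) response` casts in the new public doFilter, which now accepts plain ServletRequest/ServletResponse. Minor: Boolean.parseBoolean already returns false for null, so the `supportJwt == null ? "false" : supportJwt` ternary can be dropped. A short comment on why removeParamPrefix(JWT_PREFIX) is called after super.init(filterConfig) rather than before would also help, since it changes the config object that is then handed to jwtFilter.init.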

Review comment:
       It seems like a client with the intent to use JWT that sends an expired token will end up with a Kerberos challenge here. I can imagine arguments for both sides of this, but I think that we probably want to allow the JWT validation failure to be reflected in the response rather than falling back to Kerberos.



