Posted to commits@knox.apache.org by lm...@apache.org on 2016/03/16 18:51:25 UTC
knox git commit: KNOX-693 - KnoxSSO Token Expiration should be
Optional
Repository: knox
Updated Branches:
refs/heads/master 51194fbbe -> 7819df638
KNOX-693 - KnoxSSO Token Expiration should be Optional
Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/7819df63
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/7819df63
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/7819df63
Branch: refs/heads/master
Commit: 7819df6387a0726acae01f8f6942c7331d4a5420
Parents: 51194fb
Author: Larry McCay <lm...@hortonworks.com>
Authored: Wed Mar 16 13:51:06 2016 -0400
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Wed Mar 16 13:51:06 2016 -0400
----------------------------------------------------------------------
.../jwt/filter/SSOCookieFederationFilter.java | 5 +++-
.../impl/DefaultTokenAuthorityService.java | 2 +-
.../gateway/service/knoxsso/WebSSOResource.java | 13 ++++++++-
.../token/impl/JWTProviderMessages.java | 13 +++++++++
.../services/security/token/impl/JWTToken.java | 30 ++++++++++----------
5 files changed, 45 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/7819df63/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java
index 297e549..6286655 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java
@@ -136,7 +136,10 @@ public class SSOCookieFederationFilter implements Filter {
verified = authority.verifyToken(token);
if (verified) {
Date expires = token.getExpiresDate();
- if (expires != null && new Date().before(expires)) {
+ // if there is no expiration data then the lifecycle is tied entirely to
+ // the cookie validity - otherwise ensure that the current time is before
+ // the designated expiration time
+ if (expires == null || expires != null && new Date().before(expires)) {
boolean audValid = validateAudiences(token);
if (audValid) {
Subject subject = createSubjectFromToken(token);
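Review bot: The new condition on line 42 contains a redundant test: once `expires == null` is false, `expires != null` is necessarily true, so `if (expires == null || new Date().before(expires)) {` expresses the same rule more readably. The comment's claim that the lifecycle is then "tied entirely to the cookie validity" holds only on the browser side; this filter verifies the bearer token itself, and a token carrying no exp claim is accepted here for as long as the signing key is valid, regardless of the cookie's max-age, so the gateway can no longer bound the token's lifetime. That trade-off should be stated in the comment (or a server-side maximum age enforced) so that operators who choose the no-expiration configuration understand what they give up. The enclosing method continues outside the hunk.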
http://git-wip-us.apache.org/repos/asf/knox/blob/7819df63/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
index bd54956..368baff 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
@@ -111,7 +111,7 @@ public class DefaultTokenAuthorityService implements JWTokenAuthority, Service {
claimArray[1] = p.getName();
claimArray[2] = null;
if (expires == -1) {
- claimArray[3] = Long.toString( ( System.currentTimeMillis() ) + 30000);
+ claimArray[3] = null;
}
else {
claimArray[3] = String.valueOf(expires);
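Review bot: The meaning of `-1` changes silently on line 57: it previously produced a 30-second token and now produces one with no exp claim at all, and nothing in the hunk documents the sentinel. Add a comment above the branch, `// expires == -1 means "no expiration": omit the exp claim rather than defaulting it`, and confirm that every caller of issueToken passing -1 really intends a non-expiring token, since the old default was the more conservative fallback. The method's signature and Javadoc are outside the hunk and should spell out the -1 contract as well.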
http://git-wip-us.apache.org/repos/asf/knox/blob/7819df63/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
----------------------------------------------------------------------
diff --git a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
index 1daa514..a56091e 100644
--- a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
+++ b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
@@ -166,7 +166,7 @@ public class WebSSOResource {
Principal p = ((HttpServletRequest)request).getUserPrincipal();
try {
- JWT token = ts.issueToken(p, "RS256", System.currentTimeMillis() + tokenTTL);
+ JWT token = ts.issueToken(p, "RS256", getExpiry());
// Coverity CID 1327959
if( token != null ) {
addJWTHadoopCookie( original, token );
@@ -208,6 +208,17 @@ public class WebSSOResource {
return Response.seeOther(location).entity("{ \"redirectTo\" : " + original + " }").build();
}
+ private long getExpiry() {
+ long expiry = 0l;
+ if (tokenTTL == -1) {
+ expiry = -1;
+ }
+ else {
+ expiry = System.currentTimeMillis() + tokenTTL;
+ }
+ return expiry;
+ }
+
private void addJWTHadoopCookie(String original, JWT token) {
log.addingJWTCookie(token.toString());
Cookie c = new Cookie(JWT_COOKIE_NAME, token.toString());
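Review bot: `getExpiry()` on lines 78–87 writes the literal as `0l` (lowercase L, easily misread as `01`) and then overwrites it in every branch; the method reduces to one expression, `return tokenTTL == -1 ? -1 : System.currentTimeMillis() + tokenTTL;`. A short Javadoc stating that -1 means the issued token carries no expiration claim (the convention `ts.issueToken` on line 71 relies on) would make the sentinel visible to readers of this class. The same -1 convention is what the first hunk of this file depends on.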
http://git-wip-us.apache.org/repos/asf/knox/blob/7819df63/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTProviderMessages.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTProviderMessages.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTProviderMessages.java
index 1b0b1ee..cf3566c 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTProviderMessages.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTProviderMessages.java
@@ -17,11 +17,15 @@
*/
package org.apache.hadoop.gateway.services.security.token.impl;
+import java.text.ParseException;
+
import org.apache.hadoop.gateway.i18n.messages.Message;
import org.apache.hadoop.gateway.i18n.messages.MessageLevel;
import org.apache.hadoop.gateway.i18n.messages.Messages;
import org.apache.hadoop.gateway.i18n.messages.StackTrace;
+import com.nimbusds.jose.JOSEException;
+
/**
*
*/
@@ -45,4 +49,13 @@ public interface JWTProviderMessages {
@Message( level = MessageLevel.FATAL, text = "Unsupported encoding: {0}" )
void unsupportedEncoding( @StackTrace( level = MessageLevel.DEBUG ) Exception e );
+
+ @Message( level = MessageLevel.ERROR, text = "Unable to parse JWT token: {0}" )
+ void unableToParseToken(ParseException e);
+
+ @Message( level = MessageLevel.ERROR, text = "Unable to sign JWT token: {0}" )
+ void unableToSignToken(JOSEException e);
+
+ @Message( level = MessageLevel.ERROR, text = "Unable to verify JWT token: {0}" )
+ void unableToVerifyToken(JOSEException e);
}
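Review bot: The three new message methods on lines 116–123 take an exception but do not annotate it with `@StackTrace`, unlike `unsupportedEncoding` on line 114, so only the exception's string form reaches the log and the trace that would explain a parse, signing or verification failure is lost. Declare them as `void unableToParseToken( @StackTrace( level = MessageLevel.DEBUG ) ParseException e );` and likewise for the two JOSEException variants. Failed verifications are exactly the events an operator will need to investigate, so keeping the trace available at debug level is worthwhile.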
http://git-wip-us.apache.org/repos/asf/knox/blob/7819df63/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java
index 4b1e2b0..e0090c7 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java
@@ -53,7 +53,7 @@ public class JWTToken implements JWT {
try {
jwt = SignedJWT.parse(serializedJWT);
} catch (ParseException e) {
- e.printStackTrace();
+ log.unableToParseToken(e);
}
}
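Review bot: After logging on line 136 the constructor carries on with `jwt` still null, so a caller that passed an unparseable serialized token receives a JWTToken whose other methods dereference null (the getters in the later hunks call `jwt.getJWTClaimsSet()` unguarded). Logging is an improvement over printStackTrace, but the failure should also be surfaced, for example `throw new IllegalArgumentException("Unable to parse JWT", e);` after the log call, so that an unparseable token can never be mistaken for a usable one. The constructor's signature is outside the hunk, so I cannot tell whether a checked exception is already declared.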
@@ -70,12 +70,16 @@ public class JWTToken implements JWT {
}
audiences.add(claimsArray[2]);
}
- JWTClaimsSet claims = new JWTClaimsSet.Builder()
+ JWTClaimsSet claims = null;
+ JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder()
.issuer(claimsArray[0])
.subject(claimsArray[1])
- .audience(audiences)
- .expirationTime(new Date(Long.parseLong(claimsArray[3])))
- .build();
+ .audience(audiences);
+ if(claimsArray[3] != null) {
+ builder = builder.expirationTime(new Date(Long.parseLong(claimsArray[3])));
+ }
+
+ claims = builder.build();
jwt = new SignedJWT(header, claims);
}
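Review bot: `JWTClaimsSet claims = null;` on line 144 is immediately overwritten on line 156; declare it at the point of use, `JWTClaimsSet claims = builder.build();`, and drop the null initialisation. A one-line comment on the guard at line 152, `// a null expiry means the caller asked for a token without an exp claim`, would tie this branch to the sentinel handling in DefaultTokenAuthorityService. `Long.parseLong(claimsArray[3])` still throws NumberFormatException on a malformed value; that is pre-existing and acceptable only while claimsArray is built by trusted code.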
@@ -100,7 +104,7 @@ public class JWTToken implements JWT {
claims = (JWTClaimsSet) jwt.getJWTClaimsSet();
c = claims.toJSONObject().toJSONString();
} catch (ParseException e) {
- e.printStackTrace();
+ log.unableToParseToken(e);
}
return c;
}
@@ -160,8 +164,7 @@ public class JWTToken implements JWT {
try {
claim = jwt.getJWTClaimsSet().getStringClaim(claimName);
} catch (ParseException e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
+ log.unableToParseToken(e);
}
return claim;
@@ -209,8 +212,7 @@ public class JWTToken implements JWT {
try {
claims = jwt.getJWTClaimsSet().getStringArrayClaim(JWT.AUDIENCE);
} catch (ParseException e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
+ log.unableToParseToken(e);
}
return claims;
@@ -230,8 +232,7 @@ public class JWTToken implements JWT {
try {
date = jwt.getJWTClaimsSet().getExpirationTime();
} catch (ParseException e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
+ log.unableToParseToken(e);
}
return date;
}
@@ -253,8 +254,7 @@ public class JWTToken implements JWT {
try {
jwt.sign(signer);
} catch (JOSEException e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
+ log.unableToSignToken(e);
}
}
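Review bot: A failed `jwt.sign(signer)` on line 198 is now logged but still not propagated, so the method returns normally and the caller has no way to know the token was never signed. Since a JOSEException from the signing library is not recoverable here, wrap and rethrow after the log call, e.g. `throw new IllegalStateException("JWT signing failed", e);`, so an unsigned token can never be handed out. The method's signature is outside the hunk; if it can declare a checked exception, rethrowing the JOSEException directly would be cleaner.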
@@ -269,7 +269,7 @@ public class JWTToken implements JWT {
rc = jwt.verify(verifier);
} catch (JOSEException e) {
// TODO Auto-generated catch block
- e.printStackTrace();
+ log.unableToVerifyToken(e);
}
return rc;
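Review bot: This hunk keeps the stale `// TODO Auto-generated catch block` comment on line 208 while the sibling hunks in this file removed theirs as part of the same printStackTrace replacement; delete it for consistency. The behaviour itself is right: `rc` stays false on a JOSEException, so a token whose signature cannot be checked is rejected rather than accepted. The method's signature is outside the hunk.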