Posted to commits@solr.apache.org by ja...@apache.org on 2022/03/11 12:22:33 UTC
[solr] branch branch_9x updated: SOLR-16090 Better error message when JWT auth SIGNATURE_INVALID during token parsing (#737)
This is an automated email from the ASF dual-hosted git repository.
janhoy pushed a commit to branch branch_9x
in repository https://gitbox.apache.org/repos/asf/solr.git
The following commit(s) were added to refs/heads/branch_9x by this push:
new dea7402 SOLR-16090 Better error message when JWT auth SIGNATURE_INVALID during token parsing (#737)
dea7402 is described below
commit dea7402e51bcb1d11ba65aca19deb9018a6a9a9e
Author: Jan Høydahl <ja...@users.noreply.github.com>
AuthorDate: Fri Mar 11 13:11:43 2022 +0100
SOLR-16090 Better error message when JWT auth SIGNATURE_INVALID during token parsing (#737)
(cherry picked from commit cf27e77daf3bd425cbd9c1b8ee7607357432a3be)
---
solr/CHANGES.txt | 2 ++
.../apache/solr/security/jwt/JWTAuthPlugin.java | 37 ++++++++++++----------
2 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index fc318db..b07e942 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -671,6 +671,8 @@ Bug Fixes
* SOLR-15983: Fix ClassCastException in UpdateLog$LogReplayer.doReplay. (Christine Poerschke, David Smiley)
+* SOLR-16090: Better error message when JWT auth SIGNATURE_INVALID during token parsing (janhoy)
+
* SOLR-15333: Reduced spurious warn logging by AbstractSpatialPrefixTreeFieldType field properties (Steffen Moldenhauer, David Smiley, Mike Drob)
================== 8.11.2 ==================
diff --git a/solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java b/solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java
index 83fcb48..0b46806 100644
--- a/solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java
+++ b/solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java
@@ -405,24 +405,29 @@ public class JWTAuthPlugin extends AuthenticationPlugin
String exceptionMessage =
authResponse.getJwtException() != null ? authResponse.getJwtException().getMessage() : "";
if (AuthCode.SIGNATURE_INVALID.equals(authResponse.getAuthCode())) {
- String issuer = jwtConsumer.processToClaims(header).getIssuer();
- if (issuer != null) {
- Optional<JWTIssuerConfig> issuerConfig =
- issuerConfigs.stream().filter(ic -> issuer.equals(ic.getIss())).findFirst();
- if (issuerConfig.isPresent() && issuerConfig.get().usesHttpsJwk()) {
- log.info(
- "Signature validation failed for issuer {}. Refreshing JWKs from IdP before trying again: {}",
- issuer,
- exceptionMessage);
- for (HttpsJwks httpsJwks : issuerConfig.get().getHttpsJwks()) {
- httpsJwks.refresh();
+ String jwt = parseAuthorizationHeader(header);
+ try {
+ String issuer = jwtConsumer.processToClaims(jwt).getIssuer();
+ if (issuer != null) {
+ Optional<JWTIssuerConfig> issuerConfig =
+ issuerConfigs.stream().filter(ic -> issuer.equals(ic.getIss())).findFirst();
+ if (issuerConfig.isPresent() && issuerConfig.get().usesHttpsJwk()) {
+ log.info(
+ "Signature validation failed for issuer {}. Refreshing JWKs from IdP before trying again: {}",
+ issuer,
+ exceptionMessage);
+ for (HttpsJwks httpsJwks : issuerConfig.get().getHttpsJwks()) {
+ httpsJwks.refresh();
+ }
+ authResponse = authenticate(header); // Retry
+ exceptionMessage =
+ authResponse.getJwtException() != null
+ ? authResponse.getJwtException().getMessage()
+ : "";
}
- authResponse = authenticate(header); // Retry
- exceptionMessage =
- authResponse.getJwtException() != null
- ? authResponse.getJwtException().getMessage()
- : "";
}
+ } catch (InvalidJwtException ex) {
+ /* ignored */
}
}
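Review bot: The new `catch (InvalidJwtException ex) { /* ignored */ }` at the end of the hunk drops the exception without any trace, so an operator reading the logs cannot tell whether the JWK refresh was skipped because the token could not even be parsed for its issuer; replace the bare comment with a debug-level log such as `log.debug("Could not extract issuer from token to refresh JWKs, original signature error stands: {}", ex.getMessage());` (the outer `exceptionMessage` from the first failure is still reported, so swallowing is otherwise acceptable as best-effort). Also, if `jwtConsumer` is the same consumer whose signature check just produced SIGNATURE_INVALID, `processToClaims(jwt)` will presumably throw again for the same reason and the refresh branch becomes unreachable; worth confirming that the consumer used here skips signature verification (its construction is outside the hunk). A null return from `parseAuthorizationHeader(header)` would likewise land in the catch rather than being handled explicitly, which a short null guard before the `try` would make clearer. The enclosing method continues outside the hunk.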