Posted to commits@knox.apache.org by am...@apache.org on 2023/06/09 11:47:44 UTC

[knox] branch master updated: KNOX-2898 - Reconsider the usage of sso.unauthenticated.path.list (#756)

This is an automated email from the ASF dual-hosted git repository.

amagyar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git


The following commit(s) were added to refs/heads/master by this push:
     new 1d65e691c KNOX-2898 - Reconsider the usage of sso.unauthenticated.path.list (#756)
1d65e691c is described below

commit 1d65e691c3b0627924bf541ec9f9dcfc40c6dc0e
Author: Attila Magyar <m....@gmail.com>
AuthorDate: Fri Jun 9 13:47:39 2023 +0200

    KNOX-2898 - Reconsider the usage of sso.unauthenticated.path.list (#756)
---
 .../jwt/filter/SSOCookieFederationFilter.java         | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java
index cf6767b6f..f1b86f50f 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java
@@ -134,17 +134,18 @@ public class SSOCookieFederationFilter extends AbstractJWTFilter {
     HttpServletRequest req = (HttpServletRequest) request;
     HttpServletResponse res = (HttpServletResponse) response;
 
+    /* check for unauthenticated paths to bypass */
+    if(AuthFilterUtils.doesRequestContainUnauthPath(unAuthenticatedPaths, request)) {
+      /* This path is configured as an unauthenticated path let the request through */
+      final Subject sub = new Subject();
+      sub.getPrincipals().add(new PrimaryPrincipal("anonymous"));
+      LOGGER.unauthenticatedPathBypass(req.getRequestURI(), unAuthenticatedPaths.toString());
+      continueWithEstablishedSecurityContext(sub, req, res, chain);
+      return;
+    }
+
     List<Cookie> ssoCookies = CookieUtils.getCookiesForName(req, cookieName);
     if (ssoCookies.isEmpty()) {
-      /* check for unauthenticated paths to bypass */
-      if(AuthFilterUtils.doesRequestContainUnauthPath(unAuthenticatedPaths, request)) {
-        /* This path is configured as an unauthenticated path let the request through */
-        final Subject sub = new Subject();
-        sub.getPrincipals().add(new PrimaryPrincipal("anonymous"));
-        LOGGER.unauthenticatedPathBypass(req.getRequestURI(), unAuthenticatedPaths.toString());
-        continueWithEstablishedSecurityContext(sub, req, res, chain);
-      }
-
       if ("OPTIONS".equals(req.getMethod())) {
         // CORS preflight requests to determine allowed origins and related config
         // must be able to continue without being redirected
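Review bot: With the bypass hoisted above the `CookieUtils.getCookiesForName` lookup, a request that carries a valid SSO cookie to a configured unauthenticated path is now served as the `anonymous` principal instead of the cookie's subject, which changes the identity that audit logging and downstream authorization see on those paths; if that is the intent, the comment in the hoisted block should state it, e.g. `/* Configured unauthenticated paths are always served as anonymous, even when a valid SSO cookie is present */`. Because the path check now gates every request rather than only cookie-less ones, the matching semantics of `AuthFilterUtils.doesRequestContainUnauthPath` (exact vs. prefix match, treatment of `..`, encoded separators and trailing slashes — not visible in this hunk) become the whole security boundary for those paths and deserve a test alongside this change. The log call also emits `unAuthenticatedPaths.toString()` on every bypassed request, which is noisy for a per-request path and could be logged once at init instead. The enclosing `doFilter` method continues past the end of the hunk.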