Repository: knox Updated Branches: refs/heads/master 3df51f870 -> 76770fbea
KNOX-1152 - Guard Against Missing Subject in Identity Assertion (Rick Kellogg via Kevin Risden) Signed-off-by: Kevin Risden <kris...@apache.org> Project: http://git-wip-us.apache.org/repos/asf/knox/repo Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/76770fbe Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/76770fbe Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/76770fbe Branch: refs/heads/master Commit: 76770fbea66c12f31674c13755374d65fe058b76 Parents: 3df51f8 Author: Kevin Risden <kris...@apache.org> Authored: Fri Oct 5 09:40:19 2018 -0400 Committer: Kevin Risden <kris...@apache.org> Committed: Fri Oct 19 21:59:05 2018 -0400 ---------------------------------------------------------------------- .../org/apache/knox/gateway/IdentityAsserterMessages.java | 2 ++ .../common/filter/AbstractIdentityAssertionFilter.java | 9 +++++++++ .../common/filter/CommonIdentityAssertionFilter.java | 9 +++++++++ 3 files changed, 20 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/knox/blob/76770fbe/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/IdentityAsserterMessages.java ----------------------------------------------------------------------
diff --git a/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/IdentityAsserterMessages.java b/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/IdentityAsserterMessages.java
index 451742d..f72e697 100644
--- a/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/IdentityAsserterMessages.java
+++ b/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/IdentityAsserterMessages.java
@@ -28,4 +28,6 @@ public interface IdentityAsserterMessages {
 @Message( level = MessageLevel.WARN, text = "Skipping unencodable parameter {0}={1}, {2}: {3}" )
 void skippingUnencodableParameter( String name, String value, String encoding, @StackTrace( level = MessageLevel.DEBUG ) Exception e );
+ @Message( level = MessageLevel.ERROR, text = "Required subject/identity not available. Check authentication/federation provider for proper configuration." )
+ void subjectNotAvailable();
 }
http://git-wip-us.apache.org/repos/asf/knox/blob/76770fbe/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/AbstractIdentityAssertionFilter.java ----------------------------------------------------------------------
diff --git a/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/AbstractIdentityAssertionFilter.java b/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/AbstractIdentityAssertionFilter.java
index ac09c0a..b2c1c07 100644
--- a/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/AbstractIdentityAssertionFilter.java
+++ b/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/AbstractIdentityAssertionFilter.java
@@ -34,6 +34,7 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletRequestWrapper;
+import org.apache.knox.gateway.IdentityAsserterMessages;
 import org.apache.knox.gateway.audit.api.Action;
 import org.apache.knox.gateway.audit.api.ActionOutcome;
 import org.apache.knox.gateway.audit.api.AuditService;
@@ -43,6 +44,7 @@ import org.apache.knox.gateway.audit.api.ResourceType;
 import org.apache.knox.gateway.audit.log4j.audit.AuditConstants;
 import org.apache.knox.gateway.filter.security.AbstractIdentityAssertionBase;
 import org.apache.knox.gateway.i18n.GatewaySpiResources;
+import org.apache.knox.gateway.i18n.messages.MessagesFactory;
 import org.apache.knox.gateway.i18n.resources.ResourcesFactory;
 import org.apache.knox.gateway.security.GroupPrincipal;
 import org.apache.knox.gateway.security.ImpersonatedPrincipal;
@@ -54,6 +56,8 @@ import org.apache.knox.gateway.security.PrimaryPrincipal;
 public abstract class AbstractIdentityAssertionFilter extends
 AbstractIdentityAssertionBase implements Filter {
+ private IdentityAsserterMessages LOG = MessagesFactory.get(IdentityAsserterMessages.class);
+
 private static final GatewaySpiResources RES = ResourcesFactory.get( GatewaySpiResources.class );
 private static AuditService auditService = AuditServiceFactory.getAuditService();
 private static Auditor auditor = auditService.getAuditor(
@@ -108,6 +112,11 @@ public abstract class AbstractIdentityAssertionFilter extends
 // look up the current Java Subject and assosciated group principals
 Subject currentSubject = Subject.getSubject(AccessController.getContext());
+ if (currentSubject == null) {
+ LOG.subjectNotAvailable();
+ throw new IllegalStateException("Required Subject Missing");
+ }
+
 Set<?> currentGroups = currentSubject.getPrincipals(GroupPrincipal.class);
 primaryPrincipal = (PrimaryPrincipal) currentSubject.getPrincipals(PrimaryPrincipal.class).toArray()[0];
http://git-wip-us.apache.org/repos/asf/knox/blob/76770fbe/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java ----------------------------------------------------------------------
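Review bot: The `LOG` field added in the `@@ -54,6 +56,8 @@` hunk is a mutable per-instance field with a constant-style name, while `RES` on the line below it is `private static final`. I would declare it the same way: `private static final IdentityAsserterMessages LOG = MessagesFactory.get(IdentityAsserterMessages.class);`. The identical field is added to CommonIdentityAssertionFilter in its `@@ -34,6 +36,8 @@` hunk and should get the same change.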
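Review bot: A Subject that is present but carries no PrimaryPrincipal still fails on the context line `currentSubject.getPrincipals(PrimaryPrincipal.class).toArray()[0]` right after the new guard in the `@@ -108,6 +112,11 @@` hunk, with an ArrayIndexOutOfBoundsException instead of the logged `subjectNotAvailable()` error. Since this filter asserts identity, I would treat an empty principal set the same as a missing Subject, e.g. `if (currentSubject == null || currentSubject.getPrincipals(PrimaryPrincipal.class).isEmpty()) {`. The enclosing method starts and ends outside the hunk, so whether a caller already guarantees a primary principal cannot be seen here.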
diff --git a/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java b/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java
index 16293c6..a143f27 100644
--- a/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java
+++ b/gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java
@@ -27,6 +27,8 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletRequestWrapper;
 import org.apache.commons.lang.ArrayUtils;
+import org.apache.knox.gateway.IdentityAsserterMessages;
+import org.apache.knox.gateway.i18n.messages.MessagesFactory;
 import org.apache.knox.gateway.security.principal.PrincipalMappingException;
 import org.apache.knox.gateway.security.principal.SimplePrincipalMapper;
@@ -34,6 +36,8 @@ import java.io.IOException;
 import java.security.AccessController;
 public class CommonIdentityAssertionFilter extends AbstractIdentityAssertionFilter {
+ private IdentityAsserterMessages LOG = MessagesFactory.get(IdentityAsserterMessages.class);
+
 private static final String GROUP_PRINCIPAL_MAPPING = "group.principal.mapping";
 private static final String PRINCIPAL_MAPPING = "principal.mapping";
 private SimplePrincipalMapper mapper = new SimplePrincipalMapper();
@@ -76,6 +80,11 @@ public class CommonIdentityAssertionFilter extends AbstractIdentityAssertionFilt
 throws IOException, ServletException {
 Subject subject = Subject.getSubject(AccessController.getContext());
+ if (subject == null) {
+ LOG.subjectNotAvailable();
+ throw new IllegalStateException("Required Subject Missing");
+ }
+
 String principalName = getPrincipalName(subject);
 String mappedPrincipalName = mapUserPrincipalBase(principalName);
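Review bot: The guard added to doFilter reports a missing Subject with an unchecked `IllegalStateException`, although the method declares `throws IOException, ServletException` and the condition is an authentication or provider-configuration failure on the request path rather than a programming error. How the gateway turns an uncaught runtime exception into a response is not visible in this hunk, so it is worth confirming that the client receives a plain error status without a stack trace. I would at least state the intent above the check, e.g. `// Fail closed: without an authenticated Subject no identity may be asserted downstream.`. The same four lines and message literal are added to AbstractIdentityAssertionFilter in this commit, so a shared helper in the base class would keep the two in step. doFilter's body continues outside the hunk.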