Repository: zeppelin Updated Branches: refs/heads/branch-0.8 7f16c5d1e -> 3da7bd683
[ZEPPELIN-3311] Zeppelin should ask user to re-login after JWT cookie expires (KnoxJwtRealm) Zeppelin should ask user to re-login after JWT cookie expires. [Bug Fix] * [ZEPPELIN-3311](https://issues.apache.org/jira/browse/ZEPPELIN-3311) Steps to reproduce : 1) Enable SSO for zeppelin 2) Login to zeppelin using SSO. 3) Now wait till JWT expires(knoxsso.token.ttl under Advanced knoxsso-topology could be set to lower values to get a short lived cookie) 4) Refresh zeppelin. Zeppelin does not ask for re-login, even though the JWT has already expired and is no longer valid. * Does the licenses files need update? N/A * Is there breaking changes for older versions? N/A * Does this needs documentation? N/A Author: Prabhjyot Singh <prabhjyotsi...@gmail.com> Closes #2941 from prabhjyotsingh/ZEPPELIN-3311 and squashes the following commits: 0014d5ad8 [Prabhjyot Singh] ZEPPELIN-3311: Zeppelin should ask user to re-login after JWT cookie expires (KnoxJwtRealm) Change-Id: Ie113f6078974cf914d259fae3d2987cf8364d71c (cherry picked from commit 5632d2cd94b9ea8646ba5382be993598e2640a6f)
Signed-off-by: Renjith Kamath <rkam...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/3da7bd68
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/3da7bd68
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/3da7bd68
Branch: refs/heads/branch-0.8
Commit: 3da7bd68374b3cf7f092a8e164d77c2465a6aca2
Parents: 7f16c5d
Author: Prabhjyot Singh <prabhjyotsi...@gmail.com>
Authored: Tue Apr 24 15:42:55 2018 +0530
Committer: Renjith Kamath <rkam...@apache.org>
Committed: Wed Apr 25 14:44:30 2018 +0530
----------------------------------------------------------------------
.../apache/zeppelin/realm/jwt/KnoxJwtRealm.java | 40 +++++++++++++++++++-
1 file changed, 39 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/zeppelin/blob/3da7bd68/zeppelin-server/src/main/java/org/apache/zeppelin/realm/jwt/KnoxJwtRealm.java
----------------------------------------------------------------------
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/realm/jwt/KnoxJwtRealm.java b/zeppelin-server/src/main/java/org/apache/zeppelin/realm/jwt/KnoxJwtRealm.java
index a903e6e..d3a2759 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/realm/jwt/KnoxJwtRealm.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/realm/jwt/KnoxJwtRealm.java
@@ -30,6 +30,7 @@ import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.security.interfaces.RSAPublicKey;
 import java.text.ParseException;
+import java.util.Date;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
@@ -128,7 +129,17 @@ public class KnoxJwtRealm extends AuthorizingRealm {
 protected boolean validateToken(String token) {
 try {
 SignedJWT signed = SignedJWT.parse(token);
- return validateSignature(signed);
+ boolean sigValid = validateSignature(signed);
+ if (!sigValid) {
+ LOGGER.warn("Signature of JWT token could not be verified. Please check the public key");
+ return false;
+ }
+ boolean expValid = validateExpiration(signed);
+ if (!expValid) {
+ LOGGER.warn("Expiration time validation of JWT token failed.");
+ return false;
+ }
+ return true;
 } catch (ParseException ex) {
 LOGGER.info("ParseException in validateToken", ex);
 return false;
@@ -184,6 +195,33 @@ public class KnoxJwtRealm extends AuthorizingRealm {
 return valid;
 }
 
+ /**
+ * Validate that the expiration time of the JWT token has not been violated.
+ * If it has then throw an AuthenticationException. Override this method in
+ * subclasses in order to customize the expiration validation behavior.
+ *
+ * @param jwtToken
+ * the token that contains the expiration date to validate
+ * @return valid true if the token has not expired; false otherwise
+ */
+ protected boolean validateExpiration(SignedJWT jwtToken) {
+ boolean valid = false;
+ try {
+ Date expires = jwtToken.getJWTClaimsSet().getExpirationTime();
+ if (expires == null || new Date().before(expires)) {
+ if (LOGGER.isDebugEnabled()) {
+ LOGGER.debug("SSO token expiration date has been " + "successfully validated");
+ }
+ valid = true;
+ } else {
+ LOGGER.warn("SSO expiration date validation failed.");
+ }
+ } catch (ParseException pe) {
+ LOGGER.warn("SSO expiration date validation failed.", pe);
+ }
+ return valid;
+ }
+
 @Override
 protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
 Set<String> roles = mapGroupPrincipals(principals.toString());
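Review bot: `validateExpiration` accepts a token that carries no `exp` claim at all (`expires == null || new Date().before(expires)`), so a correctly signed JWT that simply omits the claim is honoured indefinitely — the same never-expiring-session outcome this commit sets out to close. Knox-issued tokens normally carry `exp`, but nothing in this realm can confirm the issuer's configuration, so I would reject the missing claim with `if (expires != null && new Date().before(expires))` and, if the deployment tolerates it, allow a small clock-skew margin rather than an exact `before` comparison. The Javadoc above the method says it throws an AuthenticationException on failure, but the method returns `false` and `validateToken` then logs and returns `false`; the contract line should read `@return true if the token has a future exp claim; false if the claim is missing, expired or the claims cannot be parsed`. An expired token is also logged twice on the warn level — once by `validateExpiration` ("SSO expiration date validation failed.") and again by `validateToken` ("Expiration time validation of JWT token failed.") — so one of the two warnings can be dropped; note that `validateToken`'s closing lines fall outside the first hunk.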