[ https://issues.apache.org/jira/browse/KNOX-2566?focusedWorklogId=575545&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-575545 ]
ASF GitHub Bot logged work on KNOX-2566:
----------------------------------------
Author: ASF GitHub Bot
Created on: 01/Apr/21 14:45
Start Date: 01/Apr/21 14:45
Worklog Time Spent: 10m
Work Description:
pzampino commented on a change in pull request #427:
URL: https://github.com/apache/knox/pull/427#discussion_r605715619

##########
File path: gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
##########
@@ -385,12 +387,18 @@ protected boolean validateToken(final HttpServletRequest request, if (tokenStateService != null) { try { - if (tokenIsStillValid(tokenId)) { - return true; + if (tokenId != null) { + if (tokenIsStillValid(tokenId)) { + return true; + } else { + log.tokenHasExpired(Tokens.getTokenIDDisplayText(tokenId)); + handleValidationError(request, response, HttpServletResponse.SC_BAD_REQUEST, + "Bad request: token has expired"); + } } else { - log.tokenHasExpired(Tokens.getTokenIDDisplayText(tokenId)); + log.missingTokenPasscode(); handleValidationError(request, response, HttpServletResponse.SC_BAD_REQUEST, - "Bad request: token has expired");

Review comment:
Again, this code is not applicable to the cases where a JWT is provided for authentication; it is only for those cases where ONLY the token ID is provided, in which case the server-managed token state is absolutely necessary, since there is nothing about the ID which can be verified by itself.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at: us...@infra.apache.org

Issue Time Tracking
-------------------
Worklog Id: (was: 575545)
Time Spent: 40m (was: 0.5h)

> JWT Token Signature Verification Caching NPE
> --------------------------------------------
>
> Key: KNOX-2566
> URL: https://issues.apache.org/jira/browse/KNOX-2566
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 1.6.0
> Reporter: Philip Zampino
> Assignee: Philip Zampino
> Priority: Major
> Time Spent: 40m
> Remaining Estimate: 0h
>
> For JWT tokens that have not been issued by Knox, but which Knox can verify, the signature verification caching enhancement in the JWT providers (KNOX-2544) throws an NPE because it's assuming that all JWTs have been issued by Knox and have a Knox-token-specific claim.
> The providers should be able to handle these cases without throwing an exception.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
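Review bot: the hunk stops before the replacement message for the new `log.missingTokenPasscode()` branch, so the only response text visible for a null `tokenId` is the removed `"Bad request: token has expired"` line; whatever replaces it should describe the missing token ID rather than an expiry, otherwise a client that sent no passcode receives a misleading error. Two smaller points: both failure branches answer with `HttpServletResponse.SC_BAD_REQUEST`, and for a token the state service reports as no longer valid a 401 would tell the client to re-authenticate rather than repair its request (pre-existing, but this hunk is the place to reconsider it); and because `tokenId != null` is nested under `tokenStateService != null`, a request carrying neither a JWT nor a token ID when no state service is configured never reaches this check, so it is worth confirming that path still fails closed elsewhere in `validateToken`.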
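The issue description attributes the NPE to assuming that every JWT carries a Knox-token-specific claim. The following is an added example, not Knox code: a stand-alone Python sketch of a signature-verification cache that treats that claim as optional, verifies tokens without it in full on every request, and keeps a pre-fix variant beside it to show where the null dereference surfaces. The claim name `knox.id`, the shared secret, the HS256 minting helper and the `VerificationCache` class are all constructed for the example.

```python
"""Added example (not Knox code): cache JWT signature-verification results
while treating the issuer-specific token-ID claim as optional, so tokens
from other issuers are verified in full instead of dereferencing null."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Set

# Constructed demo values; not Knox's real key, claim name or token format.
SHARED_SECRET = b"constructed-demo-secret"
TOKEN_ID_CLAIM = "knox.id"  # stands in for the issuer-specific token-ID claim


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_hs256_token(claims: dict) -> str:
    """Mint a constructed HS256 JWT so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_signature(token: str) -> bool:
    """The full signature check the cache is meant to avoid repeating."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def token_id(token: str) -> Optional[str]:
    """Return the issuer-specific token-ID claim, or None when the JWT lacks it."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    return claims.get(TOKEN_ID_CLAIM)


class VerificationCache:
    """Remembers digests of whole tokens whose signature has already verified."""

    def __init__(self) -> None:
        self.verified: Dict[str, str] = {}     # token digest -> token ID
        self.by_id: Dict[str, Set[str]] = {}   # token ID -> digests (for revocation)
        self.full_checks = 0                   # expensive checks performed, observable in tests

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def verify_assuming_claim(self, token: str) -> bool:
        """Pre-fix shape: every JWT is assumed to carry the ID claim, so it is
        used unconditionally. For a token from another issuer token_id() returns
        None and .strip() raises AttributeError, the counterpart of the NPE."""
        tid = token_id(token).strip()
        digest = self._digest(token)
        if digest in self.verified:
            return True
        self.full_checks += 1
        ok = verify_signature(token)
        if ok:
            self.verified[digest] = tid
            self.by_id.setdefault(tid, set()).add(digest)
        return ok

    def verify(self, token: str) -> bool:
        """Fixed shape: the claim is optional. Only tokens that carry it are
        cached, because only their lifecycle (revocation by ID) is managed here;
        anything else is verified in full on every request."""
        digest = self._digest(token)
        if digest in self.verified:
            return True
        self.full_checks += 1
        ok = verify_signature(token)
        tid = token_id(token)
        if ok and tid is not None:
            self.verified[digest] = tid
            self.by_id.setdefault(tid, set()).add(digest)
        return ok

    def revoke(self, tid: str) -> int:
        """Evict every cached result for tokens with this ID; returns the count."""
        digests = self.by_id.pop(tid, set())
        for digest in digests:
            self.verified.pop(digest, None)
        return len(digests)
```

Keying the cache on a digest of the whole compact token, rather than on the ID claim alone, matters: an entry keyed only by ID would let any token that reuses a cached ID, for instance one with a swapped payload, skip the signature check. The ID is retained only so that revoking a token evicts its cached results.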