[
https://issues.apache.org/jira/browse/KNOX-21?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13772224#comment-13772224
]
Dilli Arumugam commented on KNOX-21:
------------------------------------
Reviewed Shiro docs, Shiro code, tested and traced Knox and Shiro code.
Findings:
As of today, if the client request sends the JSESSIONID back, Shiro would not
bind to LDAP to reauthenticate. Shiro would use the Subject state cached in
Session.
Here is an example using curl:
curl -L -i -v -k -u guest:guest-password -X GET 'https://localhost:8443/gateway/sample/namenode/api/v1/user/guest/tmp/test/input/hello.txt?op=OPEN'
localhost:mac101 darumugam$ curl -i -k -u guest:guest-password -X GET 'https://localhost:8443/gateway/sample/namenode/api/v1?op=GETHOMEDIRECTORY'
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=z96rbutlunvp1464oi2ep7x0x;Path=/gateway/sample;Secure
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rememberMe=deleteMe; Path=/gateway/sample; Max-Age=0; Expires=Wed, 18-Sep-2013 20:00:57 GMT
Cache-Control: no-cache
Expires: Thu, 01-Jan-1970 00:00:00 GMT
Date: Thu, 19 Sep 2013 20:00:57 GMT
Pragma: no-cache
Date: Thu, 19 Sep 2013 20:00:57 GMT
Pragma: no-cache
Server: Jetty(6.1.26)
Content-Type: application/json
Content-Length: 22
{"Path":"/user/guest"}
curl -i -k -b "JSESSIONID=z96rbutlunvp1464oi2ep7x0x" -X GET 'https://localhost:8443/gateway/sample/namenode/api/v1?op=GETHOMEDIRECTORY'
HTTP/1.1 200 OK
Cache-Control: no-cache
Expires: Thu, 01-Jan-1970 00:00:00 GMT
Date: Thu, 19 Sep 2013 20:02:13 GMT
Pragma: no-cache
Date: Thu, 19 Sep 2013 20:02:13 GMT
Pragma: no-cache
Server: Jetty(6.1.26)
Content-Type: application/json
Content-Length: 22
{"Path":"/user/guest"}
> Utilize knox.auth cookie to prevent re-authentication for every request from
> end user
> -------------------------------------------------------------------------------------
>
> Key: KNOX-21
> URL: https://issues.apache.org/jira/browse/KNOX-21
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 0.2.0
> Reporter: Kevin Minder
> Assignee: Dilli Arumugam
> Fix For: 0.4.0
>
>
> From BUG-4300
> Currently the hadoop.auth cookie is not being used so each request results in
> a challenge for user credentials and then an authentication (e.g. via LDAP).
> This is a potential performance issue. In addition the hadoop.auth cookie is
> being returned by the downstream services. We should determine if the gateway
> should always manufacture the cookie and send it to the downstream services
> instead of using the current pseudo auth mechanism.
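
A small model of the behaviour reported in the comment above, added here as an example; it is not Knox or Shiro code. `FakeLdap`, `Gateway`, `demo` and the 1800-second session lifetime are hypothetical, constructed for this illustration. It counts directory binds to show that a request carrying only the session id is served from the cached subject, and that a directory change is therefore not seen until the session expires.

```python
import secrets
import time


class FakeLdap:
    """Stand-in directory that counts simple binds (constructed for this example)."""

    def __init__(self, users):
        self.users = dict(users)
        self.binds = 0

    def bind(self, user, password):
        self.binds += 1
        return self.users.get(user) == password


class Gateway:
    """Caches the authenticated subject per session id, as the comment describes."""

    def __init__(self, ldap, session_ttl=1800, clock=time.monotonic):
        self.ldap, self.ttl, self.clock = ldap, session_ttl, clock
        self.sessions = {}  # session id -> (user, expiry time)

    def handle(self, basic_auth=None, jsessionid=None):
        """Return (status, user, new_session_id) for one request."""
        entry = self.sessions.get(jsessionid)
        if entry and entry[1] > self.clock():
            return 200, entry[0], None       # cached subject, no LDAP bind
        self.sessions.pop(jsessionid, None)  # drop an expired or unknown id
        if basic_auth and self.ldap.bind(*basic_auth):
            sid = secrets.token_urlsafe(16)
            self.sessions[sid] = (basic_auth[0], self.clock() + self.ttl)
            return 200, basic_auth[0], sid
        return 401, None, None


def demo():
    now = [0.0]  # controllable clock so the run is deterministic
    ldap = FakeLdap({"guest": "guest-password"})
    gw = Gateway(ldap, session_ttl=1800, clock=lambda: now[0])
    first = gw.handle(basic_auth=("guest", "guest-password"))
    sid = first[2]
    second = gw.handle(jsessionid=sid)  # cookie only, like curl -b
    del ldap.users["guest"]             # account removed from the directory
    third = gw.handle(jsessionid=sid)   # still served from the session
    now[0] = 1801.0
    fourth = gw.handle(jsessionid=sid)  # session expired, no credentials sent
    return first[0], second[0], third[0], fourth[0], ldap.binds
```

In the model the only bind happens on the first request, so session lifetime bounds how long a removed or changed account keeps working.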