Repository: knox
Updated Branches:
 refs/heads/master 51194fbbe -> 7819df638
KNOX-693 - KnoxSSO Token Expiration should be Optional
Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/7819df63
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/7819df63
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/7819df63
Branch: refs/heads/master
Commit: 7819df6387a0726acae01f8f6942c7331d4a5420
Parents: 51194fb
Author: Larry McCay <lmc...@hortonworks.com>
Authored: Wed Mar 16 13:51:06 2016 -0400
Committer: Larry McCay <lmc...@hortonworks.com>
Committed: Wed Mar 16 13:51:06 2016 -0400
----------------------------------------------------------------------
.../jwt/filter/SSOCookieFederationFilter.java | 5 +++-
.../impl/DefaultTokenAuthorityService.java | 2 +-
.../gateway/service/knoxsso/WebSSOResource.java | 13 ++++++++-
.../token/impl/JWTProviderMessages.java | 13 +++++++++
.../services/security/token/impl/JWTToken.java | 30 ++++++++++----------
5 files changed, 45 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/7819df63/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java
index 297e549..6286655 100644
--- a/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java
+++ b/gateway-provider-security-jwt/src/main/java/org/apache/hadoop/gateway/provider/federation/jwt/filter/SSOCookieFederationFilter.java
@@ -136,7 +136,10 @@ public class SSOCookieFederationFilter implements Filter {
 verified = authority.verifyToken(token);
 if (verified) {
 Date expires = token.getExpiresDate();
- if (expires != null && new Date().before(expires)) {
+ // if there is no expiration data then the lifecycle is tied entirely to
+ // the cookie validity - otherwise ensure that the current time is before
+ // the designated expiration time
+ if (expires == null || expires != null && new Date().before(expires)) {
 boolean audValid = validateAudiences(token);
 if (audValid) {
 Subject subject = createSubjectFromToken(token);
http://git-wip-us.apache.org/repos/asf/knox/blob/7819df63/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
index bd54956..368baff 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/token/impl/DefaultTokenAuthorityService.java
@@ -111,7 +111,7 @@ public class DefaultTokenAuthorityService implements JWTokenAuthority, Service {
 claimArray[1] = p.getName();
 claimArray[2] = null;
 if (expires == -1) {
- claimArray[3] = Long.toString( ( System.currentTimeMillis() ) + 30000);
+ claimArray[3] = null;
 } else {
 claimArray[3] = String.valueOf(expires);
http://git-wip-us.apache.org/repos/asf/knox/blob/7819df63/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
----------------------------------------------------------------------
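Review bot: The new condition accepts a signed token that carries no `exp` claim for as long as the cookie is presented, and the comment's claim that the lifecycle is then "tied entirely to the cookie validity" holds only for a well-behaved browser — a cookie value copied out of a browser or captured in transit is not bound by its Max-Age, so the gateway itself enforces no lifetime on such tokens. If accepting non-expiring tokens is intended, the `expires != null` term is redundant once `expires == null` has been tested and the line reads more clearly as `if (expires == null || new Date().before(expires)) {`; consider also a filter-level option to reject tokens without `exp`, and reword the comment to say plainly that no server-side expiry is enforced in that case. This check sits inside the `verified` branch of a method that starts and ends outside the hunk.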
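Review bot: The meaning of the `-1` sentinel changes silently in this branch: before the hunk it produced a 30-second token, now it omits the `exp` claim entirely, so any caller of `issueToken` that passed `-1` expecting a short default (none are visible in this diff, but the method is part of a service interface) now receives a token with no expiry. A comment on the branch, `// -1 means "no exp claim": the token stays valid until the signing key changes, so callers must bound its lifetime elsewhere`, would make the contract explicit, and promoting `-1` to a named constant shared with `WebSSOResource.getExpiry()` would avoid the same magic value being interpreted in two modules. Other values are still written unchecked, so a negative `expires` other than `-1` yields an already-expired token, which is at least fail-closed. The enclosing method and the hunk's trailing context are not fully visible here.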
diff --git a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
index 1daa514..a56091e 100644
--- a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
+++ b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
@@ -166,7 +166,7 @@ public class WebSSOResource {
 Principal p = ((HttpServletRequest)request).getUserPrincipal();
 try {
- JWT token = ts.issueToken(p, "RS256", System.currentTimeMillis() + tokenTTL);
+ JWT token = ts.issueToken(p, "RS256", getExpiry());
 // Coverity CID 1327959
 if( token != null ) {
 addJWTHadoopCookie( original, token );
@@ -208,6 +208,17 @@ public class WebSSOResource {
 return Response.seeOther(location).entity("{ \"redirectTo\" : " + original + " }").build();
 }
+ private long getExpiry() {
+ long expiry = 0l;
+ if (tokenTTL == -1) {
+ expiry = -1;
+ }
+ else {
+ expiry = System.currentTimeMillis() + tokenTTL;
+ }
+ return expiry;
+ }
+
 private void addJWTHadoopCookie(String original, JWT token) {
 log.addingJWTCookie(token.toString());
 Cookie c = new Cookie(JWT_COOKIE_NAME, token.toString());
http://git-wip-us.apache.org/repos/asf/knox/blob/7819df63/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTProviderMessages.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTProviderMessages.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTProviderMessages.java
index 1b0b1ee..cf3566c 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTProviderMessages.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTProviderMessages.java
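Review bot: `getExpiry()` is undocumented and relies on the `-1` sentinel being interpreted the same way by `DefaultTokenAuthorityService`, a cross-module contract a reader of this file cannot see; a Javadoc such as `/** Absolute expiry in epoch millis, or -1 when tokenTTL is -1 to request a token without an exp claim. */` would record it. The body also reduces to `return tokenTTL == -1 ? -1 : System.currentTimeMillis() + tokenTTL;`, which removes the `0l` initializer whose lowercase `l` suffix is easily misread as `1`. When no `exp` is set, the cookie written by `addJWTHadoopCookie` (its Max-Age handling lies outside the hunk) becomes the only lifetime bound on the SSO session, and that bound is honoured by the browser rather than enforced by the gateway — worth stating in the Javadoc so operators setting `tokenTTL` to `-1` understand what they are giving up.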
@@ -17,11 +17,15 @@
 */
 package org.apache.hadoop.gateway.services.security.token.impl;
+import java.text.ParseException;
+
 import org.apache.hadoop.gateway.i18n.messages.Message;
 import org.apache.hadoop.gateway.i18n.messages.MessageLevel;
 import org.apache.hadoop.gateway.i18n.messages.Messages;
 import org.apache.hadoop.gateway.i18n.messages.StackTrace;
+import com.nimbusds.jose.JOSEException;
+
 /**
 *
 */
@@ -45,4 +49,13 @@ public interface JWTProviderMessages {
 @Message( level = MessageLevel.FATAL, text = "Unsupported encoding: {0}" )
 void unsupportedEncoding( @StackTrace( level = MessageLevel.DEBUG ) Exception e );
+
+ @Message( level = MessageLevel.ERROR, text = "Unable to parse JWT token: {0}" )
+ void unableToParseToken(ParseException e);
+
+ @Message( level = MessageLevel.ERROR, text = "Unable to sign JWT token: {0}" )
+ void unableToSignToken(JOSEException e);
+
+ @Message( level = MessageLevel.ERROR, text = "Unable to verify JWT token: {0}" )
+ void unableToVerifyToken(JOSEException e);
 }
http://git-wip-us.apache.org/repos/asf/knox/blob/7819df63/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java
index 4b1e2b0..e0090c7 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/services/security/token/impl/JWTToken.java
@@ -53,7 +53,7 @@ public class JWTToken implements JWT {
 try {
 jwt = SignedJWT.parse(serializedJWT);
 } catch (ParseException e) {
- e.printStackTrace();
+ log.unableToParseToken(e);
 }
 }
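Review bot: The three new messages omit the `@StackTrace( level = MessageLevel.DEBUG )` annotation that the existing `unsupportedEncoding` message in the same hunk uses, so a parse or signature failure on a malformed token can never be traced even at debug level; e.g. `void unableToVerifyToken( @StackTrace( level = MessageLevel.DEBUG ) JOSEException e );`, and likewise for the other two. Keeping `{0}` in the text preserves the exception's own message in the log line. Since the parse and verify messages fire on tokens supplied by the client, consider whether ERROR is the right level for input a remote party can make fail at will — WARN is the more usual choice for rejected input, with ERROR reserved for the signing failure, which is a server-side fault. The interface continues past the end of the hunk.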
@@ -70,12 +70,16 @@ public class JWTToken implements JWT {
 }
 audiences.add(claimsArray[2]);
 }
- JWTClaimsSet claims = new JWTClaimsSet.Builder()
+ JWTClaimsSet claims = null;
+ JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder()
 .issuer(claimsArray[0])
 .subject(claimsArray[1])
- .audience(audiences)
- .expirationTime(new Date(Long.parseLong(claimsArray[3])))
- .build();
+ .audience(audiences);
+ if(claimsArray[3] != null) {
+ builder = builder.expirationTime(new Date(Long.parseLong(claimsArray[3])));
+ }
+
+ claims = builder.build();
 jwt = new SignedJWT(header, claims);
 }
@@ -100,7 +104,7 @@ public class JWTToken implements JWT {
 claims = (JWTClaimsSet) jwt.getJWTClaimsSet();
 c = claims.toJSONObject().toJSONString();
 } catch (ParseException e) {
- e.printStackTrace();
+ log.unableToParseToken(e);
 }
 return c;
 }
@@ -160,8 +164,7 @@ public class JWTToken implements JWT {
 try {
 claim = jwt.getJWTClaimsSet().getStringClaim(claimName);
 } catch (ParseException e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
+ log.unableToParseToken(e);
 }
 return claim;
@@ -209,8 +212,7 @@ public class JWTToken implements JWT {
 try {
 claims = jwt.getJWTClaimsSet().getStringArrayClaim(JWT.AUDIENCE);
 } catch (ParseException e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
+ log.unableToParseToken(e);
 }
 return claims;
@@ -230,8 +232,7 @@ public class JWTToken implements JWT {
 try {
 date = jwt.getJWTClaimsSet().getExpirationTime();
 } catch (ParseException e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
+ log.unableToParseToken(e);
 }
 return date;
 }
@@ -253,8 +254,7 @@ public class JWTToken implements JWT {
 try {
 jwt.sign(signer);
 } catch (JOSEException e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
+ log.unableToSignToken(e);
 }
 }
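Review bot: `JWTClaimsSet claims = null;` followed later by `claims = builder.build();` is an unnecessary split; declaring at the point of use, `JWTClaimsSet claims = builder.build();`, removes a null that exists only to be overwritten. The new `claimsArray[3] != null` guard covers only the absent-expiry case: a non-numeric value still escapes as an unchecked `NumberFormatException` from `Long.parseLong`, which predates this commit but deserves a comment such as `// claimsArray[3] is the expiry in epoch millis; null means "no exp claim"` so the array-slot contract is visible where it is consumed. The constructor this belongs to begins outside the hunk.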
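Review bot: In `getExpiresDate()` a `ParseException` from `getJWTClaimsSet()` is now logged and the method returns `date` unchanged — presumably `null`, since its declaration is outside the hunk — and the SSOCookieFederationFilter change in this same commit treats `null` as "no expiration" and accepts the token, so a claims set that fails to parse now fails open on the expiry check rather than closed. Signature verification has to succeed first, so exploiting this would need the signing key or an issuer bug, but a parse failure should not be indistinguishable from a deliberately unbounded token. At minimum document the overload on the method, `// null both when the token carries no exp claim and when the claims set could not be parsed`, and consider letting the filter distinguish the two, for example by checking claims parse-ability before consulting the expiry.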
@@ -269,7 +269,7 @@ public class JWTToken implements JWT {
 rc = jwt.verify(verifier);
 } catch (JOSEException e) {
 // TODO Auto-generated catch block
- e.printStackTrace();
+ log.unableToVerifyToken(e);
 }
 return rc;
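Review bot: The `// TODO Auto-generated catch block` comment survives in this hunk while every sibling catch block in the same commit removes it; now that the exception is handled via `log.unableToVerifyToken(e)` the TODO is stale and should go. Leaving `rc` at its prior value on a `JOSEException` is the right fail-closed default, and replacing the TODO with `// a verification error is logged and the token treated as unverified` would make that intent explicit rather than accidental. The method starts outside the hunk, so the initial value of `rc` is assumed to be false.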