Hi Larry, I truly want to set the ‘Authorization’ header, so disregard the ‘AUTH_HEADER’ mention below.
I think I see the issue. It appears that it is DefaultDispatch which is preventing this from working. AbstractGatewayDispatch has a list of exclude headers and ‘Authorization’ is in that list. This is preventing my HttpServletRequestWrapper from injecting the ‘ Authorization’ header value I would like. Link to relevant code base: https://github.com/apache/knox/blob/92e2ec59a5940a9e7c67ec5cd29044f811dee40a/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/AbstractGatewayDispatch.java#L133 <https://github.com/apache/knox/blob/92e2ec59a5940a9e7c67ec5cd29044f811dee40a/gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/AbstractGatewayDispatch.java#L133> Still looking for suggestions on how I may be able to achieve this, any thoughts? Regards, Christopher Jackson > On Feb 26, 2018, at 8:12 PM, larry mccay <[email protected]> wrote: > > Hi Christopher - > > That sounds very strange is the AUTH_HEADER a standard header that I am > unaware of? > I will try and reproduce this. > > thanks, > > --larry > > On Mon, Feb 26, 2018 at 5:48 PM, Christopher Jackson > <[email protected] > <mailto:[email protected]>> wrote: > Hi All, > > I have some questions around the Knox SSO provider. > > I have configured my Knox instance for Knox SSO and everything seems to be > working. I’m observing the following: > > - I make a request to a service behind the gateway > - I get redirected to the Knox SSO form based login page. > - I provide my credentials and click Sign In. > - I am successfully authenticated and a cookie named hadoop-jwt is created. > - I get redirected to my originally requested URL. > > I have also configured my Knox instance with a custom provider which uses a > HttpServletRequestWrapper to override the getHeaderName and getHeader > methods. “AUTH_HEADER” is added to the getHeaderNames enumeration. When > getHeader is called for “AUTH_HEADER” it returns a value of “Bearer > <jwt_serialized_string>”. I get the JWT serialized string by reading the > hadoop-jwt cookie. > > Why am I doing this? This is necessary for the authentication mechanism in > the container (WebSphere Liberty Profile (WLP)) serving our web application > to consume the Knox issued JWT. > > The problem I am having is that it seems a later filter (I believe > DefaultDispatch) in the chain is over writing the value of the header. As the > final request that is made to the original requested URL has an > “Authorization” header of the basic64 encoded username and password > combination that I provided to the Knox SSO form based login page. > > Unfortunately WLP does not currently allow me to configure reading the JWT > from a cookie. So I need to handle it in Knox before the request is made to > WLP. > > Any suggestions on what I may try to overcome this issue? > > Regards, > Christopher Jackson >
