diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
index f7305d0282..b37f39a50c 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
@@ -331,7 +331,14 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
 HttpServletResponse httpResponse = (HttpServletResponse) response;
 try {
 boolean newToken = false;
- AuthenticationToken token = getToken(httpRequest);
+ AuthenticationToken token;
+ try {
+ token = getToken(httpRequest);
+ }
+ catch (AuthenticationException ex) {
+ LOG.warn("AuthenticationToken ignored: " + ex.getMessage());
+ token = null;
+ }
 if (token == null) {
 if (LOG.isDebugEnabled()) {
 LOG.debug("Request [{}] triggering authentication", getRequestURL(httpRequest));
@@ -371,6 +378,9 @@ public Principal getUserPrincipal() {
 }
 filterChain.doFilter(httpRequest, httpResponse);
 }
+ else {
+ throw new AuthenticationException("Missing AuthenticationToken");
+ }
 } catch (AuthenticationException ex) {
 if (!httpResponse.isCommitted()) {
 Cookie cookie = createCookie("");
diff --git a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
index 43687493b4..4f1bc111a7 100644
--- a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
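Review bot: The new catch around `getToken(httpRequest)` writes `ex.getMessage()` at WARN for every request that carries a rejected cookie, so an unauthenticated client can produce one warning line per request, and the message may echo cookie-derived text (getToken is outside the hunk, so that part is an assumption). The message is also built by concatenation while the neighbouring `LOG.debug("Request [{}] triggering authentication", ...)` uses placeholders. I would write `LOG.warn("AuthenticationToken ignored: {}", ex.getMessage());` with CR/LF stripped from the value, or log at a lower level and rely on a counter for detection. A comment such as `// rejected cookie: fall through so the handler can re-authenticate from the request` would explain why an AuthenticationException is swallowed inside an authentication filter. doFilter's body starts and ends outside the hunk.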
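Review bot: The added `else { throw new AuthenticationException("Missing AuthenticationToken"); }` turns "the handler returned no token" into the failure path, but a handler can presumably return null while a multi-step exchange is still in progress and it has already written its own challenge to the response; the `if` this `else` pairs with and most of the catch body are outside the hunk, so this is inferred. In that case only the `httpResponse.isCommitted()` check in the catch keeps the handler's response from being replaced, and every such round trip is handled as an authentication failure. I would either reject the request without raising an exception for this case or state the contract at the throw, e.g. `// null token: the handler must already have committed its response, otherwise the catch below clears the cookie and rejects the request`.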
+++ b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java @@ -349,7 +349,7 @@ public Object answer(InvocationOnMock invocation) throws Throwable { } } - private void _testDoFilterAuthentication(boolean withDomainPath) throws Exception { + private void _testDoFilterAuthentication(boolean withDomainPath, boolean invalidToken) throws Exception { AuthenticationFilter filter = new AuthenticationFilter(); try { FilterConfig config = Mockito.mock(FilterConfig.class); @@ -380,6 +380,12 @@ private void _testDoFilterAuthentication(boolean withDomainPath) throws Exceptio Mockito.when(request.getRequestURL()).thenReturn(new StringBuffer("http://foo:8080/bar")); Mockito.when(request.getQueryString()).thenReturn("authenticated=true"); + if (invalidToken) { + Mockito.when(request.getCookies()).thenReturn( + new Cookie[] { new Cookie(AuthenticatedURL.AUTH_COOKIE, "foo")} + ); + } + HttpServletResponse response = Mockito.mock(HttpServletResponse.class); FilterChain chain = Mockito.mock(FilterChain.class); @@ -437,11 +443,15 @@ public Object answer(InvocationOnMock invocation) throws Throwable { } public void testDoFilterAuthentication() throws Exception { - _testDoFilterAuthentication(false); + _testDoFilterAuthentication(false, false); + } + + public void testDoFilterAuthenticationWithInvalidToken() throws Exception { + _testDoFilterAuthentication(false, true); } public void testDoFilterAuthenticationWithDomainPath() throws Exception { - _testDoFilterAuthentication(true); + _testDoFilterAuthentication(true, false); } public void testDoFilterAuthenticated() throws Exception { diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index bfb3f653a3..2b55e4c14d 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt 
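Review bot: `testDoFilterAuthenticationWithInvalidToken` only covers a rejected cookie on a request that also carries usable credentials (`authenticated=true`), so the other outcome of this change, an invalid cookie with nothing to authenticate from ending in a rejection with the cookie cleared, is not exercised by the lines shown; tests outside these hunks may cover it. The cookie value `"foo"` also exercises only a malformed cookie, while a well-formed but expired or tampered token is presumably rejected on a different branch of getToken and deserves its own case. The new `invalidToken` parameter of `_testDoFilterAuthentication` would read better with a one-line comment saying it installs an unparseable auth cookie before the filter runs.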
@@ -332,6 +332,9 @@ Release 2.0.0 - UNRELEASED HADOOP-8251. Fix SecurityUtil.fetchServiceTicket after HADOOP-6941 (todd) + HADOOP-8249. invalid hadoop-auth cookies should trigger authentication + if info is avail before returning HTTP 401 (tucu) + BREAKDOWN OF HADOOP-7454 SUBTASKS HADOOP-7455. HA: Introduce HA Service Protocol Interface. (suresh)