Add processing of runtime exceptions during JWT tokens validation (#9557)

* Add processing of runtime exceptions during JWT tokens validation

This is needed to return the correct 403 response code instead of 500.
A response message was also added to tell the client the reason for the error.
6.19.x
Sergii Leshchenko 2018-05-02 15:18:34 +03:00 committed by GitHub
parent 8c3d2ead36
commit da69099743
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 11 deletions


@ -81,8 +81,7 @@ public class DistributedRemoteSubscriptionStorage implements RemoteSubscriptionS
Lock lock = lockService.getLock(method);
lock.lock();
try {
Set<RemoteSubscriptionContext> existing =
subscriptions.get(method);
Set<RemoteSubscriptionContext> existing = subscriptions.get(method);
if (existing == null) {
return;
}


@ -16,12 +16,15 @@ import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.UrlJwkProvider;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.MalformedJwtException;
import io.jsonwebtoken.SignatureException;
import io.jsonwebtoken.SigningKeyResolverAdapter;
import io.jsonwebtoken.UnsupportedJwtException;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
@ -75,10 +78,8 @@ public class KeycloakAuthenticationFilter extends AbstractKeycloakFilter {
return;
}
final String requestURI = request.getRequestURI();
if (token == null) {
LOG.debug("No 'Authorization' header for {}", requestURI);
send403(res);
send403(res, "Authorization token is missed");
return;
}
@ -104,12 +105,17 @@ public class KeycloakAuthenticationFilter extends AbstractKeycloakFilter {
.parseClaimsJws(token);
LOG.debug("JWT = ", jwt);
// OK, we can trust this JWT
} catch (SignatureException | IllegalArgumentException e) {
// don't trust the JWT!
LOG.error("Failed verifying the JWT token", e);
send403(res);
} catch (SignatureException
| IllegalArgumentException
| MalformedJwtException
| UnsupportedJwtException e) {
send403(res, "The specified token is not a valid. " + e.getMessage());
return;
} catch (ExpiredJwtException e) {
send403(res, "The specified token is expired");
return;
}
request.setAttribute("token", jwt);
chain.doFilter(req, res);
}
@ -138,8 +144,9 @@ public class KeycloakAuthenticationFilter extends AbstractKeycloakFilter {
return jwk.getPublicKey();
}
private void send403(ServletResponse res) throws IOException {
private void send403(ServletResponse res, String message) throws IOException {
HttpServletResponse response = (HttpServletResponse) res;
response.sendError(403);
response.getOutputStream().write(message.getBytes());
response.setStatus(403);
}
}
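Review bot: The new 403 body echoes `e.getMessage()` (the `send403(res, "The specified token is not a valid. " + e.getMessage())` line) and `send403` writes it via platform-default `getBytes()` with no content type, before `setStatus(403)` is called; JJWT's malformed-token messages can carry the decoded, attacker-supplied payload, so this reflects untrusted input into an untyped response, and status/headers must be set before the body is written. Drop the concatenation, keep a server-side log (the hunk removed the only log of a rejected token), and have `send403` set the status and `text/plain;charset=UTF-8` first, writing with `StandardCharsets.UTF_8` (needs a `java.nio.charset.StandardCharsets` import). Catching the already-imported `JwtException` base type instead of the three subclasses also covers the remaining JJWT failures (e.g. claim checks) that would otherwise still surface as 500, which is what the commit sets out to fix; `ExpiredJwtException` must keep its own, earlier catch. The enclosing `doFilter` body starts before this file's first hunk and the class continues past its last one.
```java
} catch (ExpiredJwtException e) {
  send403(res, "The specified token is expired");
  return;
} catch (JwtException | IllegalArgumentException e) {
  // Log server-side only; JJWT messages may contain token content, never echo them.
  LOG.debug("Failed verifying the JWT token", e);
  send403(res, "The specified token is not valid");
  return;
}
// … unchanged: request.setAttribute / chain.doFilter …

private void send403(ServletResponse res, String message) throws IOException {
  HttpServletResponse response = (HttpServletResponse) res;
  // Status and headers must precede any body bytes, or they may be committed as 200.
  response.setStatus(403);
  response.setContentType("text/plain;charset=UTF-8");
  response.getOutputStream().write(message.getBytes(StandardCharsets.UTF_8));
}
```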