pac4j: fix incompatible dependencies + authorization regression #15753
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
thanks @Pankaj260100 , could we add a test for this to make sure we don't regress again? |
xvrl
reviewed
Jan 24, 2024
extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java
Outdated
Show resolved
Hide resolved
xvrl
reviewed
Jan 24, 2024
extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java
Outdated
Show resolved
Hide resolved
xvrl
reviewed
Jan 24, 2024
extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java
Outdated
Show resolved
Hide resolved
Pankaj260100
commented
Jan 25, 2024
| @@ -110,11 +110,11 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo | |||
| return profiles.iterator().next().getId(); | |||
| } | |||
| }, | |||
| NOOP_HTTP_ACTION_ADAPTER, | |||
| null, null, null, null); | |||
There was a problem hiding this comment.
Changed the Authorizer from null to "none". In the older version, if it is null, it simply returns authenticated and authorized -> grant access. But in the 4.5.7 pac4j version, it uses CsrfAuthorizer as default, And because of this, I was getting 403 in API calls. So, I have set it to "none".
Pankaj260100
commented
Jan 25, 2024
| @@ -48,11 +48,12 @@ public class Pac4jFilter implements Filter | |||
| { | |||
| private static final Logger LOGGER = new Logger(Pac4jFilter.class); | |||
|
|
|||
| private static final HttpActionAdapter<String, JEEContext> NOOP_HTTP_ACTION_ADAPTER = (HttpAction code, JEEContext ctx) -> null; | |||
| // JEE_HTTP_ACTION_ADAPTER updates the response in the context according to the HTTPAction. | |||
| private static final HttpActionAdapter<Object, JEEContext> JEE_HTTP_ACTION_ADAPTER = new JEEHttpActionAdapter(); | |||
There was a problem hiding this comment.
Earlier NOOP_HTTP_ACTION_ADAPTER was working fine because the response in the context was getting updated when generating HTTPAction. But now in 4.5.7 pac4j, it just simply returns the HTTPAction, and we need HTTPActionAdapter to update the context.
xvrl
reviewed
Jan 31, 2024
extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java
Show resolved
Hide resolved
xvrl
reviewed
Jan 31, 2024
extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java
Outdated
Show resolved
Hide resolved
xvrl
reviewed
Jan 31, 2024
extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java
Outdated
Show resolved
Hide resolved
xvrl
reviewed
Jan 31, 2024
xvrl
reviewed
Jan 31, 2024
xvrl
reviewed
Jan 31, 2024
extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java
Outdated
Show resolved
Hide resolved
xvrl
reviewed
Jan 31, 2024
Pankaj260100
changed the title
xvrl
approved these changes
Feb 1, 2024
xvrl
changed the title
Pankaj260100
added a commit
to confluentinc/druid
that referenced
this pull request
Feb 2, 2024
…he#15753) - After upgrading the pac4j version in: apache#15522. We were not able to access the druid ui. - Upgraded the Nimbus libraries version to a compatible version to pac4j. - In the older pac4j version, when we return RedirectAction there we also update the webcontext Response status code and add the authentication URL to the header. But in the newer pac4j version, we just simply return the RedirectAction. So that's why it was not getting redirected to the generated authentication URL. - To fix the above, I have updated the NOOP_HTTP_ACTION_ADAPTER to JEE_HTTP_ACTION_ADAPTER and it updates the HTTP Response in context as per the HTTP Action.
10 tasks
pagrawal10
pushed a commit
to confluentinc/druid
that referenced
this pull request
Feb 6, 2024
* Upgrade pac4j-oidc to 4.5.7 to address CVE-2021-44878 (apache#15522) * Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878 * add CVE suppression and notes, since vulnerability scan still shows this CVE * Add tests to improve coverage * pac4j: fix incompatible dependencies + authorization regression (apache#15753) - After upgrading the pac4j version in: apache#15522. We were not able to access the druid ui. - Upgraded the Nimbus libraries version to a compatible version to pac4j. - In the older pac4j version, when we return RedirectAction there we also update the webcontext Response status code and add the authentication URL to the header. But in the newer pac4j version, we just simply return the RedirectAction. So that's why it was not getting redirected to the generated authentication URL. - To fix the above, I have updated the NOOP_HTTP_ACTION_ADAPTER to JEE_HTTP_ACTION_ADAPTER and it updates the HTTP Response in context as per the HTTP Action. --------- Co-authored-by: Keerthana Srikanth <ksrikanth@confluent.io>
LakshSingla
pushed a commit
to LakshSingla/druid
that referenced
this pull request
Feb 7, 2024
…he#15753) - After upgrading the pac4j version in: apache#15522. We were not able to access the druid ui. - Upgraded the Nimbus libraries version to a compatible version to pac4j. - In the older pac4j version, when we return RedirectAction there we also update the webcontext Response status code and add the authentication URL to the header. But in the newer pac4j version, we just simply return the RedirectAction. So that's why it was not getting redirected to the generated authentication URL. - To fix the above, I have updated the NOOP_HTTP_ACTION_ADAPTER to JEE_HTTP_ACTION_ADAPTER and it updates the HTTP Response in context as per the HTTP Action.
cryptoe
pushed a commit
that referenced
this pull request
Feb 7, 2024
…) (#15851) - After upgrading the pac4j version in: #15522. We were not able to access the druid ui. - Upgraded the Nimbus libraries version to a compatible version to pac4j. - In the older pac4j version, when we return RedirectAction there we also update the webcontext Response status code and add the authentication URL to the header. But in the newer pac4j version, we just simply return the RedirectAction. So that's why it was not getting redirected to the generated authentication URL. - To fix the above, I have updated the NOOP_HTTP_ACTION_ADAPTER to JEE_HTTP_ACTION_ADAPTER and it updates the HTTP Response in context as per the HTTP Action. Co-authored-by: PANKAJ KUMAR <87029331+Pankaj260100@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR has: