Skip to content

RANGER-5533:Verify JWT Issuer Claims if present #901

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pradeepagrawal8184 merged 5 commits into from
Apr 16, 2026
Merged

RANGER-5533:Verify JWT Issuer Claims if present #901

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
c85fa10
RANGER-5533:Validating ISS claim in JWT
ChinmayHegde24 Mar 30, 2026
5dd1ce0
RANGER-5533: Refactor JWT issuer validation to support single-issuer …
ChinmayHegde24 Apr 8, 2026
ca45df4
RANGER-5533: Addressed review comments
ChinmayHegde24 Apr 9, 2026
13bb8db
RANGER-5533 : Unit test for RangerJwtAuthHandler
ChinmayHegde24 Apr 12, 2026
ddd267d
RANGER-5533: Removed redundant test case from TestRangerSSOAuthentica…
ChinmayHegde24 Apr 14, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 47 additions & 2 deletions ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerJwtAuthHandler.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,11 +52,13 @@ public abstract class RangerJwtAuthHandler implements RangerAuthHandler {
public static final String KEY_JWT_PUBLIC_KEY = "jwt.public-key"; // JWT token provider public key
public static final String KEY_JWT_COOKIE_NAME = "jwt.cookie-name"; // JWT cookie name
public static final String KEY_JWT_AUDIENCES = "jwt.audiences";
public static final String KEY_JWT_ISS = "jwt.issuers";
public static final String JWT_AUTHZ_PREFIX = "Bearer ";

protected static String cookieName = "hadoop-jwt";

protected List<String> audiences;
protected List<String> issuers;
protected JWKSource<SecurityContext> keySource;
private JWSVerifier verifier;
private String jwksProviderUrl;
Expand Down Expand Up @@ -99,6 +101,12 @@ public void initialize(final Properties config) throws Exception {
audiences = Arrays.asList(audiencesStr.split(","));
}

// setup issuers if configured
String issuersStr = config.getProperty(KEY_JWT_ISS);
if (StringUtils.isNotBlank(issuersStr)) {
issuers = Arrays.asList(issuersStr.split(","));
Comment thread
ChinmayHegde24 marked this conversation as resolved.
Outdated
}

if (LOG.isDebugEnabled()) {
LOG.debug("<<<=== RangerJwtAuthHandler.initialize()");
}
Expand Down Expand Up @@ -182,20 +190,25 @@ protected boolean validateToken(final SignedJWT jwtToken) {
boolean expValid = validateExpiration(jwtToken);
boolean sigValid = false;
boolean audValid = false;
boolean issValid = false;

if (expValid) {
sigValid = validateSignature(jwtToken);

if (sigValid) {
audValid = validateAudiences(jwtToken);

if (audValid) {
issValid = validateIssuer(jwtToken);
}
}
}

if (LOG.isDebugEnabled()) {
LOG.debug("expValid={}, sigValid={}, audValid={}", expValid, sigValid, audValid);
LOG.debug("expValid={}, sigValid={}, audValid={}, issValid={}", expValid, sigValid, audValid, issValid);
}

return sigValid && audValid && expValid;
return sigValid && audValid && expValid && issValid;
}

/**
Expand Down Expand Up @@ -290,6 +303,38 @@ protected boolean validateAudiences(final SignedJWT jwtToken) {
return valid;
}

/**
* Validate whether any of the accepted issuer claims is present in the issued
Comment thread
ChinmayHegde24 marked this conversation as resolved.
Outdated
* token claims list for issuer. Override this method in subclasses in order
* to customize the audience validation behavior.
*
* @param jwtToken the JWT token from which the JWT issuer will be obtained
* @return true if an expected issuer is present, otherwise false
*/
protected boolean validateIssuer(final SignedJWT jwtToken) {
Comment thread
ChinmayHegde24 marked this conversation as resolved.
boolean valid = false;
try {
String tokenIssuer = jwtToken.getJWTClaimsSet().getIssuer();
// if there were no expected issuers configured then just consider any issuer acceptable
if (issuers == null) {
valid = true;
} else {
// if any of the configured issuers is found then consider it acceptable
if (issuers.contains(tokenIssuer)) {
if (LOG.isDebugEnabled()) {
Comment thread
ChinmayHegde24 marked this conversation as resolved.
Outdated
LOG.debug("JWT token issuer has been successfully validated.");
}
valid = true;
} else {
LOG.warn("JWT issuer validation failed.");
}
}
} catch (ParseException pe) {
LOG.warn("Unable to parse the JWT token.", pe);
}
return valid;
}

/**
* Validate that the expiration time of the JWT has not been violated. If
* it has, then throw an AuthenticationException. Override this method in
Expand Down
1 change: 1 addition & 0 deletions security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerJwtAuthFilter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@ public void initialize() {
config.setProperty(RangerJwtAuthHandler.KEY_JWT_PUBLIC_KEY, PropertiesUtil.getProperty(RangerSSOAuthenticationFilter.JWT_PUBLIC_KEY, ""));
config.setProperty(RangerJwtAuthHandler.KEY_JWT_COOKIE_NAME, PropertiesUtil.getProperty(RangerSSOAuthenticationFilter.JWT_COOKIE_NAME, RangerSSOAuthenticationFilter.JWT_COOKIE_NAME_DEFAULT));
config.setProperty(RangerJwtAuthHandler.KEY_JWT_AUDIENCES, PropertiesUtil.getProperty(RangerSSOAuthenticationFilter.JWT_AUDIENCES, ""));
config.setProperty(RangerJwtAuthHandler.KEY_JWT_ISS, PropertiesUtil.getProperty(RangerSSOAuthenticationFilter.JWT_ISSUERS, ""));

super.initialize(config);
} catch (Exception e) {
Expand Down
1 change: 1 addition & 0 deletions ...in/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,7 @@ public class RangerSSOAuthenticationFilter implements Filter {
public static final String JWT_PUBLIC_KEY = "ranger.sso.publicKey";
public static final String JWT_COOKIE_NAME = "ranger.sso.cookiename";
public static final String JWT_AUDIENCES = "ranger.sso.audiences";
public static final String JWT_ISSUERS = "ranger.sso.issuers";
public static final String JWT_ORIGINAL_URL_QUERY_PARAM = "ranger.sso.query.param.originalurl";
public static final String JWT_COOKIE_NAME_DEFAULT = "hadoop-jwt";
public static final String JWT_ORIGINAL_URL_QUERY_PARAM_DEFAULT = "originalUrl";
Expand Down
5 changes: 5 additions & 0 deletions ...rc/test/java/org/apache/ranger/security/web/filter/TestRangerSSOAuthenticationFilter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -498,4 +498,9 @@ public void testDoFilter_ssoDisabled_locallogin_redirectsToLoginJsp() throws Exc
verify(res, times(1)).sendRedirect("/login.jsp");
verify(chain, times(0)).doFilter(any(ServletRequest.class), any(ServletResponse.class));
}

@Test
Comment thread
ChinmayHegde24 marked this conversation as resolved.
Outdated
void testJwtIssuersConstant() {
assertEquals("ranger.sso.issuers", RangerSSOAuthenticationFilter.JWT_ISSUERS);
}
}
Loading