fix: Treat empty string in hadoop.auth cookie as no cookie #19520
Open
rzepinskip wants to merge 2 commits into
d9218d1 to
b997727
Compare
Member
FrankChen021
left a comment
I have reviewed the code for correctness, edge cases, concurrency, and integration risks; no issues found.
Reviewed 3 of 3 changed files.
This is an automated review by Codex GPT-5.5
Member
FrankChen021
left a comment
I have reviewed the code for correctness, edge cases, concurrency, and integration risks; no issues found.
Reviewed 3 of 3 changed files.
This is an automated review by Codex GPT-5.5
Description
This PR fixes a bug (#19519) in the druid-kerberos extension where an expired or empty Kerberos authentication cookie would short-circuit the entire authenticator chain, resulting in a persistent HTTP 403 error and preventing other authenticators (like LDAP) from handling the request.

Fixed Kerberos authentication chain short-circuit
When a Kerberos session expires, the browser may be left with an empty hadoop.auth cookie. Previously, KerberosAuthenticator would attempt to verify this empty cookie, causing a SignerException that blocked the rest of the authenticator chain.

Key fixes:
- Max-Age=0 to the Set-Cookie header when clearing the hadoop.auth cookie. Previously, the browser would treat the empty-value cookie as a session cookie rather than deleting it.
- getToken() to explicitly check for empty cookie values. Empty cookies are now treated as "no cookie present," allowing the request to proceed to the next authenticator in the chain instead of throwing a 403 error.

Code quality and test fixes
- mockito-core dependency to druid-kerberos to resolve test compilation errors.
- isEmpty().
- !=) for AuthenticationToken.ANONYMOUS with .equals().
- @Nullable annotations to standard override methods.
- final.

Release note
Fixed a bug in druid-kerberos where an expired authentication cookie could prevent other authenticators in the chain from working, causing a persistent 403 error.

Key changed/added classes in this PR
- KerberosAuthenticator
- KerberosAuthenticatorTest
- pom.xml (druid-kerberos)

This PR has:
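
Added example (not code from this pull request or from Druid): the two behaviours the description names, treating an empty hadoop.auth cookie as absent so the authenticator chain continues, and clearing the cookie with Max-Age=0, written in plain Java. The class and method names, the Path attribute, the handling of a quoted empty value and the sample headers are assumptions constructed for illustration.

```java
import java.util.Optional;

// Added illustration; class and method names are hypothetical, not Druid's code.
public class EmptyAuthCookieDemo {
    static final String AUTH_COOKIE = "hadoop.auth"; // cookie name from the PR description

    // Returns the cookie value, or empty when the cookie is missing OR present with an
    // empty value, so the caller can fall through to the next authenticator.
    static Optional<String> tokenFromCookieHeader(String cookieHeader) {
        if (cookieHeader == null) {
            return Optional.empty();
        }
        for (String pair : cookieHeader.split(";")) {
            int eq = pair.indexOf('=');
            if (eq < 0 || !pair.substring(0, eq).trim().equals(AUTH_COOKIE)) {
                continue;
            }
            String value = pair.substring(eq + 1).trim();
            // Assumption: a quoted empty value ("") is also treated as empty.
            if (value.length() >= 2 && value.startsWith("\"") && value.endsWith("\"")) {
                value = value.substring(1, value.length() - 1);
            }
            return value.isEmpty() ? Optional.empty() : Optional.of(value);
        }
        return Optional.empty();
    }

    // Without Max-Age=0 the empty cookie lingers as a session cookie (Path is an assumption).
    static String clearingSetCookie(String path) {
        return AUTH_COOKIE + "=; Path=" + path + "; Max-Age=0";
    }

    public static void main(String[] args) {
        // Constructed sample Cookie request headers.
        String[] samples = {
            "JSESSIONID=abc123",
            "hadoop.auth=; JSESSIONID=abc123",
            "hadoop.auth=\"\"",
            "hadoop.auth=\"constructed-signed-token\"; JSESSIONID=abc123"
        };
        for (String header : samples) {
            String decision = tokenFromCookieHeader(header)
                .map(v -> "verify signed token").orElse("no token: continue to next authenticator");
            System.out.println(header + " -> " + decision);
        }
        System.out.println("Set-Cookie: " + clearingSetCookie("/"));
    }
}
```

Only the last sample header reaches signature verification; the empty and quoted-empty values take the same path as a request with no hadoop.auth cookie at all.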