public void doFilter()

in gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTFederationFilter.java [194:272]


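  /**
   * Authenticates the request with a JWT or passcode token and continues the filter chain.
   *
   * <p>Processing order: a request for one of the configured unauthenticated paths proceeds
   * with an anonymous subject; when cookie authentication is enabled, a valid cookie completes
   * authentication and the header token is not consulted; otherwise the token is read from the
   * wire. A {@code JWT} token is parsed and validated; a {@code Passcode} token is expected as
   * {@code Base64(Base64(tokenId)::Base64(rawPasscode))} and validated against the
   * server-managed token metadata. A request without a usable token, or whose token fails
   * parsing or validation, is answered with an error status and not forwarded down the chain.
   *
   * @param request  the incoming request; cast to {@link HttpServletRequest} for the
   *                 authentication steps
   * @param response the outgoing response; receives the error status when authentication fails
   * @param chain    the filter chain to continue with once a security context is established
   * @throws IOException       if writing to the response fails
   * @throws ServletException  as declared by the servlet filter contract, propagated from the
   *                           chain or the authentication helpers
   * @throws SecurityException if the token cannot be read from the wire; a
   *                           {@code 400 Bad Request} is written before it is rethrown
   */
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {
    /* check for unauthenticated paths to bypass */
    if(AuthFilterUtils
        .doesRequestContainUnauthPath(unAuthenticatedPaths, request)) {
      continueWithAnonymousSubject(request, response, chain);
      return;
    }

    if (useCookie) {
      try {
        if (authenticateWithCookies((HttpServletRequest) request, (HttpServletResponse) response, chain)) {
          // if there was a valid cookie authentication was handled, there is no point in
          // going forward to check the JWT path in the header
          return;
        }
      } catch (NoValidCookiesException e) {
        log.missingValidCookie();
        handleValidationError((HttpServletRequest) request, (HttpServletResponse) response, HttpServletResponse.SC_UNAUTHORIZED,
            "There is no valid cookie found");
        return;
      }
    }

    Pair<TokenType, String> wireToken = null;
    try {
      wireToken = getWireToken(request);
    } catch (SecurityException e) {
      // answer the client before propagating so the request does not hang without a status
      handleValidationError((HttpServletRequest) request, (HttpServletResponse) response, HttpServletResponse.SC_BAD_REQUEST, null);
      throw e;
    }

    if (wireToken != null && wireToken.getLeft() != null && wireToken.getRight() != null) {
      TokenType tokenType  = wireToken.getLeft();
      String    tokenValue = wireToken.getRight();

      if (TokenType.JWT.equals(tokenType)) {
        try {
          JWT token = new JWTToken(tokenValue);
          if (validateToken((HttpServletRequest) request, (HttpServletResponse) response, chain, token)) {
            Subject subject = createSubjectFromToken(token);
            continueWithEstablishedSecurityContext(subject, (HttpServletRequest) request, (HttpServletResponse) response, chain);
          }
        } catch (ParseException | UnknownTokenException ex) {
          ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
      } else if (TokenType.Passcode.equals(tokenType)) {
        // Validate the token based on the server-managed metadata
        // The received token value must be a Base64 encoded value of Base64(tokenId)::Base64(rawPasscode)
        String tokenId = null;
        String passcode = null;
        // prechecks is false once an error response has been written for this request,
        // either by validateClientCredentialsFlow or by the parse-failure handler below
        boolean prechecks = true;
        try {
          // a value without the "::" separator yields a one-element array; the resulting
          // ArrayIndexOutOfBoundsException is handled by the catch below like any other parse error
          final String[] base64DecodedTokenIdAndPasscode = decodeBase64(tokenValue).split("::");
          tokenId = decodeBase64(base64DecodedTokenIdAndPasscode[0]);
          passcode = decodeBase64(base64DecodedTokenIdAndPasscode[1]);
          // if this is a client credentials flow request then ensure the presented clientId is
          // the actual owner of the client_secret
          prechecks = validateClientCredentialsFlow((HttpServletRequest) request, (HttpServletResponse) response, tokenId);
        } catch (Exception e) {
          log.failedToParsePasscodeToken(e);
          handleValidationError((HttpServletRequest) request, (HttpServletResponse) response, HttpServletResponse.SC_UNAUTHORIZED,
              "Error while parsing the received passcode token");
          // The 401 has already been written: skip validation so the possibly-null tokenId and
          // passcode are never used and the response is not written a second time.
          prechecks = false;
        }
        if (prechecks && validateToken((HttpServletRequest) request, (HttpServletResponse) response, chain, tokenId, passcode)) {
          try {
            Subject subject = createSubjectFromTokenIdentifier(tokenId);
            continueWithEstablishedSecurityContext(subject, (HttpServletRequest) request, (HttpServletResponse) response, chain);
          } catch (UnknownTokenException e) {
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
          }
        }
      }
    } else {
      // no token provided in header
      log.missingTokenFromHeader(wireToken);
      ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
  }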