From fc2897da1d27e5846ee5b6ad10ffb45ee65f0be5 Mon Sep 17 00:00:00 2001
From: Himanshu
Date: Mon, 6 Apr 2020 11:55:55 -0700
Subject: [PATCH] pac4j: be noop if a previous authenticator in chain has successfully authenticated (#9620)
---
 .../java/org/apache/druid/security/pac4j/Pac4jFilter.java | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java
index 7a9eff76b03..4463e43ca29 100644
--- a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java
+++ b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java
@@ -79,6 +79,13 @@ public class Pac4jFilter implements Filter
 public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
 throws IOException, ServletException
 {
+ // If there's already an auth result, then we have authenticated already, skip this or else caller
+ // could get HTTP redirect even if one of the druid authenticators in chain has successfully authenticated.
+ if (servletRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT) != null) {
+ filterChain.doFilter(servletRequest, servletResponse);
+ return;
+ }
+
 HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
 HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
 J2EContext context = new J2EContext(httpServletRequest, httpServletResponse, sessionStore);
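Review bot: The early return in `doFilter` treats any non-null `AuthConfig.DRUID_AUTHENTICATION_RESULT` attribute as proof of authentication and skips the pac4j security logic entirely, so this filter is now only as strong as the invariant that the attribute is written solely by an earlier authenticator after it accepted the request. The hunk does not show where the attribute is set, so that invariant is assumed here; I would state it next to the check, e.g. `// Relies on DRUID_AUTHENTICATION_RESULT being set only server-side by an authenticator that accepted the request.` The commit touches one file and adds no test; a unit test asserting that the chain is invoked once when the attribute is present, and that the pac4j path still runs when it is absent, would keep this bypass from regressing. The body of `doFilter` continues past the end of the hunk.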