From 6774a1732a62fa7bc14769b7ad182146b39f1bf3 Mon Sep 17 00:00:00 2001
From: cnauroth <cnauroth@apache.org>
Date: Thu, 15 Oct 2015 16:44:59 -0700
Subject: [PATCH] HADOOP-12481. JWTRedirectAuthenticationHandler doesn't Retain
 Original Query String. Contributed by Larry McCay.

(cherry picked from commit a121fa1d39b2eb129bcc0e786d0d24c9ec0cdefc)
---
 .../JWTRedirectAuthenticationHandler.java     |  7 +++-
 .../TestJWTRedirectAuthentictionHandler.java  | 42 ++++++++++++++++++-
 .../hadoop-common/CHANGES.txt                 |  3 ++
 3 files changed, 50 insertions(+), 2 deletions(-)

diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/JWTRedirectAuthenticationHandler.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/JWTRedirectAuthenticationHandler.java
index abbf37949c3..cbe923be8eb 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/JWTRedirectAuthenticationHandler.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/JWTRedirectAuthenticationHandler.java
@@ -233,10 +233,15 @@ public class JWTRedirectAuthenticationHandler extends
     }
     String loginURL = authenticationProviderUrl + delimiter
         + ORIGINAL_URL_QUERY_PARAM
-        + request.getRequestURL().toString();
+        + request.getRequestURL().toString() + getOriginalQueryString(request);
     return loginURL;
   }
 
+  private String getOriginalQueryString(HttpServletRequest request) {
+    String originalQueryString = request.getQueryString();
+    return (originalQueryString == null) ? "" : "?" + originalQueryString;
+  }
+
   /**
    * This method provides a single method for validating the JWT for use in
    * request processing. It provides for the override of specific aspects of
diff --git a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestJWTRedirectAuthentictionHandler.java b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestJWTRedirectAuthentictionHandler.java
index 4ac95354de5..019ecb416ce 100644
--- a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestJWTRedirectAuthentictionHandler.java
+++ b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestJWTRedirectAuthentictionHandler.java
@@ -356,6 +356,40 @@ public class TestJWTRedirectAuthentictionHandler extends
     }
   }
 
+  @Test
+  public void testOrigURLWithQueryString() throws Exception {
+    handler.setPublicKey(publicKey);
+
+    Properties props = getProperties();
+    handler.init(props);
+
+    HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+    Mockito.when(request.getRequestURL()).thenReturn(
+        new StringBuffer(SERVICE_URL));
+    Mockito.when(request.getQueryString()).thenReturn("name=value");
+
+    String loginURL = ((TestJWTRedirectAuthenticationHandler)handler).testConstructLoginURL(request);
+    Assert.assertNotNull("loginURL should not be null.", loginURL);
+    Assert.assertEquals("https://localhost:8443/authserver?originalUrl=" + SERVICE_URL + "?name=value", loginURL);
+  }
+
+  @Test
+  public void testOrigURLNoQueryString() throws Exception {
+    handler.setPublicKey(publicKey);
+
+    Properties props = getProperties();
+    handler.init(props);
+
+    HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+    Mockito.when(request.getRequestURL()).thenReturn(
+        new StringBuffer(SERVICE_URL));
+    Mockito.when(request.getQueryString()).thenReturn(null);
+
+    String loginURL = ((TestJWTRedirectAuthenticationHandler)handler).testConstructLoginURL(request);
+    Assert.assertNotNull("LoginURL should not be null.", loginURL);
+    Assert.assertEquals("https://localhost:8443/authserver?originalUrl=" + SERVICE_URL, loginURL);
+  }
+
   @Before
   public void setup() throws Exception, NoSuchAlgorithmException {
     setupKerberosRequirements();
@@ -367,7 +401,7 @@ public class TestJWTRedirectAuthentictionHandler extends
     publicKey = (RSAPublicKey) kp.getPublic();
     privateKey = (RSAPrivateKey) kp.getPrivate();
 
-    handler = new JWTRedirectAuthenticationHandler();
+    handler = new TestJWTRedirectAuthenticationHandler();
   }
 
   protected void setupKerberosRequirements() throws Exception {
@@ -415,4 +449,10 @@ public class TestJWTRedirectAuthentictionHandler extends
 
     return signedJWT;
   }
+
+  class TestJWTRedirectAuthenticationHandler extends JWTRedirectAuthenticationHandler {
+    public String testConstructLoginURL(HttpServletRequest req) {
+      return constructLoginURL(req);
+    }
+  };
 }
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 7bc04ffb20c..3b245a1aa95 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -303,6 +303,9 @@ Release 2.8.0 - UNRELEASED
     HADOOP-10775. Shell operations to fail with meaningful errors on windows if
     winutils.exe not found. (stevel)
 
+    HADOOP-12481. JWTRedirectAuthenticationHandler doesn't Retain Original Query
+    String (Larry McCay via cnauroth)
+
   OPTIMIZATIONS
 
     HADOOP-11785. Reduce the number of listStatus operation in distcp