HADOOP-12481. JWTRedirectAuthenticationHandler doesn't Retain Original Query String. Contributed by Larry McCay.

(cherry picked from commit a121fa1d39)

hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/JWTRedirectAuthenticationHandler.java

@@ -233,10 +233,15 @@ protected String constructLoginURL(HttpServletRequest request) {
     }
     String loginURL = authenticationProviderUrl + delimiter
         + ORIGINAL_URL_QUERY_PARAM
-        + request.getRequestURL().toString();
+        + request.getRequestURL().toString() + getOriginalQueryString(request);
     return loginURL;
   }
 
+  private String getOriginalQueryString(HttpServletRequest request) {
+    String originalQueryString = request.getQueryString();
+    return (originalQueryString == null) ? "" : "?" + originalQueryString;
+  }
+
   /**
    * This method provides a single method for validating the JWT for use in
    * request processing. It provides for the override of specific aspects of

hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestJWTRedirectAuthentictionHandler.java

@@ -356,6 +356,40 @@ public void testValidJWT() throws Exception {
     }
   }
 
+  @Test
+  public void testOrigURLWithQueryString() throws Exception {
+    handler.setPublicKey(publicKey);
+
+    Properties props = getProperties();
+    handler.init(props);
+
+    HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+    Mockito.when(request.getRequestURL()).thenReturn(
+        new StringBuffer(SERVICE_URL));
+    Mockito.when(request.getQueryString()).thenReturn("name=value");
+
+    String loginURL = ((TestJWTRedirectAuthenticationHandler)handler).testConstructLoginURL(request);
+    Assert.assertNotNull("loginURL should not be null.", loginURL);
+    Assert.assertEquals("https://localhost:8443/authserver?originalUrl=" + SERVICE_URL + "?name=value", loginURL);
+  }
+
+  @Test
+  public void testOrigURLNoQueryString() throws Exception {
+    handler.setPublicKey(publicKey);
+
+    Properties props = getProperties();
+    handler.init(props);
+
+    HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+    Mockito.when(request.getRequestURL()).thenReturn(
+        new StringBuffer(SERVICE_URL));
+    Mockito.when(request.getQueryString()).thenReturn(null);
+
+    String loginURL = ((TestJWTRedirectAuthenticationHandler)handler).testConstructLoginURL(request);
+    Assert.assertNotNull("LoginURL should not be null.", loginURL);
+    Assert.assertEquals("https://localhost:8443/authserver?originalUrl=" + SERVICE_URL, loginURL);
+  }
+
   @Before
   public void setup() throws Exception, NoSuchAlgorithmException {
     setupKerberosRequirements();
@@ -367,7 +401,7 @@ public void setup() throws Exception, NoSuchAlgorithmException {
     publicKey = (RSAPublicKey) kp.getPublic();
     privateKey = (RSAPrivateKey) kp.getPrivate();
 
-    handler = new JWTRedirectAuthenticationHandler();
+    handler = new TestJWTRedirectAuthenticationHandler();
   }
 
   protected void setupKerberosRequirements() throws Exception {
@@ -415,4 +449,10 @@ protected SignedJWT getJWT(String sub, Date expires, RSAPrivateKey privateKey)
 
     return signedJWT;
   }
+
+  class TestJWTRedirectAuthenticationHandler extends JWTRedirectAuthenticationHandler {
+    public String testConstructLoginURL(HttpServletRequest req) {
+      return constructLoginURL(req);
+    }
+  };
 }

hadoop-common-project/hadoop-common/CHANGES.txt

@@ -303,6 +303,9 @@ Release 2.8.0 - UNRELEASED
     HADOOP-10775. Shell operations to fail with meaningful errors on windows if
     winutils.exe not found. (stevel)
 
+    HADOOP-12481. JWTRedirectAuthenticationHandler doesn't Retain Original Query
+    String (Larry McCay via cnauroth)
+
   OPTIMIZATIONS
 
     HADOOP-11785. Reduce the number of listStatus operation in distcp