KNOX-2651 - NPE when token value is missing (apache#487)

gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/JWTMessages.java

@@ -16,10 +16,12 @@
  */
 package org.apache.knox.gateway.provider.federation.jwt;
 
+import org.apache.commons.lang3.tuple.Pair;
 import org.apache.knox.gateway.i18n.messages.Message;
 import org.apache.knox.gateway.i18n.messages.MessageLevel;
 import org.apache.knox.gateway.i18n.messages.Messages;
 import org.apache.knox.gateway.i18n.messages.StackTrace;
+import org.apache.knox.gateway.provider.federation.jwt.filter.JWTFederationFilter;
 
 @Messages(logger="org.apache.knox.gateway.provider.federation.jwt")
 public interface JWTMessages {
@@ -87,4 +89,7 @@ public interface JWTMessages {
 
   @Message( level = MessageLevel.ERROR, text = "Token is disabled: {0}" )
   void disabledToken(String tokenId);
+
+  @Message( level = MessageLevel.INFO, text = "Missing token: {0}")
+  void missingTokenFromHeader(Pair<JWTFederationFilter.TokenType, String> wireToken);
 }

gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTFederationFilter.java

@@ -126,7 +126,7 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
     }
     final Pair<TokenType, String> wireToken = getWireToken(request);
 
-    if (wireToken != null) {
+    if (wireToken != null && wireToken.getLeft() != null && wireToken.getRight() != null) {
       TokenType tokenType  = wireToken.getLeft();
       String    tokenValue = wireToken.getRight();
 
@@ -166,6 +166,7 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
       }
     } else {
       // no token provided in header
+      log.missingTokenFromHeader(wireToken);
       ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
     }
   }

gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/JWTFederationFilterTest.java

@@ -20,8 +20,10 @@
 import com.nimbusds.jwt.SignedJWT;
 import org.easymock.EasyMock;
 import org.junit.Before;
+import org.junit.Test;
 
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 
 @SuppressWarnings("PMD.TestClassWithoutTestCases")
 public class JWTFederationFilterTest extends AbstractJWTFilterTest {
@@ -52,4 +54,22 @@ protected void setGarbledTokenOnRequest(HttpServletRequest request, SignedJWT jw
     String token = TestJWTFederationFilter.BEARER + " ljm" + jwt.serialize();
     EasyMock.expect(request.getHeader("Authorization")).andReturn(token);
   }
+
+  @Test
+  public void testMissingTokenValue() throws Exception {
+    handler.init(new TestFilterConfig(getProperties()));
+
+    HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
+    EasyMock.expect(request.getRequestURL()).andReturn(new StringBuffer(SERVICE_URL)).anyTimes();
+    EasyMock.expect(request.getHeader("Authorization")).andReturn("Basic VG9rZW46");
+    HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
+    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+    EasyMock.expectLastCall().once();
+    EasyMock.replay(request, response);
+
+    TestFilterChain chain = new TestFilterChain();
+    handler.doFilter(request, response, chain);
+
+    EasyMock.verify(response);
+  }
 }