[ZEPPELIN-6266] Fix JWT expiration validation security vulnerability #5007
Merged
jongyoul merged 3 commits into apache:master, Aug 5, 2025
Conversation
JWT tokens without expiration time were incorrectly accepted as valid, creating a security vulnerability. This change ensures that JWT tokens must have a valid expiration time to be accepted.
Reamer (Contributor) requested changes, Aug 4, 2025:
Looks good to me. Just a few minor things.
Review threads (resolved) on:
- zeppelin-server/src/main/java/org/apache/zeppelin/realm/jwt/KnoxJwtRealm.java
- zeppelin-server/src/test/java/org/apache/zeppelin/realm/jwt/KnoxJwtRealmTest.java
Commit:
- Remove string concatenation
- Insert a new line
Author (Contributor): I have applied the changes you suggested. I really appreciate you taking the time to review it so carefully.
Author (Contributor): @Reamer I was wondering what the merge schedule is for this PR after it's approved.
jongyoul pushed a commit that referenced this pull request, Aug 5, 2025:
### What is this PR for?
This PR fixes a critical security vulnerability in JWT token validation where tokens without expiration time were incorrectly accepted as valid, potentially allowing indefinite unauthorized access. The fix ensures all JWT tokens must have a valid expiration time and adds comprehensive unit tests to prevent regression.

### What type of PR is it?
Bug Fix

### Todos
* [x] - Fix JWT expiration validation logic to reject null expiration tokens
* [x] - Add security warning logs for rejected tokens
* [x] - Create comprehensive unit tests for JWT validation scenarios
* [x] - Verify backwards compatibility with existing valid tokens

### What is the Jira issue?
* [ZEPPELIN-6266](https://issues.apache.org/jira/browse/ZEPPELIN-6266) Fix JWT expiration validation security vulnerability

### How should this be tested?
* **Automated Unit Tests Added**:
  - New test file: `KnoxJwtRealmTest.java` with 3 comprehensive test scenarios
  - Run: `mvn test -Dtest=KnoxJwtRealmTest -pl zeppelin-server`
  - All tests pass: `Tests run: 3, Failures: 0, Errors: 0, Skipped: 0`
* **Manual Testing Steps**:
  1. Create JWT token without expiration time → Should be rejected with security warning
  2. Create JWT token with valid future expiration → Should be accepted
  3. Create JWT token with past expiration → Should be rejected
  4. Check server logs for security warnings: "JWT token has no expiration time - rejecting token for security"
* **Security Validation**:
  - Verify that tokens without expiration are properly rejected
  - Confirm existing valid tokens continue to work
  - Check security event logging

### Screenshots (if appropriate)
N/A - Security fix with no UI changes

### Questions:
* **Does the license files need to update?** No - only modified existing files and added test files with standard Apache license headers
* **Is there breaking changes for older versions?** No - fully backwards compatible. Only affects tokens with missing expiration (which should not exist in proper JWT implementations)
* **Does this needs documentation?** No - internal security fix that doesn't change public APIs or configuration

Closes #5007 from chadongmin/ZEPPELIN-6266.

Signed-off-by: Jongyoul Lee <[email protected]>
(cherry picked from commit 4bf5ab9)
Signed-off-by: Jongyoul Lee <[email protected]>
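As an added illustration (not code from this PR or from Zeppelin), the following Python models the two behaviours the description contrasts: a lenient check that accepts a correctly signed token with no `exp` claim, and the strict check that requires a future `exp`. It uses a constructed HS256 secret and constructed tokens so it runs offline; the Knox realm's own signature verification is not shown on this page and is not reproduced here.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed HS256 secret so the script runs offline (the realm's own
# signature check is not on this page; only the 'exp' rule is modelled).
SECRET = b"example-shared-secret-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict) -> str:
    """Build a signed HS256 JWT from a claims dict (constructed test helper)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def _verified_claims(token: str):
    """Return the claims dict if the signature verifies, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    expected = hmac.new(SECRET, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return None
    return json.loads(_b64url_decode(parts[1]))

def _check(token: str, now: float, require_exp: bool) -> bool:
    claims = _verified_claims(token)
    if claims is None:
        return False            # bad signature or malformed token
    exp = claims.get("exp")
    if exp is None:
        return not require_exp  # lenient: "never expires"; strict: reject
    return exp > now            # numeric 'exp' must lie in the future

def validate_lenient(token: str, now=None) -> bool:
    """Flawed behaviour the PR describes: a token with no 'exp' is accepted."""
    return _check(token, time.time() if now is None else now, require_exp=False)

def validate_strict(token: str, now=None) -> bool:
    """Fixed behaviour: 'exp' is required and must not be in the past."""
    return _check(token, time.time() if now is None else now, require_exp=True)
```

The three manual test cases in the description (no `exp`, future `exp`, past `exp`) map directly onto `validate_strict`, and `validate_lenient` shows why the first case was the problem.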
Member: I changed the title to ZEPPELIN-6266