[ZEPPELIN-6626] Fix JWT expiration validation security vulnerability

chadongmin · web-flow · commit 4bf5ab99d32b · 2025-08-05T19:28:58.000+09:00
### What is this PR for? This PR fixes a critical security vulnerability in JWT token validation where tokens without expiration time were incorrectly accepted as valid, potentially allowing indefinite unauthorized access. The fix ensures all JWT tokens must have a valid expiration time and adds comprehensive unit tests to prevent regression. ### What type of PR is it? Bug Fix ### Todos * [x] - Fix JWT expiration validation logic to reject null expiration tokens * [x] - Add security warning logs for rejected tokens * [x] - Create comprehensive unit tests for JWT validation scenarios * [x] - Verify backwards compatibility with existing valid tokens ### What is the Jira issue? * [ZEPPELIN-6266](https://issues.apache.org/jira/browse/ZEPPELIN-6266) Fix JWT expiration validation security vulnerability ### How should this be tested? * **Automated Unit Tests Added**: - New test file: `KnoxJwtRealmTest.java` with 3 comprehensive test scenarios - Run: `mvn test -Dtest=KnoxJwtRealmTest -pl zeppelin-server` - All tests pass: `Tests run: 3, Failures: 0, Errors: 0, Skipped: 0` * **Manual Testing Steps**: 1. Create JWT token without expiration time → Should be rejected with security warning 2. Create JWT token with valid future expiration → Should be accepted 3. Create JWT token with past expiration → Should be rejected 4. Check server logs for security warnings: "JWT token has no expiration time - rejecting token for security" * **Security Validation**: - Verify that tokens without expiration are properly rejected - Confirm existing valid tokens continue to work - Check security event logging ### Screenshots (if appropriate) N/A - Security fix with no UI changes ### Questions: * **Does the license files need to update?** No - only modified existing files and added test files with standard Apache license headers * **Is there breaking changes for older versions?** No - fully backwards compatible. Only affects tokens with missing expiration (which should not exist in proper JWT implementations) * **Does this needs documentation?** No - internal security fix that doesn't change public APIs or configuration Closes #5007 from chadongmin/ZEPPELIN-6266. Signed-off-by: Jongyoul Lee <jongyoul@gmail.com>
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/realm/jwt/KnoxJwtRealm.java b/zeppelin-server/src/main/java/org/apache/zeppelin/realm/jwt/KnoxJwtRealm.java
@@ -192,10 +192,12 @@ protected boolean validateExpiration(SignedJWT jwtToken) {
     boolean valid = false;
     try {
       Date expires = jwtToken.getJWTClaimsSet().getExpirationTime();
-      if (expires == null || new Date().before(expires)) {
-        if (LOGGER.isDebugEnabled()) {
-          LOGGER.debug("SSO token expiration date has been " + "successfully validated");
-        }
+      if (expires == null) {
+        LOGGER.warn("JWT token has no expiration time - rejecting token for security");
+        return false;
+      }
+      if (new Date().before(expires)) {
+        LOGGER.debug("SSO token expiration date has been successfully validated");
         valid = true;
       } else {
         LOGGER.warn("SSO expiration date validation failed.");
diff --git a/zeppelin-server/src/test/java/org/apache/zeppelin/realm/jwt/KnoxJwtRealmTest.java b/zeppelin-server/src/test/java/org/apache/zeppelin/realm/jwt/KnoxJwtRealmTest.java
@@ -0,0 +1,102 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.zeppelin.realm.jwt;
+
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jose.JWSSigner;
+import com.nimbusds.jose.crypto.RSASSASigner;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.SignedJWT;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+import java.util.Date;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+public class KnoxJwtRealmTest {
+
+  private KnoxJwtRealm knoxJwtRealm;
+
+  @BeforeEach
+  void setUp() throws Exception {
+    knoxJwtRealm = new KnoxJwtRealm();
+  }
+
+  private SignedJWT createJWT(String subject, Date expiration) throws Exception {
+    JWTClaimsSet.Builder claimsBuilder = new JWTClaimsSet.Builder()
+        .subject(subject)
+        .issuer("KNOXSSO")
+        .issueTime(new Date());
+    
+    if (expiration != null) {
+      claimsBuilder.expirationTime(expiration);
+    }
+    
+    JWTClaimsSet claimsSet = claimsBuilder.build();
+    SignedJWT signedJWT = new SignedJWT(
+        new JWSHeader.Builder(JWSAlgorithm.RS256).build(),
+        claimsSet
+    );
+
+    // Note: We don't sign the JWT for these tests as we're only testing expiration validation
+    return signedJWT;
+  }
+
+  @Test
+  void testValidateExpiration_WithNullExpiration_ShouldReturnFalse() throws Exception {
+    // Given: JWT token without expiration time
+    SignedJWT jwtWithoutExpiration = createJWT("testuser", null);
+    
+    // When: validating expiration
+    boolean result = knoxJwtRealm.validateExpiration(jwtWithoutExpiration);
+    
+    // Then: should return false
+    assertFalse(result, "JWT token without expiration time should be rejected");
+  }
+
+  @Test
+  void testValidateExpiration_WithValidFutureExpiration_ShouldReturnTrue() throws Exception {
+    // Given: JWT token with future expiration
+    Date futureDate = new Date(System.currentTimeMillis() + 3600000); // 1 hour from now
+    SignedJWT jwtWithValidExpiration = createJWT("testuser", futureDate);
+    
+    // When: validating expiration
+    boolean result = knoxJwtRealm.validateExpiration(jwtWithValidExpiration);
+    
+    // Then: should return true
+    assertTrue(result, "JWT token with valid future expiration should be accepted");
+  }
+
+  @Test
+  void testValidateExpiration_WithPastExpiration_ShouldReturnFalse() throws Exception {
+    // Given: JWT token with past expiration
+    Date pastDate = new Date(System.currentTimeMillis() - 3600000); // 1 hour ago
+    SignedJWT jwtWithPastExpiration = createJWT("testuser", pastDate);
+    
+    // When: validating expiration
+    boolean result = knoxJwtRealm.validateExpiration(jwtWithPastExpiration);
+    
+    // Then: should return false
+    assertFalse(result, "JWT token with past expiration should be rejected");
+  }
+
+  // Note: Full token validation tests are omitted as they require complex setup
+  // including certificate files and signature validation. The core expiration 
+  // validation logic is tested above through direct method calls.
+}
