Skip to content

RANGER-5693: Stop logging full JWT bearer tokens on validation failure#1081

Open
ramackri wants to merge 2 commits into
apache:masterfrom
ramackri:RANGER-5693-patch
Open

RANGER-5693: Stop logging full JWT bearer tokens on validation failure#1081
ramackri wants to merge 2 commits into
apache:masterfrom
ramackri:RANGER-5693-patch

Conversation

@ramackri

@ramackri ramackri commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Remove logging of the full serialized JWT bearer token (header.payload.signature) when RangerJwtAuthHandler validation fails.
  • Log only non-sensitive metadata: subject, audience, issuer, keyId, jwtId.

JIRA: https://issues.apache.org/jira/browse/RANGER-5693

Problem

On validation failure, RangerJwtAuthHandler.authenticate() logged:

RangerJwtAuthHandler.authenticate(): Validation failed for JWT token: [<full serialized JWT>]

validateToken() checks claims in order: expiration → signature → audience → issuer. A cryptographically valid, unexpired token rejected only for audience mismatch still hit this WARN path. The full bearer credential in logs could be replayed against another Ranger JWT consumer that trusts the same signing material and accepts the token's audience.

Fix

Before:

LOG.warn("... Validation failed for JWT token: [{}] ", jwtToken.serialize());

After:

LOG.warn("JWT validation failed ({})", safeJwtLogContext(jwtToken));

safeJwtLogContext() emits diagnostic fields only, for example:

JWT validation failed (subject=f015_replay_user, audience=service-a, issuer=test-issuer, keyId=kid-abc, jwtId=jti-123)

The raw bearer string is never written to operational logs. jwtId (jti claim) provides log correlation when present.

Null-safety

  • validateAudiences(): guard tokenAudienceList != null before iterating (avoids NPE when aud claim is absent).
  • safeJwtLogContext(): guard jwtToken.getHeader() before reading keyId; use StringUtils.join() for audience list (JDK 8 compatible, tolerates null list entries).

Files changed (2)

File Change
ranger-authn/.../RangerJwtAuthHandler.java Safe logging, safeJwtLogContext(), audience null guard
ranger-authn/.../TestRangerJwtAuthHandler.java Unit tests for safe context and missing audience

Test plan

Unit tests (automated)

mvn -pl ranger-authn test -Dtest=TestRangerJwtAuthHandler
mvn verify -pl ranger-authn -Dtest=TestRangerJwtAuthHandler -Drat.skip=true

Replace jwtToken.serialize() in the validation-failure WARN path with
safeJwtLogContext() that logs only non-sensitive metadata and a SHA-256
hash for log correlation. Add null-safety for missing audience claims
and unit tests for the safe logging path.
Per review feedback, remove sha256Hex/tokenHash from safeJwtLogContext;
jwtId is sufficient for log correlation when present.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants