(pulsar) branch master updated: [fix][ws] Fix WebSocket authentication with authenticateOriginalAuthData enabled (#24615)

technoboy Sun, 10 Aug 2025 20:22:03 -0700

This is an automated email from the ASF dual-hosted git repository.

technoboy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git



The following commit(s) were added to refs/heads/master by this push:
     new fee86932b05 [fix][ws] Fix WebSocket authentication with 
authenticateOriginalAuthData enabled (#24615)
fee86932b05 is described below

commit fee86932b05cafe77c7429c40c3cd875618f47cc
Author: Penghui Li <[email protected]>
AuthorDate: Sun Aug 10 20:21:49 2025 -0700

    [fix][ws] Fix WebSocket authentication with authenticateOriginalAuthData 
enabled (#24615)
---
 .../org/apache/pulsar/broker/service/ServerCnx.java    |  4 +++-
 .../proxy/ProxyRoleAuthWebServiceURLTest.java          |  2 ++
 ... => ProxyRoleAuthenticateOriginalAuthDataTest.java} | 16 ++++++----------
 ...AuthenticateOriginalAuthDataWebServiceURLTest.java} | 18 +++++++-----------
 4 files changed, 18 insertions(+), 22 deletions(-)

diff --git 
a/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java 
b/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java
index e2995a0a2cf..d1bc4953d11 100644
--- 
a/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java
+++ 
b/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java
@@ -28,6 +28,7 @@ import static 
org.apache.pulsar.broker.lookup.TopicLookupBase.lookupTopicAsync;
 import static 
org.apache.pulsar.broker.service.persistent.PersistentTopic.getMigratedClusterUrl;
 import static 
org.apache.pulsar.broker.service.schema.BookkeeperSchemaStorage.ignoreUnrecoverableBKException;
 import static org.apache.pulsar.common.api.proto.ProtocolVersion.v5;
+import static 
org.apache.pulsar.common.naming.Constants.WEBSOCKET_DUMMY_ORIGINAL_PRINCIPLE;
 import static 
org.apache.pulsar.common.protocol.Commands.DEFAULT_CONSUMER_EPOCH;
 import static 
org.apache.pulsar.common.protocol.Commands.newLookupErrorResponse;
 import com.google.common.annotations.VisibleForTesting;
@@ -1125,7 +1126,8 @@ public class ServerCnx extends PulsarHandler implements 
TransportCnx {
                 log.debug("[{}] Authenticate role : {}", remoteAddress, role);
             }
 
-            if (connect.hasOriginalPrincipal() && 
service.getPulsar().getConfig().isAuthenticateOriginalAuthData()) {
+            if (connect.hasOriginalPrincipal() && 
service.getPulsar().getConfig().isAuthenticateOriginalAuthData()
+                    && 
!WEBSOCKET_DUMMY_ORIGINAL_PRINCIPLE.equals(connect.getOriginalPrincipal())) {
                 // Flow:
                 // 1. Initialize original authentication.
                 // 2. Authenticate the proxy's authentication data.
diff --git 
a/pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyRoleAuthWebServiceURLTest.java
 
b/pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyRoleAuthWebServiceURLTest.java
index f726178aabc..08087f6f3e0 100644
--- 
a/pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyRoleAuthWebServiceURLTest.java
+++ 
b/pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyRoleAuthWebServiceURLTest.java
@@ -19,10 +19,12 @@
 package org.apache.pulsar.websocket.proxy;
 
 import org.apache.pulsar.websocket.service.WebSocketProxyConfiguration;
+import org.testng.annotations.Test;
 
 /**
  * Same test with ProxyRoleAuthTest but using REST API as the internal client.
  */
+@Test(groups = "websocket")
 public class ProxyRoleAuthWebServiceURLTest extends ProxyRoleAuthTest {
 
     @Override
diff --git 
a/pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyRoleAuthWebServiceURLTest.java
 
b/pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyRoleAuthenticateOriginalAuthDataTest.java
similarity index 60%
copy from 
pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyRoleAuthWebServiceURLTest.java
copy to 
pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyRoleAuthenticateOriginalAuthDataTest.java
index f726178aabc..0f292669117 100644
--- 
a/pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyRoleAuthWebServiceURLTest.java
+++ 
b/pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyRoleAuthenticateOriginalAuthDataTest.java
@@ -18,21 +18,17 @@
  */
 package org.apache.pulsar.websocket.proxy;
 
-import org.apache.pulsar.websocket.service.WebSocketProxyConfiguration;
+import org.testng.annotations.Test;
 
 /**
  * Same test with ProxyRoleAuthTest but using REST API as the internal client.
  */
-public class ProxyRoleAuthWebServiceURLTest extends ProxyRoleAuthTest {
+@Test(groups = "websocket")
+public class ProxyRoleAuthenticateOriginalAuthDataTest extends 
ProxyRoleAuthTest {
 
     @Override
-    protected WebSocketProxyConfiguration getProxyConfig() {
-        // Create WebSocket proxy configuration with authentication and 
authorization enabled
-        WebSocketProxyConfiguration proxyConfig = super.getProxyConfig();
-        proxyConfig.setServiceUrl(pulsar.getWebServiceAddress());
-        proxyConfig.setServiceUrlTls(pulsar.getWebServiceAddressTls());
-        proxyConfig.setBrokerServiceUrl(null);
-        proxyConfig.setBrokerServiceUrlTls(null);
-        return  proxyConfig;
+    protected void doInitConf() throws Exception {
+        super.doInitConf();
+        conf.setAuthenticateOriginalAuthData(true);
     }
 }
diff --git 
a/pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyRoleAuthWebServiceURLTest.java
 
b/pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyRoleAuthenticateOriginalAuthDataWebServiceURLTest.java
similarity index 55%
copy from 
pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyRoleAuthWebServiceURLTest.java
copy to 
pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyRoleAuthenticateOriginalAuthDataWebServiceURLTest.java
index f726178aabc..4078f67fc2b 100644
--- 
a/pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyRoleAuthWebServiceURLTest.java
+++ 
b/pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyRoleAuthenticateOriginalAuthDataWebServiceURLTest.java
@@ -18,21 +18,17 @@
  */
 package org.apache.pulsar.websocket.proxy;
 
-import org.apache.pulsar.websocket.service.WebSocketProxyConfiguration;
+import org.testng.annotations.Test;
 
 /**
- * Same test with ProxyRoleAuthTest but using REST API as the internal client.
+ * Same test with ProxyRoleAuthWebServiceURLTest but with 
authenticateOriginalAuthData enabled.
  */
-public class ProxyRoleAuthWebServiceURLTest extends ProxyRoleAuthTest {
+@Test(groups = "websocket")
+public class ProxyRoleAuthenticateOriginalAuthDataWebServiceURLTest extends 
ProxyRoleAuthWebServiceURLTest {
 
     @Override
-    protected WebSocketProxyConfiguration getProxyConfig() {
-        // Create WebSocket proxy configuration with authentication and 
authorization enabled
-        WebSocketProxyConfiguration proxyConfig = super.getProxyConfig();
-        proxyConfig.setServiceUrl(pulsar.getWebServiceAddress());
-        proxyConfig.setServiceUrlTls(pulsar.getWebServiceAddressTls());
-        proxyConfig.setBrokerServiceUrl(null);
-        proxyConfig.setBrokerServiceUrlTls(null);
-        return  proxyConfig;
+    protected void doInitConf() throws Exception {
+        super.doInitConf();
+        conf.setAuthenticateOriginalAuthData(true);
     }
 }

(pulsar) branch master updated: [fix][ws] Fix WebSocket authentication with authenticateOriginalAuthData enabled (#24615)

Reply via email to