SENTRY-900: User could access sentry metric info by curl without authorization (Dapeng Sun, reviewed by Colin Ma)
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java
index 311fbb5..29759e8 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java
@@ -51,13 +51,14 @@
@Override
protected void doFilter(FilterChain filterChain, HttpServletRequest request,
HttpServletResponse response) throws IOException, ServletException {
- super.doFilter(filterChain, request, response);
String userName = request.getRemoteUser();
LOG.debug("Authenticating user: " + userName + " from request.");
if (!allowUsers.contains(userName)) {
response.sendError(HttpServletResponse.SC_FORBIDDEN,
userName + " is unauthorized. status code: " + HttpServletResponse.SC_FORBIDDEN);
+ throw new ServletException(userName + " is unauthorized. status code: " + HttpServletResponse.SC_FORBIDDEN);
}
+ super.doFilter(filterChain, request, response);
}
/**
