diff --git a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java
index 9464f6aa0830..2f3b1182ccb4 100644
--- a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java
+++ b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java
@@ -43,7 +43,6 @@
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
-import java.util.Collection;
 public class Pac4jFilter implements Filter {
@@ -101,17 +100,9 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
 UserProfile profile = (UserProfile) securityLogic.perform(
 context,
 sessionStore,
- pac4jConfig,
- (JEEContext ctx, Collection profiles, Object... parameters) -> {
- if (profiles.isEmpty()) {
- LOGGER.warn("No profiles found after OIDC auth.");
- return null;
- } else {
- return profiles.iterator().next();
- }
- },
+ pac4jConfig, null,
 JEEHttpActionAdapter.INSTANCE,
- null, "none", null, null);
+ null, "none", null);
 // Changed the Authorizer from null to "none".
 // In the older version, if it is null, it simply grant access and returns authorized.
 // But in the newer pac4j version, it uses CsrfAuthorizer as default, And because of this, It was returning 403 in API calls.
diff --git a/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jFilterTest.java b/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jFilterTest.java
index 1d5c76b7f0e0..bd90693d52db 100644
--- a/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jFilterTest.java
+++ b/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jFilterTest.java
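Review bot: Passing `null` as the fourth argument of `securityLogic.perform(...)` in `doFilter` of Pac4jFilter.java leaves the call without the callback that used to return the first authenticated profile, while the result is still cast to `UserProfile`. Whether the pac4j version in use accepts a null access-granted adapter is not visible in this hunk. If the library invokes the adapter after a successful login, the authenticated path would fail at runtime; if it skips it, the value assigned to `profile` may no longer be the user's profile. The removal also drops the `"No profiles found after OIDC auth."` warning, the only log signal for an authenticated session that carries no profile. I would either keep an explicit adapter or document the contract beside the argument, e.g. `pac4jConfig, null, // no access-granted adapter: perform() returns <what the library returns here>`, and add a test for the authenticated path to Pac4jFilterTest. The body of `doFilter` starts and ends outside the hunk, so how `profile` is used afterwards could not be checked.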
@@ -26,11 +26,11 @@
 import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mockito.junit.MockitoJUnitRunner;
-import org.pac4j.jee.context.JEEContext;
 import org.pac4j.core.exception.http.ForbiddenAction;
 import org.pac4j.core.exception.http.FoundAction;
 import org.pac4j.core.exception.http.HttpAction;
 import org.pac4j.core.exception.http.WithLocationAction;
+import org.pac4j.jee.context.JEEContext;
 import org.pac4j.jee.http.adapter.JEEHttpActionAdapter;
 import javax.servlet.http.HttpServletRequest;