From kmin...@apache.org
Subject git commit: Prevent rememberMe cookie from being added to response.
Date Wed, 03 Apr 2013 19:31:46 GMT
Updated Branches:
  refs/heads/master 9b2e384f2 -> f0ba7ca15


Prevent rememberMe cookie from being added to response.


Project: http://git-wip-us.apache.org/repos/asf/incubator-knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-knox/commit/f0ba7ca1
Tree: http://git-wip-us.apache.org/repos/asf/incubator-knox/tree/f0ba7ca1
Diff: http://git-wip-us.apache.org/repos/asf/incubator-knox/diff/f0ba7ca1

Branch: refs/heads/master
Commit: f0ba7ca155b65de67c81ac0e9979c17a52a56caf
Parents: 9b2e384
Author: Kevin Minder <kevin.minder@hortonworks.com>
Authored: Wed Apr 3 15:31:33 2013 -0400
Committer: Kevin Minder <kevin.minder@hortonworks.com>
Committed: Wed Apr 3 15:31:33 2013 -0400

----------------------------------------------------------------------
 .../deploy/impl/ShiroDeploymentContributor.java    |    6 +-
 .../gateway/filter/ResponseCookieFilter.java       |   82 +++++++++++++++
 .../gateway/deploy/DeploymentFactoryTest.java      |   43 +++++---
 .../apache/hadoop/gateway/launcher/ConfigTest.java |    8 +-
 4 files changed, 116 insertions(+), 23 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f0ba7ca1/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroDeploymentContributor.java
b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroDeploymentContributor.java
index b1cc256..19dcce3 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroDeploymentContributor.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroDeploymentContributor.java
@@ -32,6 +32,7 @@ public class ShiroDeploymentContributor extends ProviderDeploymentContributorBas
   private static final String LISTENER_CLASSNAME = "org.apache.shiro.web.env.EnvironmentLoaderListener";
   private static final String FILTER_CLASSNAME = "org.apache.shiro.web.servlet.ShiroFilter";
   private static final String FILTER_CLASSNAME2 = "org.apache.hadoop.gateway.filter.PostAuthenticationFilter";
+  private static final String FILTER_CLASSNAME3 = "org.apache.hadoop.gateway.filter.ResponseCookieFilter";
 
   @Override
   public String getRole() {
@@ -54,14 +55,15 @@ public class ShiroDeploymentContributor extends ProviderDeploymentContributorBas
 //    context.getWebAppDescriptor().createFilterMapping().filterName("PostShiroFilter").servletName("cluster");
     // Write the provider specific config out to the war for cluster specific config
 //    String config = provider.getParams().get( "config" );
-    String config = new ShiroConfig(provider).toString();
-    if ( config != null ) {
+    String config = new ShiroConfig( provider ).toString();
+    if( config != null ) {
       context.getWebArchive().addAsWebInfResource( new StringAsset( config ), "shiro.ini"
);
     }
   }
 
   @Override
   public void contributeFilter( DeploymentContext context, Provider provider, Service service,
ResourceDescriptor resource, List<FilterParamDescriptor> params ) {
+    resource.addFilter().name( "Pre" + getName() ).role( getRole() ).impl( FILTER_CLASSNAME3
).params( params );
     resource.addFilter().name( getName() ).role( getRole() ).impl( FILTER_CLASSNAME ).params(
params );
     resource.addFilter().name( "Post" + getName() ).role( getRole() ).impl( FILTER_CLASSNAME2
).params( params );
   }
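Review bot: The new `"Pre" + getName()` registration in contributeFilter depends on being added before the ShiroFilter line, and nothing in the code says so. ResponseCookieFilter wraps the response and passes the wrapper down the chain, so it has to sit ahead of the filter that writes the cookie (presumably ShiroFilter); today that intent is visible only through the position assertions in DeploymentFactoryTest. I would add a comment above the line, e.g. `// Must precede ShiroFilter: wraps the response so the rememberMe Set-Cookie is dropped.` Separately, `FILTER_CLASSNAME3` continues the numbered pattern, but a descriptive name such as `RESPONSE_COOKIE_FILTER_CLASSNAME` would make the three registrations easier to read.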

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f0ba7ca1/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ResponseCookieFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ResponseCookieFilter.java
b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ResponseCookieFilter.java
new file mode 100644
index 0000000..4d31e10
--- /dev/null
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ResponseCookieFilter.java
@@ -0,0 +1,82 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.gateway.filter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletResponseWrapper;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+
+public class ResponseCookieFilter extends AbstractGatewayFilter {
+
+  @Override
+  protected void doFilter( HttpServletRequest request, HttpServletResponse response, FilterChain
chain ) throws IOException, ServletException {
+    ResponseWrapper responseWrapper = new ResponseWrapper( response );
+    chain.doFilter( request, responseWrapper );
+  }
+
+  // inner class wraps response to prevent adding of not allowed headers
+  private class ResponseWrapper extends HttpServletResponseWrapper {
+
+    public ResponseWrapper( HttpServletResponse response ) {
+      super( response );
+    }
+
+    public void addCookie( Cookie cookie ) {
+      if( cookie != null && isAllowedHeaderValue( cookie.getValue() ) ) {
+        super.addCookie( cookie );
+      }
+    }
+
+    public void setHeader( String name, String value ) {
+      if( isAllowedHeaderValue( value ) ) {
+        super.setHeader( name, value );
+      }
+    }
+
+    public void addHeader( String name, String value ) {
+      if( isAllowedHeaderValue( value ) ) {
+        super.addHeader( name, value );
+      }
+    }
+
+    private boolean isAllowedHeaderValue( String value ) {
+      if( value != null ) {
+        for( String v : restrictedCookieValues ) {
+          if( value.contains( v ) ) {
+            return false;
+          }
+        }
+      }
+      return true;
+    }
+  }
+
+  private final static List<String> restrictedCookieValues = new ArrayList<String>(
+      Arrays.asList( "rememberMe" )
+  );
+
+}
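Review bot: `ResponseWrapper.addCookie` tests `cookie.getValue()` against `restrictedCookieValues`, so a cookie that is named `rememberMe` is forwarded unless its value happens to contain that string; the check belongs on `cookie.getName()`. In the other direction, `setHeader`/`addHeader` ignore the header name and match with `contains`, so any header (a `Location` redirect, for instance) whose value includes the substring `rememberMe` is silently dropped. The filter presumably works today because Shiro writes its cookie as a raw `Set-Cookie` header, but that leaves both the gap in `addCookie` and the over-blocking in place. The sketch below limits header filtering to `Set-Cookie` and matches on the cookie name. The overrides should also carry `@Override`, and the list could be an unmodifiable collection since it is never meant to change.

```java
    @Override
    public void addCookie( Cookie cookie ) {
      // Match on the cookie name; the value of a rememberMe cookie is opaque.
      if( cookie != null && !restrictedCookieValues.contains( cookie.getName() ) ) {
        super.addCookie( cookie );
      }
    }

    @Override
    public void setHeader( String name, String value ) {
      if( isAllowedHeader( name, value ) ) {
        super.setHeader( name, value );
      }
    }

    // … unchanged shape: addHeader, delegating to isAllowedHeader( name, value ) …

    private boolean isAllowedHeader( String name, String value ) {
      // Only Set-Cookie headers are inspected; every other header passes through.
      if( value == null || !"Set-Cookie".equalsIgnoreCase( name ) ) {
        return true;
      }
      for( String restricted : restrictedCookieValues ) {
        if( value.trim().startsWith( restricted + "=" ) ) {
          return false;
        }
      }
      return true;
    }
```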

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f0ba7ca1/gateway-server/src/test/java/org/apache/hadoop/gateway/deploy/DeploymentFactoryTest.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/test/java/org/apache/hadoop/gateway/deploy/DeploymentFactoryTest.java
b/gateway-server/src/test/java/org/apache/hadoop/gateway/deploy/DeploymentFactoryTest.java
index 766579c..ad0821a 100644
--- a/gateway-server/src/test/java/org/apache/hadoop/gateway/deploy/DeploymentFactoryTest.java
+++ b/gateway-server/src/test/java/org/apache/hadoop/gateway/deploy/DeploymentFactoryTest.java
@@ -99,40 +99,47 @@ public class DeploymentFactoryTest {
 
     assertThat( gateway, hasXPath( "/gateway/resource[1]/pattern", equalTo( "/namenode/api/v1/?**"
) ) );
     //assertThat( gateway, hasXPath( "/gateway/resource[1]/target", equalTo( "http://localhost:50070/webhdfs/v1/?{**}"
) ) );
+
     assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[1]/role", equalTo( "authentication"
) ) );
-    assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[1]/class", equalTo( "org.apache.shiro.web.servlet.ShiroFilter"
) ) );
+    assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[1]/class", equalTo( "org.apache.hadoop.gateway.filter.ResponseCookieFilter"
) ) );
 
     assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[2]/role", equalTo( "authentication"
) ) );
-    assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[2]/class", equalTo( "org.apache.hadoop.gateway.filter.PostAuthenticationFilter"
) ) );
+    assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[2]/class", equalTo( "org.apache.shiro.web.servlet.ShiroFilter"
) ) );
+
+    assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[3]/role", equalTo( "authentication"
) ) );
+    assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[3]/class", equalTo( "org.apache.hadoop.gateway.filter.PostAuthenticationFilter"
) ) );
 
-    assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[3]/role", equalTo( "rewrite"
) ) );
-    assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[3]/class", equalTo( "org.apache.hadoop.gateway.filter.rewrite.api.UrlRewriteServletFilter"
) ) );
+    assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[4]/role", equalTo( "rewrite"
) ) );
+    assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[4]/class", equalTo( "org.apache.hadoop.gateway.filter.rewrite.api.UrlRewriteServletFilter"
) ) );
 
-    assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[4]/role", equalTo( "identity-assertion"
) ) );
-    assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[4]/class", equalTo( "org.apache.hadoop.gateway.filter.IdentityAssertionFilter"
) ) );
+    assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[5]/role", equalTo( "identity-assertion"
) ) );
+    assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[5]/class", equalTo( "org.apache.hadoop.gateway.filter.IdentityAssertionFilter"
) ) );
 
-    assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[5]/role", equalTo( "dispatch"
) ) );
-    assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[5]/name", equalTo( "http-client"
) ) );
-    assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[5]/class", equalTo( "org.apache.hadoop.gateway.dispatch.HttpClientDispatch"
) ) );
+    assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[6]/role", equalTo( "dispatch"
) ) );
+    assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[6]/name", equalTo( "http-client"
) ) );
+    assertThat( gateway, hasXPath( "/gateway/resource[1]/filter[6]/class", equalTo( "org.apache.hadoop.gateway.dispatch.HttpClientDispatch"
) ) );
 
     assertThat( gateway, hasXPath( "/gateway/resource[2]/pattern", equalTo( "/namenode/api/v1/**?**"
) ) );
     //assertThat( gateway, hasXPath( "/gateway/resource[2]/target", equalTo( "http://localhost:50070/webhdfs/v1/{path=**}?{**}"
) ) );
 
     assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[1]/role", equalTo( "authentication"
) ) );
-    assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[1]/class", equalTo( "org.apache.shiro.web.servlet.ShiroFilter"
) ) );
+    assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[1]/class", equalTo( "org.apache.hadoop.gateway.filter.ResponseCookieFilter"
) ) );
 
     assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[2]/role", equalTo( "authentication"
) ) );
-    assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[2]/class", equalTo( "org.apache.hadoop.gateway.filter.PostAuthenticationFilter"
) ) );
+    assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[2]/class", equalTo( "org.apache.shiro.web.servlet.ShiroFilter"
) ) );
+
+    assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[3]/role", equalTo( "authentication"
) ) );
+    assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[3]/class", equalTo( "org.apache.hadoop.gateway.filter.PostAuthenticationFilter"
) ) );
 
-    assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[3]/role", equalTo( "rewrite"
) ) );
-    assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[3]/class", equalTo( "org.apache.hadoop.gateway.filter.rewrite.api.UrlRewriteServletFilter"
) ) );
+    assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[4]/role", equalTo( "rewrite"
) ) );
+    assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[4]/class", equalTo( "org.apache.hadoop.gateway.filter.rewrite.api.UrlRewriteServletFilter"
) ) );
 
-    assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[4]/role", equalTo( "identity-assertion"
) ) );
-    assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[4]/class", equalTo( "org.apache.hadoop.gateway.filter.IdentityAssertionFilter"
) ) );
+    assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[5]/role", equalTo( "identity-assertion"
) ) );
+    assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[5]/class", equalTo( "org.apache.hadoop.gateway.filter.IdentityAssertionFilter"
) ) );
 
-    assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[5]/role", equalTo( "dispatch"
) ) );
-    assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[5]/name", equalTo( "http-client"
) ) );
-    assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[5]/class", equalTo( "org.apache.hadoop.gateway.dispatch.HttpClientDispatch"
) ) );
+    assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[6]/role", equalTo( "dispatch"
) ) );
+    assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[6]/name", equalTo( "http-client"
) ) );
+    assertThat( gateway, hasXPath( "/gateway/resource[2]/filter[6]/class", equalTo( "org.apache.hadoop.gateway.dispatch.HttpClientDispatch"
) ) );
   }
 
   private Document parse( InputStream stream ) throws IOException, SAXException, ParserConfigurationException
{
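Review bot: These assertions pin only where ResponseCookieFilter sits in the chain; going by the diffstat, nothing in the commit exercises the filter's own behaviour. Since the filter is the security control being introduced, it deserves a unit test that wraps a stub response and asserts that a `Set-Cookie` header and an `addCookie` call for `rememberMe` are not forwarded, while unrelated cookies and headers still are. The enclosing test method starts outside this hunk.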

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/f0ba7ca1/gateway-util-launcher/src/test/java/org/apache/hadoop/gateway/launcher/ConfigTest.java
----------------------------------------------------------------------
diff --git a/gateway-util-launcher/src/test/java/org/apache/hadoop/gateway/launcher/ConfigTest.java
b/gateway-util-launcher/src/test/java/org/apache/hadoop/gateway/launcher/ConfigTest.java
index 7068308..3af167e 100644
--- a/gateway-util-launcher/src/test/java/org/apache/hadoop/gateway/launcher/ConfigTest.java
+++ b/gateway-util-launcher/src/test/java/org/apache/hadoop/gateway/launcher/ConfigTest.java
@@ -28,6 +28,8 @@ import static org.hamcrest.MatcherAssert.assertThat;
 
 public class ConfigTest {
 
+  private final static String NEWLINE = System.getProperty( "line.separator" );
+
   @Test
   public void testLoad() throws Exception {
     Config c;
@@ -47,7 +49,7 @@ public class ConfigTest {
     assertThat( c.get( null, "name" ), is( "value" ) );
     assertThat( c.get( null, "wrong-name" ), nullValue() );
 
-    s = "name1=value1\n\n[section1]\nname1=value2";
+    s = "name1=value1" + NEWLINE + "[section1]" + NEWLINE + "name1=value2";
     c = new Config();
     c.load( new StringReader( s ) );
     assertThat( c.get( "", "name1" ), is( "value1" ) );
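Review bot: The rewritten load input drops a line separator: the old string had `\n\n` between `name1=value1` and `[section1]`, the new one has a single `NEWLINE`, so `c.load` is no longer fed a blank line here, while the save assertion in the last hunk still expects `NEWLINE + NEWLINE`. If the blank line was meant to stay, use `"name1=value1" + NEWLINE + NEWLINE + "[section1]" + NEWLINE + "name1=value2"`. It may also be worth keeping a literal `\n` variant of the input, since a parser would normally be expected to accept `\n` regardless of the platform separator; only the `save` output needs `NEWLINE`. testLoad's body extends beyond the hunk.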
@@ -73,14 +75,14 @@ public class ConfigTest {
     c.set( null, null, null );
     w = new StringWriter();
     c.save( w );
-    assertThat( w.toString(), is( "=\n" ) );
+    assertThat( w.toString(), is( "=" + NEWLINE ) );
 
     c = new Config();
     c.set( null, "name1", "value1" );
     c.set( "section1", "name1", "value2" );
     w = new StringWriter();
     c.save( w );
-    assertThat( w.toString(), is( "name1=value1\n\n[section1]\nname1=value2" ) );
+    assertThat( w.toString(), is( "name1=value1" + NEWLINE + NEWLINE + "[section1]" + NEWLINE
+ "name1=value2" ) );
   }
 
   @Test

