knox-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lmc...@apache.org
Subject knox git commit: KNOX-573, KNOX-574 make SecureOnly and MaxAge configurable for SSO
Date Thu, 23 Jul 2015 14:18:47 GMT
Repository: knox
Updated Branches:
  refs/heads/master fae40583d -> 02fea3a67


KNOX-573, KNOX-574 make SecureOnly and MaxAge configurable for SSO

Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/02fea3a6
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/02fea3a6
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/02fea3a6

Branch: refs/heads/master
Commit: 02fea3a67e16bd12fecd8dc2818e34064f332c5d
Parents: fae4058
Author: Larry McCay <lmccay@hortonworks.com>
Authored: Thu Jul 23 10:18:37 2015 -0400
Committer: Larry McCay <lmccay@hortonworks.com>
Committed: Thu Jul 23 10:18:37 2015 -0400

----------------------------------------------------------------------
 .../JerseyServiceDeploymentContributorBase.java |  4 ++
 .../service/knoxsso/KnoxSSOMessages.java        |  6 +++
 .../gateway/service/knoxsso/WebSSOResource.java | 51 ++++++++++++++------
 .../KnoxSSOServiceDeploymentContributor.java    |  4 --
 4 files changed, 46 insertions(+), 19 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/02fea3a6/gateway-provider-jersey/src/main/java/org/apache/hadoop/gateway/jersey/JerseyServiceDeploymentContributorBase.java
----------------------------------------------------------------------
diff --git a/gateway-provider-jersey/src/main/java/org/apache/hadoop/gateway/jersey/JerseyServiceDeploymentContributorBase.java
b/gateway-provider-jersey/src/main/java/org/apache/hadoop/gateway/jersey/JerseyServiceDeploymentContributorBase.java
index 7e721e9..7e5a2a6 100644
--- a/gateway-provider-jersey/src/main/java/org/apache/hadoop/gateway/jersey/JerseyServiceDeploymentContributorBase.java
+++ b/gateway-provider-jersey/src/main/java/org/apache/hadoop/gateway/jersey/JerseyServiceDeploymentContributorBase.java
@@ -26,6 +26,7 @@ import org.apache.hadoop.gateway.topology.Service;
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Map;
 
 public abstract class JerseyServiceDeploymentContributorBase extends ServiceDeploymentContributorBase
{
 
@@ -56,6 +57,9 @@ public abstract class JerseyServiceDeploymentContributorBase extends ServiceDepl
 //      param.name( TRACE_LOGGING_PARAM );
 //      param.value( "ALL" );
 //      params.add( trace );
+      for ( Map.Entry<String,String> serviceParam : service.getParams().entrySet()
) {
+        context.getWebAppDescriptor().createContextParam().paramName(serviceParam.getKey()).paramValue(serviceParam.getValue());
+      }
       context.contributeFilter( service, resource, "pivot", "jersey", params );
     }
   }

http://git-wip-us.apache.org/repos/asf/knox/blob/02fea3a6/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/KnoxSSOMessages.java
----------------------------------------------------------------------
diff --git a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/KnoxSSOMessages.java
b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/KnoxSSOMessages.java
index e6c767b..2c0b933 100644
--- a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/KnoxSSOMessages.java
+++ b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/KnoxSSOMessages.java
@@ -47,4 +47,10 @@ public interface KnoxSSOMessages {
 
   @Message( level = MessageLevel.ERROR, text = "Unable to issue token.")
   void unableToIssueToken(@StackTrace( level = MessageLevel.DEBUG) Exception e);
+
+  @Message( level = MessageLevel.WARN, text = "The SSO cookie SecureOnly flag is set to FALSE
and is therefore insecure.")
+  void cookieSecureOnly(boolean secureOnly);
+
+  @Message( level = MessageLevel.WARN, text = "The SSO cookie max age configuration is invalid:
{0} - using default.")
+  void invalidMaxAgeEncountered(String age);
 }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/knox/blob/02fea3a6/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
----------------------------------------------------------------------
diff --git a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
index 9b3d0ad..056fdf2 100644
--- a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
+++ b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
@@ -22,6 +22,8 @@ import java.net.URI;
 import java.net.URISyntaxException;
 import java.security.Principal;
 
+import javax.annotation.PostConstruct;
+import javax.servlet.ServletContext;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -44,20 +46,15 @@ import static javax.ws.rs.core.MediaType.APPLICATION_XML;
 
 @Path( WebSSOResource.RESOURCE_PATH )
 public class WebSSOResource {
-  /**
-   * 
-   */
+  private static final String SSO_COOKIE_SECURE_ONLY_INIT_PARAM = "knoxsso.cookie.secure.only";
+  private static final String SSO_COOKIE_MAX_AGE_INIT_PARAM = "knoxsso.cookie.max.age";
   private static final String ORIGINAL_URL_REQUEST_PARAM = "originalUrl";
-  /**
-   * 
-   */
   private static final String ORIGINAL_URL_COOKIE_NAME = "original-url";
-  /**
-   * 
-   */
   private static final String JWT_COOKIE_NAME = "hadoop-jwt";
   static final String RESOURCE_PATH = "/knoxsso/api/v1/websso";
   private static KnoxSSOMessages log = MessagesFactory.get( KnoxSSOMessages.class );
+  private boolean secureOnly = true;
+  private int maxAge = 120;
 
   @Context 
   private HttpServletRequest request;
@@ -65,6 +62,28 @@ public class WebSSOResource {
   @Context 
   private HttpServletResponse response;
 
+  @Context
+  ServletContext context;
+
+  @PostConstruct
+  public void init() {
+    String secure = context.getInitParameter(SSO_COOKIE_SECURE_ONLY_INIT_PARAM);
+    if (secure != null) {
+      secureOnly = ("false".equals(secure) ? false : true);
+      log.cookieSecureOnly(secureOnly);
+    }
+
+    String age = context.getInitParameter(SSO_COOKIE_MAX_AGE_INIT_PARAM);
+    if (age != null) {
+      try {
+        maxAge = Integer.parseInt(age);
+      }
+      catch (NumberFormatException nfe) {
+        log.invalidMaxAgeEncountered(age);
+      }
+    }
+  }
+
   @GET
   @Produces({APPLICATION_JSON, APPLICATION_XML})
   public Response doGet() {
@@ -83,7 +102,7 @@ public class WebSSOResource {
     boolean removeOriginalUrlCookie = true;
     String original = getCookieValue((HttpServletRequest) request, ORIGINAL_URL_COOKIE_NAME);
     if (original == null) {
-      // in the case where there is no SAML redirects done before here
+      // in the case where there are no SAML redirects done before here
       // we need to get it from the request parameters
       removeOriginalUrlCookie = false;
       original = request.getParameter(ORIGINAL_URL_REQUEST_PARAM);
@@ -92,7 +111,7 @@ public class WebSSOResource {
         throw new WebApplicationException("Original URL not found in the request.", Response.Status.BAD_REQUEST);
       }
     }
-    
+
     JWTokenAuthority ts = services.getService(GatewayServices.TOKEN_SERVICE);
     Principal p = ((HttpServletRequest)request).getUserPrincipal();
 
@@ -120,7 +139,7 @@ public class WebSSOResource {
     return null;
   }
 
-  public void addJWTHadoopCookie(String original, JWT token) {
+  private void addJWTHadoopCookie(String original, JWT token) {
     log.addingJWTCookie(token.toString());
     Cookie c = new Cookie(JWT_COOKIE_NAME,  token.toString());
     c.setPath("/");
@@ -128,8 +147,10 @@ public class WebSSOResource {
       String domain = getDomainName(original);
       c.setDomain(domain);
       c.setHttpOnly(true);
-      c.setSecure(true);
-      c.setMaxAge(120);
+      if (secureOnly) {
+        c.setSecure(true);
+      }
+      c.setMaxAge(maxAge);
       response.addCookie(c);
       log.addedJWTCookie();
     }
@@ -146,7 +167,7 @@ public class WebSSOResource {
     response.addCookie(c);
   }
 
-  public String getDomainName(String url) throws URISyntaxException {
+  private String getDomainName(String url) throws URISyntaxException {
     URI uri = new URI(url);
     String domain = uri.getHost();
     int idx = domain.indexOf('.');

http://git-wip-us.apache.org/repos/asf/knox/blob/02fea3a6/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/deploy/KnoxSSOServiceDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/deploy/KnoxSSOServiceDeploymentContributor.java
b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/deploy/KnoxSSOServiceDeploymentContributor.java
index 7dbd228..70abeaf 100644
--- a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/deploy/KnoxSSOServiceDeploymentContributor.java
+++ b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/deploy/KnoxSSOServiceDeploymentContributor.java
@@ -19,9 +19,6 @@ package org.apache.hadoop.gateway.service.knoxsso.deploy;
 
 import org.apache.hadoop.gateway.jersey.JerseyServiceDeploymentContributorBase;
 
-/**
- *
- */
 public class KnoxSSOServiceDeploymentContributor extends JerseyServiceDeploymentContributorBase
{
 
   /* (non-Javadoc)
@@ -29,7 +26,6 @@ public class KnoxSSOServiceDeploymentContributor extends JerseyServiceDeployment
    */
   @Override
   public String getRole() {
-    // TODO Auto-generated method stub
     return "KNOXSSO";
   }
 


Mime
View raw message