knox-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lmc...@apache.org
Subject knox git commit: KNOX-679 - Make ResponseCookieFilter Configurable
Date Tue, 08 Mar 2016 19:00:08 GMT
Repository: knox
Updated Branches:
  refs/heads/master c2635885d -> a6d4cbab6


KNOX-679 - Make ResponseCookieFilter Configurable

Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/a6d4cbab
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/a6d4cbab
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/a6d4cbab

Branch: refs/heads/master
Commit: a6d4cbab6e36341ed0bc5eccabe49d1277271d74
Parents: c263588
Author: Larry McCay <lmccay@hortonworks.com>
Authored: Tue Mar 8 13:59:56 2016 -0500
Committer: Larry McCay <lmccay@hortonworks.com>
Committed: Tue Mar 8 13:59:56 2016 -0500

----------------------------------------------------------------------
 .../deploy/impl/ShiroDeploymentContributor.java | 32 +++++++++++++++++---
 .../gateway/filter/ResponseCookieFilter.java    | 30 ++++++++++--------
 2 files changed, 46 insertions(+), 16 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/a6d4cbab/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroDeploymentContributor.java
b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroDeploymentContributor.java
index 04a194d..b050197 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroDeploymentContributor.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroDeploymentContributor.java
@@ -21,12 +21,14 @@ import org.apache.hadoop.gateway.deploy.DeploymentContext;
 import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
 import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
 import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
+import org.apache.hadoop.gateway.filter.ResponseCookieFilter;
 import org.apache.hadoop.gateway.topology.Provider;
 import org.apache.hadoop.gateway.topology.Service;
 import org.jboss.shrinkwrap.api.asset.StringAsset;
 import org.jboss.shrinkwrap.descriptor.api.webapp30.WebAppDescriptor;
 import org.jboss.shrinkwrap.descriptor.api.webcommon30.SessionConfigType;
 
+import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
 
@@ -37,6 +39,7 @@ public class ShiroDeploymentContributor extends ProviderDeploymentContributorBas
   private static final String POST_FILTER_CLASSNAME = "org.apache.hadoop.gateway.filter.ShiroSubjectIdentityAdapter";
   private static final String COOKIE_FILTER_CLASSNAME = "org.apache.hadoop.gateway.filter.ResponseCookieFilter";
   private static final String SESSION_TIMEOUT = "sessionTimeout";
+  private static final String REMEMBER_ME = "rememberme";
   private static final String SHRIO_CONFIG_FILE_NAME = "shiro.ini";
   private static final int DEFAULT_SESSION_TIMEOUT = 30; // 30min
 
@@ -88,7 +91,8 @@ public class ShiroDeploymentContributor extends ProviderDeploymentContributorBas
   }
 
   @Override
-  public void contributeFilter( DeploymentContext context, Provider provider, Service service,
ResourceDescriptor resource, List<FilterParamDescriptor> params ) {
+  public void contributeFilter( DeploymentContext context, Provider provider,
+      Service service, ResourceDescriptor resource, List<FilterParamDescriptor> params
) {
     // Leveraging a third party filter is a primary usecase for Knox
     // in order to do so, we need to make sure that the end result of the third party integration
     // puts a standard javax.security.auth.Subject on the current thread through a doAs.
@@ -97,8 +101,28 @@ public class ShiroDeploymentContributor extends ProviderDeploymentContributorBas
 
     // You may also need to do some additional processing of the response in order to not
return cookies or other
     // filter specifics that are not needed for integration with Knox. Below we do that in
the pre-processing filter.
-    resource.addFilter().name( "Pre" + getName() ).role( getRole() ).impl( COOKIE_FILTER_CLASSNAME
).params( params );
-    resource.addFilter().name( getName() ).role( getRole() ).impl( SHIRO_FILTER_CLASSNAME
).params( params );
-    resource.addFilter().name( "Post" + getName() ).role( getRole() ).impl( POST_FILTER_CLASSNAME
).params( params );
+    if (params == null) {
+      params = new ArrayList<FilterParamDescriptor>();
+    }
+    Map<String, String> providerParams = provider.getParams();
+    String cookies = providerParams.get( ResponseCookieFilter.RESTRICTED_COOKIES );
+    if (cookies == null) {
+      params.add( resource.createFilterParam()
+          .name( ResponseCookieFilter.RESTRICTED_COOKIES )
+          .value( REMEMBER_ME ) );
+    }
+    else {
+      params.add( resource.createFilterParam()
+          .name(ResponseCookieFilter.RESTRICTED_COOKIES ).value( cookies ) );
+    }
+
+    resource.addFilter().name( "Pre" + getName() ).role(
+        getRole() ).impl( COOKIE_FILTER_CLASSNAME ).params( params );
+    params.clear();
+
+    resource.addFilter().name( getName() ).role(
+        getRole() ).impl( SHIRO_FILTER_CLASSNAME ).params( params );
+    resource.addFilter().name( "Post" + getName() ).role(
+        getRole() ).impl( POST_FILTER_CLASSNAME ).params( params );
   }
 }

http://git-wip-us.apache.org/repos/asf/knox/blob/a6d4cbab/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ResponseCookieFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ResponseCookieFilter.java
b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ResponseCookieFilter.java
index 4d31e10..28af445 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ResponseCookieFilter.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ResponseCookieFilter.java
@@ -19,6 +19,7 @@
 package org.apache.hadoop.gateway.filter;
 
 import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
@@ -29,8 +30,19 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 
-
 public class ResponseCookieFilter extends AbstractGatewayFilter {
+  public static final String RESTRICTED_COOKIES = "restrictedCookies";
+
+  protected static List<String> restrictedCookies = new ArrayList<String>();
+
+  @Override
+  public void init(FilterConfig filterConfig) throws ServletException {
+    super.init(filterConfig);
+    String cookies = filterConfig.getInitParameter(RESTRICTED_COOKIES);
+    if (cookies != null) {
+      restrictedCookies = Arrays.asList(cookies.split(","));
+    }
+  }
 
   @Override
   protected void doFilter( HttpServletRequest request, HttpServletResponse response, FilterChain
chain ) throws IOException, ServletException {
@@ -40,32 +52,31 @@ public class ResponseCookieFilter extends AbstractGatewayFilter {
 
   // inner class wraps response to prevent adding of not allowed headers
   private class ResponseWrapper extends HttpServletResponseWrapper {
-
     public ResponseWrapper( HttpServletResponse response ) {
       super( response );
     }
 
     public void addCookie( Cookie cookie ) {
-      if( cookie != null && isAllowedHeaderValue( cookie.getValue() ) ) {
+      if( cookie != null && isAllowedHeader( cookie.getName() ) ) {
         super.addCookie( cookie );
       }
     }
 
     public void setHeader( String name, String value ) {
-      if( isAllowedHeaderValue( value ) ) {
+      if( isAllowedHeader( name ) ) {
         super.setHeader( name, value );
       }
     }
 
     public void addHeader( String name, String value ) {
-      if( isAllowedHeaderValue( value ) ) {
+      if( isAllowedHeader( name ) ) {
         super.addHeader( name, value );
       }
     }
 
-    private boolean isAllowedHeaderValue( String value ) {
+    private boolean isAllowedHeader( String value ) {
       if( value != null ) {
-        for( String v : restrictedCookieValues ) {
+        for( String v : restrictedCookies ) {
           if( value.contains( v ) ) {
             return false;
           }
@@ -74,9 +85,4 @@ public class ResponseCookieFilter extends AbstractGatewayFilter {
       return true;
     }
   }
-
-  private final static List<String> restrictedCookieValues = new ArrayList<String>(
-      Arrays.asList( "rememberMe" )
-  );
-
 }


Mime
View raw message