Repository: incubator-atlas Updated Branches: refs/heads/master 630a562b2 -> adfdef023
ATLAS-1206 Atlas UI not working with IE or Chrome on Windows OS in Kerberos mode (nixonrodrigues via sumasai) Project: http://git-wip-us.apache.org/repos/asf/incubator-atlas/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-atlas/commit/adfdef02 Tree: http://git-wip-us.apache.org/repos/asf/incubator-atlas/tree/adfdef02 Diff: http://git-wip-us.apache.org/repos/asf/incubator-atlas/diff/adfdef02 Branch: refs/heads/master Commit: adfdef023b3dbdf7c03b4039a814d47a50ef41e3 Parents: 630a562 Author: Suma Shivaprasad <[email protected]> Authored: Tue Oct 4 11:24:52 2016 -0700 Committer: Suma Shivaprasad <[email protected]> Committed: Tue Oct 4 11:27:11 2016 -0700 ---------------------------------------------------------------------- release-log.txt | 1 + .../web/filters/AtlasAuthenticationFilter.java | 86 +++++++++++++++----- 2 files changed, 65 insertions(+), 22 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/adfdef02/release-log.txt ---------------------------------------------------------------------- diff --git a/release-log.txt b/release-log.txt index 0d58eaa..b012228 100644 --- a/release-log.txt +++ b/release-log.txt @@ -9,6 +9,7 @@ ATLAS-1060 Add composite indexes for exact match performance improvements for al ATLAS-1127 Modify creation and modification timestamps to Date instead of Long(sumasai) ALL CHANGES: +ATLAS-1206 Atlas UI not working with IE or Chrome on Windows OS in Kerberos mode (nixonrodrigues via sumasai) ATLAS-1205 Improve atlas build time (shwethags) ATLAS-1203 'Invalid type definition' due to no new types to be created at startup (mneethiraj via shwethags) ATLAS-1171 Structured, high-level public APIs (mneethiraj via shwethags) http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/adfdef02/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java ---------------------------------------------------------------------- diff --git a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java index 605fe89..30200b5 100644 --- a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java +++ b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java @@ -69,6 +69,8 @@ import java.net.UnknownHostException; import java.security.Principal; import java.text.SimpleDateFormat; import java.util.*; +import java.util.regex.Matcher; +import java.util.regex.Pattern; import javax.servlet.http.Cookie; /** @@ -84,6 +86,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { private SignerSecretProvider secretProvider; public final boolean isKerberos = AuthenticationUtil.isKerberosAuthenticationEnabled(); private boolean isInitializedByTomcat; + private Set<Pattern> browserUserAgents; public AtlasAuthenticationFilter() { try { @@ -148,7 +151,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { @Override public void initializeSecretProvider(FilterConfig filterConfig) throws ServletException { - LOG.debug("AtlasAuthenticationFilter :: initializeSecretProvider "+filterConfig); + LOG.debug("AtlasAuthenticationFilter :: initializeSecretProvider " + filterConfig); secretProvider = (SignerSecretProvider) filterConfig.getServletContext(). getAttribute(AuthenticationFilter.SIGNER_SECRET_PROVIDER_ATTRIBUTE); if (secretProvider == null) { @@ -230,6 +233,14 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { LOG.debug(" AuthenticationFilterConfig: {}", config); + String agents = configuration.getString(AtlasCSRFPreventionFilter.BROWSER_USER_AGENT_PARAM, AtlasCSRFPreventionFilter.BROWSER_USER_AGENTS_DEFAULT); + + if (agents == null) { + agents = AtlasCSRFPreventionFilter.BROWSER_USER_AGENTS_DEFAULT; + } + + parseBrowserUserAgents(agents); + return config; } @@ -296,11 +307,16 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { try { - String authHeader = httpRequest.getHeader("Authorization"); - if (authHeader != null && authHeader.startsWith("Basic")) { - filterChain.doFilter(request, response); - } else if (isKerberos) { - doKerberosAuth(request, response, filterChainWrapper); + Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication(); + if (existingAuth == null) { + String authHeader = httpRequest.getHeader("Authorization"); + if (authHeader != null && authHeader.startsWith("Basic")) { + filterChain.doFilter(request, response); + } else if (isKerberos) { + doKerberosAuth(request, response, filterChainWrapper, filterChain); + } else { + filterChain.doFilter(request, response); + } } else { filterChain.doFilter(request, response); } @@ -327,7 +343,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { * @throws IOException thrown if an IO error occurred. * @throws ServletException thrown if a processing error occurred. */ - public void doKerberosAuth(ServletRequest request, ServletResponse response, FilterChain filterChain) + public void doKerberosAuth(ServletRequest request, ServletResponse response, FilterChain filterChainWrapper ,FilterChain filterChain ) throws IOException, ServletException { boolean unauthorizedResponse = true; int errCode = HttpServletResponse.SC_UNAUTHORIZED; @@ -389,7 +405,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { getCookiePath(), token.getExpires(), isHttps); } - filterChain.doFilter(httpRequest, httpResponse); + filterChainWrapper.doFilter(httpRequest, httpResponse); } } else { unauthorizedResponse = false; @@ -412,22 +428,25 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { errCode = HttpServletResponse.SC_FORBIDDEN; } if (authenticationEx == null) { // added this code for atlas error handling and fallback - boolean chk = true; - Collection<String> headerNames = httpResponse.getHeaderNames(); - for (String headerName : headerNames) { - String value = httpResponse.getHeader(headerName); - if (headerName.equalsIgnoreCase("Set-Cookie") && value.startsWith("JSESSIONID")) { - chk = false; - break; - } - } - String authHeader = httpRequest.getHeader("Authorization"); - if (authHeader == null && chk) { - filterChain.doFilter(request, response); - } else if (authHeader != null && authHeader.startsWith("Basic")) { + if (isBrowser(httpRequest.getHeader("User-Agent"))) { filterChain.doFilter(request, response); + } else { + boolean chk = true; + Collection<String> headerNames = httpResponse.getHeaderNames(); + for (String headerName : headerNames) { + String value = httpResponse.getHeader(headerName); + if (headerName.equalsIgnoreCase("Set-Cookie") && value.startsWith("JSESSIONID")) { + chk = false; + break; + } + } + String authHeader = httpRequest.getHeader("Authorization"); + if (authHeader == null && chk) { + filterChain.doFilter(request, response); + } else if (authHeader != null && authHeader.startsWith("Basic")) { + filterChain.doFilter(request, response); + } } - } else { httpResponse.sendError(errCode, authenticationEx.getMessage()); } @@ -550,4 +569,27 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { return token; } + void parseBrowserUserAgents(String userAgents) { + String[] agentsArray = userAgents.split(","); + browserUserAgents = new HashSet<Pattern>(); + for (String patternString : agentsArray) { + browserUserAgents.add(Pattern.compile(patternString)); + } + } + + boolean isBrowser(String userAgent) { + if (userAgent == null) { + return false; + } + if (browserUserAgents != null) { + for (Pattern pattern : browserUserAgents) { + Matcher matcher = pattern.matcher(userAgent); + if (matcher.matches()) { + return true; + } + } + } + return false; + } + }
