Repository: knox Updated Branches: refs/heads/master fae40583d -> 02fea3a67
KNOX-573, KNOX-574 make SecureOnly and MaxAge configurable for SSO Project: http://git-wip-us.apache.org/repos/asf/knox/repo Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/02fea3a6 Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/02fea3a6 Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/02fea3a6 Branch: refs/heads/master Commit: 02fea3a67e16bd12fecd8dc2818e34064f332c5d Parents: fae4058 Author: Larry McCay <lmc...@hortonworks.com> Authored: Thu Jul 23 10:18:37 2015 -0400 Committer: Larry McCay <lmc...@hortonworks.com> Committed: Thu Jul 23 10:18:37 2015 -0400 ---------------------------------------------------------------------- .../JerseyServiceDeploymentContributorBase.java | 4 ++ .../service/knoxsso/KnoxSSOMessages.java | 6 +++ .../gateway/service/knoxsso/WebSSOResource.java | 51 ++++++++++++++------ .../KnoxSSOServiceDeploymentContributor.java | 4 -- 4 files changed, 46 insertions(+), 19 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/02fea3a6/gateway-provider-jersey/src/main/java/org/apache/hadoop/gateway/jersey/JerseyServiceDeploymentContributorBase.java
----------------------------------------------------------------------
diff --git a/gateway-provider-jersey/src/main/java/org/apache/hadoop/gateway/jersey/JerseyServiceDeploymentContributorBase.java b/gateway-provider-jersey/src/main/java/org/apache/hadoop/gateway/jersey/JerseyServiceDeploymentContributorBase.java
index 7e721e9..7e5a2a6 100644
--- a/gateway-provider-jersey/src/main/java/org/apache/hadoop/gateway/jersey/JerseyServiceDeploymentContributorBase.java
+++ b/gateway-provider-jersey/src/main/java/org/apache/hadoop/gateway/jersey/JerseyServiceDeploymentContributorBase.java
@@ -26,6 +26,7 @@ import org.apache.hadoop.gateway.topology.Service;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Map;
 public abstract class JerseyServiceDeploymentContributorBase extends ServiceDeploymentContributorBase {
@@ -56,6 +57,9 @@ public abstract class JerseyServiceDeploymentContributorBase extends ServiceDepl
 // param.name( TRACE_LOGGING_PARAM );
 // param.value( "ALL" );
 // params.add( trace );
+ for ( Map.Entry<String,String> serviceParam : service.getParams().entrySet() ) {
+ context.getWebAppDescriptor().createContextParam().paramName(serviceParam.getKey()).paramValue(serviceParam.getValue());
+ }
 context.contributeFilter( service, resource, "pivot", "jersey", params );
 }
 }
http://git-wip-us.apache.org/repos/asf/knox/blob/02fea3a6/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/KnoxSSOMessages.java
----------------------------------------------------------------------
diff --git a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/KnoxSSOMessages.java b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/KnoxSSOMessages.java
index e6c767b..2c0b933 100644
--- a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/KnoxSSOMessages.java
+++ b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/KnoxSSOMessages.java
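Review bot: The new loop at the end of the second hunk copies every topology service param into the web-app descriptor as a context-param with no filtering and no check for a name already declared there, so a param intended only for the Jersey filter, or one carrying a sensitive value, becomes readable by every servlet and filter in that webapp through `ServletContext.getInitParameter`, and a duplicate param-name may be rejected by the container. This is the base class for all Jersey-backed services, not only KnoxSSO, so the broadened exposure applies to each of them. At minimum the intent deserves a comment, e.g. `// expose topology service params as web-app context-params so Jersey resources can read them via ServletContext.getInitParameter()`; restricting to a known prefix or skipping names already present would be the stricter fix. Whether `service.getParams()` can return null cannot be judged from the hunk.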
@@ -47,4 +47,10 @@ public interface KnoxSSOMessages {
 @Message( level = MessageLevel.ERROR, text = "Unable to issue token.")
 void unableToIssueToken(@StackTrace( level = MessageLevel.DEBUG) Exception e);
+
+ @Message( level = MessageLevel.WARN, text = "The SSO cookie SecureOnly flag is set to FALSE and is therefore insecure.")
+ void cookieSecureOnly(boolean secureOnly);
+
+ @Message( level = MessageLevel.WARN, text = "The SSO cookie max age configuration is invalid: {0} - using default.")
+ void invalidMaxAgeEncountered(String age);
 }
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/knox/blob/02fea3a6/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
----------------------------------------------------------------------
diff --git a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
index 9b3d0ad..056fdf2 100644
--- a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
+++ b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
@@ -22,6 +22,8 @@ import java.net.URI;
 import java.net.URISyntaxException;
 import java.security.Principal;
+import javax.annotation.PostConstruct;
+import javax.servlet.ServletContext;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
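Review bot: The `cookieSecureOnly` message text hard-codes "set to FALSE and is therefore insecure" and never references its `secureOnly` argument, while `WebSSOResource.init()` (hunk `@@ -65,6 +62,28 @@` in this commit) calls it for any non-null value of `knoxsso.cookie.secure.only`, so a deployment that explicitly sets the param to `true` logs a warning claiming the cookie is insecure. Either guard the call in `init()`, `if (!secureOnly) { log.cookieSecureOnly(secureOnly); }`, or make the text reflect the value, e.g. `text = "The SSO cookie SecureOnly flag is set to {0}."`, keeping WARN for the false case only. A misleading WARN in the gateway log trains operators to ignore the one that matters.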
@@ -44,20 +46,15 @@ import static javax.ws.rs.core.MediaType.APPLICATION_XML;
 @Path( WebSSOResource.RESOURCE_PATH )
 public class WebSSOResource {
- /**
- *
- */
+ private static final String SSO_COOKIE_SECURE_ONLY_INIT_PARAM = "knoxsso.cookie.secure.only";
+ private static final String SSO_COOKIE_MAX_AGE_INIT_PARAM = "knoxsso.cookie.max.age";
 private static final String ORIGINAL_URL_REQUEST_PARAM = "originalUrl";
- /**
- *
- */
 private static final String ORIGINAL_URL_COOKIE_NAME = "original-url";
- /**
- *
- */
 private static final String JWT_COOKIE_NAME = "hadoop-jwt";
 static final String RESOURCE_PATH = "/knoxsso/api/v1/websso";
 private static KnoxSSOMessages log = MessagesFactory.get( KnoxSSOMessages.class );
+ private boolean secureOnly = true;
+ private int maxAge = 120;
 @Context
 private HttpServletRequest request;
@@ -65,6 +62,28 @@ public class WebSSOResource {
 @Context
 private HttpServletResponse response;
+ @Context
+ ServletContext context;
+
+ @PostConstruct
+ public void init() {
+ String secure = context.getInitParameter(SSO_COOKIE_SECURE_ONLY_INIT_PARAM);
+ if (secure != null) {
+ secureOnly = ("false".equals(secure) ? false : true);
+ log.cookieSecureOnly(secureOnly);
+ }
+
+ String age = context.getInitParameter(SSO_COOKIE_MAX_AGE_INIT_PARAM);
+ if (age != null) {
+ try {
+ maxAge = Integer.parseInt(age);
+ }
+ catch (NumberFormatException nfe) {
+ log.invalidMaxAgeEncountered(age);
+ }
+ }
+ }
+
 @GET
 @Produces({APPLICATION_JSON, APPLICATION_XML})
 public Response doGet() {
@@ -83,7 +102,7 @@ public class WebSSOResource {
 boolean removeOriginalUrlCookie = true;
 String original = getCookieValue((HttpServletRequest) request, ORIGINAL_URL_COOKIE_NAME);
 if (original == null) {
- // in the case where there is no SAML redirects done before here
+ // in the case where there are no SAML redirects done before here
 // we need to get it from the request parameters
 removeOriginalUrlCookie = false;
 original = request.getParameter(ORIGINAL_URL_REQUEST_PARAM);
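Review bot: `init()` accepts any integer for `knoxsso.cookie.max.age`, including `0`, which `Cookie.setMaxAge` defines as "delete the cookie", so a configuration slip of `0` silently breaks SSO while only non-numeric text reaches `invalidMaxAgeEncountered`. Validate before assigning, e.g. `int parsed = Integer.parseInt(age); if (parsed == 0) { log.invalidMaxAgeEncountered(age); } else { maxAge = parsed; }`, and state in a comment whether a negative value (browser-session cookie) is deliberately permitted. The secure-only parse `("false".equals(secure) ? false : true)` is fail-closed, since anything other than the literal `false` keeps the flag, which is the right default, but it reads more clearly as `secureOnly = !"false".equals(secure); // fail-closed: only the literal "false" disables Secure`. `@Context ServletContext context;` is the one injected field in this class without `private`; `request` and `response` both declare it.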
@@ -92,7 +111,7 @@ public class WebSSOResource {
 throw new WebApplicationException("Original URL not found in the request.", Response.Status.BAD_REQUEST);
 }
 }
-
+
 JWTokenAuthority ts = services.getService(GatewayServices.TOKEN_SERVICE);
 Principal p = ((HttpServletRequest)request).getUserPrincipal();
@@ -120,7 +139,7 @@ public class WebSSOResource {
 return null;
 }
- public void addJWTHadoopCookie(String original, JWT token) {
+ private void addJWTHadoopCookie(String original, JWT token) {
 log.addingJWTCookie(token.toString());
 Cookie c = new Cookie(JWT_COOKIE_NAME, token.toString());
 c.setPath("/");
@@ -128,8 +147,10 @@ public class WebSSOResource {
 String domain = getDomainName(original);
 c.setDomain(domain);
 c.setHttpOnly(true);
- c.setSecure(true);
- c.setMaxAge(120);
+ if (secureOnly) {
+ c.setSecure(true);
+ }
+ c.setMaxAge(maxAge);
 response.addCookie(c);
 log.addedJWTCookie();
 }
@@ -146,7 +167,7 @@ public class WebSSOResource {
 response.addCookie(c);
 }
- public String getDomainName(String url) throws URISyntaxException {
+ private String getDomainName(String url) throws URISyntaxException {
 URI uri = new URI(url);
 String domain = uri.getHost();
 int idx = domain.indexOf('.');
http://git-wip-us.apache.org/repos/asf/knox/blob/02fea3a6/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/deploy/KnoxSSOServiceDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/deploy/KnoxSSOServiceDeploymentContributor.java b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/deploy/KnoxSSOServiceDeploymentContributor.java
index 7dbd228..70abeaf 100644
--- a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/deploy/KnoxSSOServiceDeploymentContributor.java
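Review bot: The `if (secureOnly)` branch in hunk `@@ -128,8 +147,10 @@` is the one place where the cookie carrying the signed JWT can be issued without the Secure attribute, and nothing at the site says why that is ever acceptable, so a reader of `addJWTHadoopCookie` alone cannot tell whether the missing flag is a bug. A comment should carry that context, e.g. `// Secure is omitted only when knoxsso.cookie.secure.only=false (read in init()); the cookie holds the bearer JWT, so the default stays true` — whether the false setting is meant for non-TLS deployments is my inference from the param name and should be confirmed with the author. The same applies to `c.setMaxAge(maxAge)`: a short note that the value comes from `knoxsso.cookie.max.age` with a 120-second default keeps the two sites in sync. `addJWTHadoopCookie` starts in the preceding hunk (`@@ -120,7 +139,7 @@`), so its signature lies outside this one.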
+++ b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/deploy/KnoxSSOServiceDeploymentContributor.java
@@ -19,9 +19,6 @@ package org.apache.hadoop.gateway.service.knoxsso.deploy;
 import org.apache.hadoop.gateway.jersey.JerseyServiceDeploymentContributorBase;
-/**
- *
- */
 public class KnoxSSOServiceDeploymentContributor extends JerseyServiceDeploymentContributorBase {
 /* (non-Javadoc)
@@ -29,7 +26,6 @@ public class KnoxSSOServiceDeploymentContributor extends JerseyServiceDeployment
 */
 @Override
 public String getRole() {
- // TODO Auto-generated method stub
 return "KNOXSSO";
 }