Repository: knox Updated Branches: refs/heads/master c2635885d -> a6d4cbab6
KNOX-679 - Make ResponseCookieFilter Configurable Project: http://git-wip-us.apache.org/repos/asf/knox/repo Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/a6d4cbab Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/a6d4cbab Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/a6d4cbab Branch: refs/heads/master Commit: a6d4cbab6e36341ed0bc5eccabe49d1277271d74 Parents: c263588 Author: Larry McCay <lmc...@hortonworks.com> Authored: Tue Mar 8 13:59:56 2016 -0500 Committer: Larry McCay <lmc...@hortonworks.com> Committed: Tue Mar 8 13:59:56 2016 -0500 ---------------------------------------------------------------------- .../deploy/impl/ShiroDeploymentContributor.java | 32 +++++++++++++++++--- .../gateway/filter/ResponseCookieFilter.java | 30 ++++++++++-------- 2 files changed, 46 insertions(+), 16 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/knox/blob/a6d4cbab/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroDeploymentContributor.java ----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroDeploymentContributor.java b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroDeploymentContributor.java
index 04a194d..b050197 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroDeploymentContributor.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroDeploymentContributor.java
@@ -21,12 +21,14 @@ import org.apache.hadoop.gateway.deploy.DeploymentContext;
 import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
 import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
 import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
+import org.apache.hadoop.gateway.filter.ResponseCookieFilter;
 import org.apache.hadoop.gateway.topology.Provider;
 import org.apache.hadoop.gateway.topology.Service;
 import org.jboss.shrinkwrap.api.asset.StringAsset;
 import org.jboss.shrinkwrap.descriptor.api.webapp30.WebAppDescriptor;
 import org.jboss.shrinkwrap.descriptor.api.webcommon30.SessionConfigType;
+import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
@@ -37,6 +39,7 @@ public class ShiroDeploymentContributor extends ProviderDeploymentContributorBas
 private static final String POST_FILTER_CLASSNAME = "org.apache.hadoop.gateway.filter.ShiroSubjectIdentityAdapter";
 private static final String COOKIE_FILTER_CLASSNAME = "org.apache.hadoop.gateway.filter.ResponseCookieFilter";
 private static final String SESSION_TIMEOUT = "sessionTimeout";
+ private static final String REMEMBER_ME = "rememberme";
 private static final String SHRIO_CONFIG_FILE_NAME = "shiro.ini";
 private static final int DEFAULT_SESSION_TIMEOUT = 30; // 30min
@@ -88,7 +91,8 @@ public class ShiroDeploymentContributor extends ProviderDeploymentContributorBas
 }
 @Override
- public void contributeFilter( DeploymentContext context, Provider provider, Service service, ResourceDescriptor resource, List<FilterParamDescriptor> params ) {
+ public void contributeFilter( DeploymentContext context, Provider provider,
+ Service service, ResourceDescriptor resource, List<FilterParamDescriptor> params ) {
 // Leveraging a third party filter is a primary usecase for Knox
 // in order to do so, we need to make sure that the end result of the third party integration
 // puts a standard javax.security.auth.Subject on the current thread through a doAs.
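Review bot: The default in `REMEMBER_ME` is spelled `"rememberme"`, while the literal this commit removes from ResponseCookieFilter was `"rememberMe"` and the filter still matches with the case-sensitive `value.contains( v )`. With no `restrictedCookies` provider param set, a cookie named `rememberMe` would therefore no longer be stripped from responses. I would keep the old spelling, `private static final String REMEMBER_ME = "rememberMe";`, or make the comparison in the filter case-insensitive. The constant sits in the class body, which starts and ends outside this hunk.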
@@ -97,8 +101,28 @@ public class ShiroDeploymentContributor extends ProviderDeploymentContributorBas
 // You may also need to do some additional processing of the response in order to not return cookies or other
 // filter specifics that are not needed for integration with Knox. Below we do that in the pre-processing filter.
- resource.addFilter().name( "Pre" + getName() ).role( getRole() ).impl( COOKIE_FILTER_CLASSNAME ).params( params );
- resource.addFilter().name( getName() ).role( getRole() ).impl( SHIRO_FILTER_CLASSNAME ).params( params );
- resource.addFilter().name( "Post" + getName() ).role( getRole() ).impl( POST_FILTER_CLASSNAME ).params( params );
+ if (params == null) {
+ params = new ArrayList<FilterParamDescriptor>();
+ }
+ Map<String, String> providerParams = provider.getParams();
+ String cookies = providerParams.get( ResponseCookieFilter.RESTRICTED_COOKIES );
+ if (cookies == null) {
+ params.add( resource.createFilterParam()
+ .name( ResponseCookieFilter.RESTRICTED_COOKIES )
+ .value( REMEMBER_ME ) );
+ }
+ else {
+ params.add( resource.createFilterParam()
+ .name(ResponseCookieFilter.RESTRICTED_COOKIES ).value( cookies ) );
+ }
+
+ resource.addFilter().name( "Pre" + getName() ).role(
+ getRole() ).impl( COOKIE_FILTER_CLASSNAME ).params( params );
+ params.clear();
+
+ resource.addFilter().name( getName() ).role(
+ getRole() ).impl( SHIRO_FILTER_CLASSNAME ).params( params );
+ resource.addFilter().name( "Post" + getName() ).role(
+ getRole() ).impl( POST_FILTER_CLASSNAME ).params( params );
 }
 }
http://git-wip-us.apache.org/repos/asf/knox/blob/a6d4cbab/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ResponseCookieFilter.java ----------------------------------------------------------------------
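Review bot: `params.clear()` empties the list the caller passed in, and the Shiro and Post filters are then registered with that empty list, whereas before this change all three filters received the caller's `params`. If `.params( params )` keeps a reference instead of copying (not visible here), the clear would also remove the `restrictedCookies` entry just added for the cookie filter, so the configured restriction would never reach it. `params.add(...)` will also throw if the caller hands in an unmodifiable list. Building a separate list for the cookie filter and leaving `params` untouched avoids all three; the method's signature is in the previous hunk.

```java
    // … unchanged: provider.getParams() lookup into `cookies` …
    List<FilterParamDescriptor> cookieParams = new ArrayList<FilterParamDescriptor>();
    if (params != null) {
      cookieParams.addAll( params );
    }
    cookieParams.add( resource.createFilterParam()
        .name( ResponseCookieFilter.RESTRICTED_COOKIES )
        .value( cookies == null ? REMEMBER_ME : cookies ) );

    resource.addFilter().name( "Pre" + getName() ).role(
        getRole() ).impl( COOKIE_FILTER_CLASSNAME ).params( cookieParams );
    // … unchanged: Shiro and Post filter registration with the caller's `params` …
```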
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ResponseCookieFilter.java b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ResponseCookieFilter.java
index 4d31e10..28af445 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ResponseCookieFilter.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ResponseCookieFilter.java
@@ -19,6 +19,7 @@ package org.apache.hadoop.gateway.filter;
 import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
@@ -29,8 +30,19 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
-
 public class ResponseCookieFilter extends AbstractGatewayFilter {
+ public static final String RESTRICTED_COOKIES = "restrictedCookies";
+
+ protected static List<String> restrictedCookies = new ArrayList<String>();
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ super.init(filterConfig);
+ String cookies = filterConfig.getInitParameter(RESTRICTED_COOKIES);
+ if (cookies != null) {
+ restrictedCookies = Arrays.asList(cookies.split(","));
+ }
+ }
 @Override
 protected void doFilter( HttpServletRequest request, HttpServletResponse response, FilterChain chain ) throws IOException, ServletException {
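Review bot: `restrictedCookies` is a `static` field that `init` reassigns, so every ResponseCookieFilter instance loaded by the same class loader shares one list and the last filter to initialise decides what all of them strip; the write is also unsynchronised. An instance field keeps each filter's configuration its own, and the non-static inner ResponseWrapper can still read it. `cookies.split(",")` also keeps surrounding whitespace and empty entries, and because the match is `value.contains( v )`, an empty entry (from `a,,b` or an empty param value) matches every name, which would drop every cookie and every header. Trimming each entry and skipping empty ones in `init` closes that.

```java
  protected List<String> restrictedCookies = new ArrayList<String>();

  // … unchanged: init signature, super.init, getInitParameter …
    if (cookies != null) {
      List<String> names = new ArrayList<String>();
      for (String name : cookies.split(",")) {
        String trimmed = name.trim();
        if (!trimmed.isEmpty()) {
          names.add(trimmed);
        }
      }
      restrictedCookies = names;
    }
```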
@@ -40,32 +52,31 @@ public class ResponseCookieFilter extends AbstractGatewayFilter {
 // inner class wraps response to prevent adding of not allowed headers
 private class ResponseWrapper extends HttpServletResponseWrapper {
-
 public ResponseWrapper( HttpServletResponse response ) {
 super( response );
 }
 public void addCookie( Cookie cookie ) {
- if( cookie != null && isAllowedHeaderValue( cookie.getValue() ) ) {
+ if( cookie != null && isAllowedHeader( cookie.getName() ) ) {
 super.addCookie( cookie );
 }
 }
 public void setHeader( String name, String value ) {
- if( isAllowedHeaderValue( value ) ) {
+ if( isAllowedHeader( name ) ) {
 super.setHeader( name, value );
 }
 }
 public void addHeader( String name, String value ) {
- if( isAllowedHeaderValue( value ) ) {
+ if( isAllowedHeader( name ) ) {
 super.addHeader( name, value );
 }
 }
- private boolean isAllowedHeaderValue( String value ) {
+ private boolean isAllowedHeader( String value ) {
 if( value != null ) {
- for( String v : restrictedCookieValues ) {
+ for( String v : restrictedCookies ) {
 if( value.contains( v ) ) {
 return false;
 }
@@ -74,9 +85,4 @@ public class ResponseCookieFilter extends AbstractGatewayFilter {
 return true;
 }
 }
-
- private final static List<String> restrictedCookieValues = new ArrayList<String>(
- Arrays.asList( "rememberMe" )
- );
-
 }
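Review bot: `setHeader` and `addHeader` now test the header name, but a cookie written as a raw `Set-Cookie` header carries the cookie name inside the header value, so a restricted cookie sent that way passes the filter; the old code, which inspected the value, would have caught it. If the wrapped filter emits its cookies through `addHeader` rather than `addCookie` (worth confirming for Shiro), the restriction is not applied at all. For those two methods I would check the value of cookie headers and let other headers through, e.g. `if( !"Set-Cookie".equalsIgnoreCase( name ) || isAllowedHeader( value ) ) {`. The parameter of `isAllowedHeader` is still called `value` although it now also receives names, and its body ends in the next hunk.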