[jira] [Created] (KNOX-3001) XML escaping should be configurable in SimpleDescriptorHandle

Wed, 17 Jan 2024 05:05:05 -0800 

Sandor Molnar created KNOX-3001:
-----------------------------------

             Summary: XML escaping should be configurable in 
SimpleDescriptorHandle
                 Key: KNOX-3001
                 URL: https://issues.apache.org/jira/browse/KNOX-3001
             Project: Apache Knox
          Issue Type: Improvement
          Components: Server
    Affects Versions: 2.1.0
            Reporter: Sandor Molnar
            Assignee: Sandor Molnar
             Fix For: 2.1.0


KNOX-2804 added a beneficial improvement in Knox's logic when dealing with JSON 
files and turned them into XML topologies: before the generated topology 
persisted, the possible values are XML-escaped to avoid errors in SAXParser.

However, this might cause backward-compatible issues in deployments, where the 
data in the given shared provider config or descriptor is already given in 
XML-friendy way.

For instance, using the following shared provider config will result in a bad 
XML topology:
{noformat}
{
  "providers" : [ {
    "role" : "webappsec",
    "name" : "WebAppSec",
    "enabled" : true,
    "params" : {
      "xframe.options.enabled" : "true"
    }
  }, {
    "role" : "authentication",
    "name" : "ShiroProvider",
    "enabled" : true,
    "params" : {
      "main.ldapContextFactory" : 
"org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory",
      "main.ldapRealm" : "org.apache.knox.gateway.shirorealm.KnoxLdapRealm",
      "main.ldapRealm.authenticationCachingEnabled" : "false",
      "main.ldapRealm.contextFactory" : "$ldapContextFactory",
      "main.ldapRealm.contextFactory.authenticationMechanism" : "simple",
      "main.ldapRealm.contextFactory.url" : "ldap://localhost:33389";,
      "main.ldapRealm.userDnTemplate" : 
"uid=0ou=people,dc=hadoop,dc=apache,dc=org",
      "main.ldapRealm.userSearchFilter" : 
"(&(&(objectclass=person)(sAMAccountName={0}))(|(memberOf=CN=SecXX-users,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)(memberOf=CN=SecXX-rls-serviceuser,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)))",
      "redirectToUrl" : "/${GATEWAY_PATH}/knoxsso/knoxauth/login.html",
      "restrictedCookies" : "rememberme,WWW-Authenticate",
      "sessionTimeout" : "30",
      "urls./**" : "authcBasic"
    }
  }, {
    "role" : "identity-assertion",
    "name" : "Default",
    "enabled" : true,
    "params" : { }
  } ],
  "readOnly" : true
} {noformat}
The generated XML:
{noformat}
<?xml version="1.0" encoding="utf-8"?>
<!--==============================================-->
<!-- DO NOT EDIT. This is an auto-generated file. -->
<!--==============================================-->
<topology>
    <generated>true</generated>
    <gateway>
        <provider>
            <role>webappsec</role>
            <name>WebAppSec</name>
            <enabled>true</enabled>
            <param>
                <name>xframe.options.enabled</name>
                <value>true</value>
            </param>
        </provider>
        <provider>
            <role>authentication</role>
            <name>ShiroProvider</name>
            <enabled>true</enabled>
            <param>
                <name>main.ldapContextFactory</name>
                
<value>org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory</value>
            </param>
            <param>
                <name>main.ldapRealm</name>
                <value>org.apache.knox.gateway.shirorealm.KnoxLdapRealm</value>
            </param>
            <param>
                <name>main.ldapRealm.authenticationCachingEnabled</name>
                <value>false</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory</name>
                <value>$ldapContextFactory</value>
            </param>
            <param>
                
<name>main.ldapRealm.contextFactory.authenticationMechanism</name>
                <value>simple</value>
            </param>
            <param>
                <name>main.ldapRealm.contextFactory.url</name>
                <value>ldap://localhost:33389</value>
            </param>
            <param>
                <name>main.ldapRealm.userDnTemplate</name>
                <value>uid=0ou=people,dc=hadoop,dc=apache,dc=org</value>
            </param>
            <param>
                <name>main.ldapRealm.userSearchFilter</name>
                
<value>(&amp;amp;(&amp;amp;(objectclass=person)(sAMAccountName={0}))(|(memberOf=CN=SecXX-users,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)(memberOf=CN=SecXX-rls-serviceuser,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)))</value>
            </param>
            <param>
                <name>redirectToUrl</name>
                <value>/${GATEWAY_PATH}/knoxsso/knoxauth/login.html</value>
            </param>
            <param>
                <name>restrictedCookies</name>
                <value>rememberme,WWW-Authenticate</value>
            </param>
            <param>
                <name>sessionTimeout</name>
                <value>30</value>
            </param>
            <param>
                <name>urls./**</name>
                <value>authcBasic</value>
            </param>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>true</enabled>
        </provider>
    </gateway>    <service>
        <role>KNOXSSO</role>
        <param>
            <name>knoxsso.token.ttl</name>
            <value>86400000</value>
        </param>
        <param>
            <name>knoxsso.token.sigalg</name>
            <value></value>
        </param>
        <param>
            <name>knoxsso.redirect.whitelist.regex</name>
            
<value>^https?:\/\/(.*smolnar\.root\.xyz\.com)(?::[0-9]+)?(?:\/.*)?$</value>
        </param>
    </service>
    <application>
        <name>knoxauth</name>
    </application>
</topology> {noformat}
As you can see, the value of {{main.ldapRealm.userSearchFilter}} is 
double-escaped that makes the topology invalid.

Moreover, the previously added XML escape function is meant for XML 1.1 
documents whereas this code generates XML 1.0, so that this should be changed 
too.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to