[ 
https://issues.apache.org/jira/browse/KNOX-3001?focusedWorklogId=900405&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-900405
 ]

ASF GitHub Bot logged work on KNOX-3001:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 18/Jan/24 10:39
            Start Date: 18/Jan/24 10:39
    Worklog Time Spent: 10m 
      Work Description: smolnar82 merged PR #834:
URL: https://github.com/apache/knox/pull/834




Issue Time Tracking
-------------------

    Worklog Id:     (was: 900405)
    Time Spent: 1h  (was: 50m)

> Avoid double XML escaping in SimpleDescriptorHandler
> ----------------------------------------------------
>
>                 Key: KNOX-3001
>                 URL: https://issues.apache.org/jira/browse/KNOX-3001
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 2.1.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 2.1.0
>
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> KNOX-2804 added a beneficial improvement to Knox's logic for dealing with 
> JSON files and turning them into XML topologies: before the generated topology 
> is persisted, the possible values are XML-escaped to avoid errors in SAXParser.
> However, this might cause backward-compatibility issues in deployments where 
> the data in the given shared provider config or descriptor is already given 
> in an XML-friendly way.
> For instance, using the following shared provider config will result in a bad 
> XML topology:
> {noformat}
> {
>   "providers" : [ {
>     "role" : "webappsec",
>     "name" : "WebAppSec",
>     "enabled" : true,
>     "params" : {
>       "xframe.options.enabled" : "true"
>     }
>   }, {
>     "role" : "authentication",
>     "name" : "ShiroProvider",
>     "enabled" : true,
>     "params" : {
>       "main.ldapContextFactory" : 
> "org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory",
>       "main.ldapRealm" : "org.apache.knox.gateway.shirorealm.KnoxLdapRealm",
>       "main.ldapRealm.authenticationCachingEnabled" : "false",
>       "main.ldapRealm.contextFactory" : "$ldapContextFactory",
>       "main.ldapRealm.contextFactory.authenticationMechanism" : "simple",
>       "main.ldapRealm.contextFactory.url" : "ldap://localhost:33389",
>       "main.ldapRealm.userDnTemplate" : 
> "uid=0ou=people,dc=hadoop,dc=apache,dc=org",
>       "main.ldapRealm.userSearchFilter" : 
> "(&(&(objectclass=person)(sAMAccountName={0}))(|(memberOf=CN=SecXX-users,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)(memberOf=CN=SecXX-rls-serviceuser,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)))",
>       "redirectToUrl" : "/${GATEWAY_PATH}/knoxsso/knoxauth/login.html",
>       "restrictedCookies" : "rememberme,WWW-Authenticate",
>       "sessionTimeout" : "30",
>       "urls./**" : "authcBasic"
>     }
>   }, {
>     "role" : "identity-assertion",
>     "name" : "Default",
>     "enabled" : true,
>     "params" : { }
>   } ],
>   "readOnly" : true
> } {noformat}
> The generated XML:
> {noformat}
> <?xml version="1.0" encoding="utf-8"?>
> <!--==============================================-->
> <!-- DO NOT EDIT. This is an auto-generated file. -->
> <!--==============================================-->
> <topology>
>     <generated>true</generated>
>     <gateway>
>         <provider>
>             <role>webappsec</role>
>             <name>WebAppSec</name>
>             <enabled>true</enabled>
>             <param>
>                 <name>xframe.options.enabled</name>
>                 <value>true</value>
>             </param>
>         </provider>
>         <provider>
>             <role>authentication</role>
>             <name>ShiroProvider</name>
>             <enabled>true</enabled>
>             <param>
>                 <name>main.ldapContextFactory</name>
>                 
> <value>org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory</value>
>             </param>
>             <param>
>                 <name>main.ldapRealm</name>
>                 
> <value>org.apache.knox.gateway.shirorealm.KnoxLdapRealm</value>
>             </param>
>             <param>
>                 <name>main.ldapRealm.authenticationCachingEnabled</name>
>                 <value>false</value>
>             </param>
>             <param>
>                 <name>main.ldapRealm.contextFactory</name>
>                 <value>$ldapContextFactory</value>
>             </param>
>             <param>
>                 
> <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
>                 <value>simple</value>
>             </param>
>             <param>
>                 <name>main.ldapRealm.contextFactory.url</name>
>                 <value>ldap://localhost:33389</value>
>             </param>
>             <param>
>                 <name>main.ldapRealm.userDnTemplate</name>
>                 <value>uid=0ou=people,dc=hadoop,dc=apache,dc=org</value>
>             </param>
>             <param>
>                 <name>main.ldapRealm.userSearchFilter</name>
>                 
> <value>(&amp;amp;(&amp;amp;(objectclass=person)(sAMAccountName={0}))(|(memberOf=CN=SecXX-users,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)(memberOf=CN=SecXX-rls-serviceuser,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)))</value>
>             </param>
>             <param>
>                 <name>redirectToUrl</name>
>                 <value>/${GATEWAY_PATH}/knoxsso/knoxauth/login.html</value>
>             </param>
>             <param>
>                 <name>restrictedCookies</name>
>                 <value>rememberme,WWW-Authenticate</value>
>             </param>
>             <param>
>                 <name>sessionTimeout</name>
>                 <value>30</value>
>             </param>
>             <param>
>                 <name>urls./**</name>
>                 <value>authcBasic</value>
>             </param>
>         </provider>
>         <provider>
>             <role>identity-assertion</role>
>             <name>Default</name>
>             <enabled>true</enabled>
>         </provider>
>     </gateway>    <service>
>         <role>KNOXSSO</role>
>         <param>
>             <name>knoxsso.token.ttl</name>
>             <value>86400000</value>
>         </param>
>         <param>
>             <name>knoxsso.token.sigalg</name>
>             <value></value>
>         </param>
>         <param>
>             <name>knoxsso.redirect.whitelist.regex</name>
>             
> <value>^https?:\/\/(.*smolnar\.root\.xyz\.com)(?::[0-9]+)?(?:\/.*)?$</value>
>         </param>
>     </service>
>     <application>
>         <name>knoxauth</name>
>     </application>
> </topology> {noformat}
> As you can see, the value of {{main.ldapRealm.userSearchFilter}} is 
> double-escaped ({{&amp;amp;}} where {{&amp;}} was intended), which makes the topology invalid.
> Moreover, the previously added XML escape function is meant for XML 1.1 
> documents whereas this code generates XML 1.0, so this should be changed 
> too.


