[
https://issues.apache.org/jira/browse/METRON-1895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16707226#comment-16707226
]
ASF GitHub Bot commented on METRON-1895:
----------------------------------------
Github user justinleet commented on a diff in the pull request:
https://github.com/apache/metron/pull/1281#discussion_r237919747
--- Diff:
metron-interface/metron-rest/src/main/java/org/apache/metron/rest/config/KnoxSSOAuthenticationFilter.java
---
@@ -0,0 +1,314 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.metron.rest.config;
+
+import com.nimbusds.jose.JWSObject;
+import com.nimbusds.jose.JWSVerifier;
+import com.nimbusds.jose.crypto.RSASSAVerifier;
+import com.nimbusds.jwt.SignedJWT;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.ldap.core.AttributesMapper;
+import org.springframework.ldap.core.LdapTemplate;
+import org.springframework.ldap.support.LdapNameBuilder;
+import
org.springframework.security.authentication.AbstractAuthenticationToken;
+import
org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import
org.springframework.security.web.authentication.WebAuthenticationDetails;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.PublicKey;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.RSAPublicKey;
+import java.text.ParseException;
+import java.util.Date;
+import java.util.List;
+import java.util.stream.Collectors;
+
+import static org.springframework.ldap.query.LdapQueryBuilder.query;
+
+/**
+ * This class is a Servlet Filter that authenticates a Knox SSO token.
The token is stored in a cookie and is
+ * verified against a public Knox key. The token expiration and begin
time are also validated. Upon successful validation,
+ * a Spring Authentication object is built from the user name and user
groups queried from LDAP. Currently, user groups are
+ * mapped directly to Spring roles and prepended with "ROLE_".
+ */
+public class KnoxSSOAuthenticationFilter implements Filter {
+ private static final Logger LOG =
LoggerFactory.getLogger(KnoxSSOAuthenticationFilter.class);
+
+ private String userSearchBase;
+ private Path knoxKeyFile;
+ private String knoxKeyString;
+ private String knoxCookie;
+ private LdapTemplate ldapTemplate;
+
+ public KnoxSSOAuthenticationFilter(String userSearchBase,
+ Path knoxKeyFile,
+ String knoxKeyString,
+ String knoxCookie,
+ LdapTemplate ldapTemplate) throws
IOException, CertificateException {
+ this.userSearchBase = userSearchBase;
+ this.knoxKeyFile = knoxKeyFile;
+ this.knoxKeyString = knoxKeyString;
+ this.knoxCookie = knoxCookie;
+ if (ldapTemplate == null) {
+ throw new IllegalStateException("KnoxSSO requires LDAP. You must add
'ldap' to the active profiles.");
+ }
+ this.ldapTemplate = ldapTemplate;
+ }
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ }
+
+ @Override
+ public void destroy() {
+ }
+
+ /**
+ * Extracts the Knox token from the configured cookie. If basic
authentication headers are present, SSO authentication
+ * is skipped.
+ * @param request
+ * @param response
+ * @param chain
+ * @throws IOException
+ * @throws ServletException
+ */
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain)
--- End diff --
Several of the Exceptions throughout the class don't get thrown. Can you
drop them from the method sigs?
> Add Knox SSO as an option in Metron
> -----------------------------------
>
> Key: METRON-1895
> URL: https://issues.apache.org/jira/browse/METRON-1895
> Project: Metron
> Issue Type: New Feature
> Reporter: Ryan Merriman
> Priority: Major
>
> This feature will enable accessing Metron REST and the UIs through Knox's SSO
> mechanism.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
