Posted to dev@knox.apache.org by "Larry McCay (JIRA)" <ji...@apache.org> on 2015/12/10 21:22:11 UTC

[jira] [Commented] (KNOX-640) Make Cookie Domain Configurable

    [ https://issues.apache.org/jira/browse/KNOX-640?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15051580#comment-15051580 ] 

Larry McCay commented on KNOX-640:
----------------------------------

I've had the opportunity to play around with this issue a bit and found:

1. default domains - when one isn't set by KnoxSSO a default domain is used
2. rather than setting a domain for things like ip addresses we should just not set one
3. if a domainSuffix is configured then it can explicitly represent the intention for supporting subdomains for that configured domain
4. if an ip address or localhost is being used then it is fine to limit cookie domain to that particular host (local dev environment)

I am going to change the behavior to first check whether there is a matching domainSuffix. If there is take that as the cookie domain.
If there isn't and the request's hostname is an ip address don't set one and accept the default domain.
If there are fewer than 2 dots in a hostname then don't set one and accept the default.
If there are greater than 2 then strip the first element of the hostname and use the remainder (with leading dot) as the cookie domain.

Tests will be updated to ensure the expected behavior.
This may require that folks who are working from master add additional config to get their previous behavior.

> Make Cookie Domain Configurable
> -------------------------------
>
>                 Key: KNOX-640
>                 URL: https://issues.apache.org/jira/browse/KNOX-640
>             Project: Apache Knox
>          Issue Type: Sub-task
>          Components: Server
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>             Fix For: 0.7.0, 0.8.0
>
>
> In order to provide sufficient control to the administrator that is setting up KnoxSSO, we need to make sure that the cookie domain can be deterministic.
> Current implementation tries to derive the domain from the incoming request hostname which ends up being insufficient in certain use cases. OpenStack environments for instance use hostnames that are hard to tell apart from domains. This causes the domain algorithm to calculate an inappropriate one which results in the cookie not being presented to all intended parties.
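The cookie-domain rules Larry lays out in the comment above, written out as an added illustration (this is not Knox code). Assumptions: a configured domainSuffix "matches" when the hostname ends with it on a label boundary; a matching suffix is returned exactly as configured; the comment says nothing about a hostname with exactly two dots, so this example leaves the domain unset there, the narrower choice, rather than stripping the first label.

```python
import ipaddress
from typing import Optional


def matches_suffix(hostname: str, domain_suffix: Optional[str]) -> bool:
    """Assumption: the suffix matches on a label boundary (case-insensitive)."""
    if not domain_suffix:
        return False
    suffix = domain_suffix.lower().lstrip(".")
    return hostname == suffix or hostname.endswith("." + suffix)


def is_ip_address(hostname: str) -> bool:
    """True for IPv4 or IPv6 literals (IPv6 may be bracketed as in a Host header)."""
    try:
        ipaddress.ip_address(hostname.strip("[]"))
        return True
    except ValueError:
        return False


def derive_cookie_domain(hostname: str, domain_suffix: Optional[str] = None) -> Optional[str]:
    """Return the Domain attribute to set, or None to leave it unset (host-only cookie)."""
    host = hostname.lower().rstrip(".")
    # 1. a matching configured domainSuffix wins and is used as given
    if matches_suffix(host, domain_suffix):
        return domain_suffix
    # 2. IP literals: never set a domain, accept the browser default
    if is_ip_address(host):
        return None
    dots = host.count(".")
    # 3. fewer than two dots (localhost, vm-1234.novalocal): leave unset
    if dots < 2:
        return None
    # 4. more than two dots: drop the first label, keep the rest with a leading dot
    if dots > 2:
        return "." + host.split(".", 1)[1]
    # exactly two dots is not covered by the comment; assumption: leave unset
    return None


if __name__ == "__main__":
    # constructed sample hostnames, not taken from any real deployment
    for name, suffix in [("knox.example.org", "example.org"), ("10.0.0.5", None),
                         ("vm-1234.novalocal", None), ("gw.dc1.example.org", None)]:
        print(f"{name:28} suffix={suffix!s:12} -> {derive_cookie_domain(name, suffix)}")
```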
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)