Posted to commits@ranger.apache.org by ma...@apache.org on 2015/12/04 02:34:45 UTC

[3/6] incubator-ranger git commit: RANGER-759 : Fix Ranger Knox SSO logout/session expired issues

RANGER-759 : Fix Ranger Knox SSO logout/session expired issues


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/10d755ac
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/10d755ac
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/10d755ac

Branch: refs/heads/tag-policy
Commit: 10d755acd15d4b7a604571838559eca0e9f44150
Parents: af8377f
Author: Gautam Borad <ga...@apache.org>
Authored: Wed Dec 2 14:23:10 2015 +0530
Committer: Gautam Borad <ga...@apache.org>
Committed: Thu Dec 3 09:02:08 2015 +0530

----------------------------------------------------------------------
 .../CustomLogoutSuccessHandler.java             |  2 ++
 .../RangerAuthenticationEntryPoint.java         |  1 +
 .../filter/RangerSSOAuthenticationFilter.java   | 33 ++++++++++++++------
 .../webapp/scripts/views/common/ProfileBar.js   | 25 ++++++++-------
 4 files changed, 39 insertions(+), 22 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/10d755ac/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java
index 6a91834..237fb50 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java
@@ -43,6 +43,8 @@ public class CustomLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler
 			HttpServletResponse response, Authentication authentication)
 			throws IOException, ServletException {
 
+		request.getServletContext().removeAttribute(request.getRequestedSessionId());
+		
 		response.setContentType("application/json;charset=UTF-8");
 		response.setHeader("Cache-Control", "no-cache");
 		response.setHeader("X-Frame-Options", "DENY");
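Review bot: The added `removeAttribute` call uses `request.getRequestedSessionId()` directly as a ServletContext attribute name, so a client-supplied cookie value becomes a key in the application-wide attribute namespace that the container and frameworks also use. The value is also null when the request carries no session id, which some containers may reject. A fixed prefix and a null guard would confine the call to this feature's own entries, e.g. `String sid = request.getRequestedSessionId(); if (sid != null) { request.getServletContext().removeAttribute("ranger.locallogin." + sid); }` (the prefix is illustrative). The same key would then be needed in the `setAttribute` in RangerAuthenticationEntryPoint and in the lookup in RangerSSOAuthenticationFilter.doFilter. The method body starts and ends outside the hunk.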

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/10d755ac/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
index 0b61498..b3d59eb 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
@@ -133,6 +133,7 @@ public class RangerAuthenticationEntryPoint extends
 			if(requestURL.contains(RangerSSOAuthenticationFilter.LOCAL_LOGIN_URL)){
 				if (request.getSession() != null)
 					request.getSession().setAttribute("locallogin","true");
+					request.getServletContext().setAttribute(request.getSession().getId(), "locallogin");
 			}
 			super.commence(request, response, authException);
 		}
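Review bot: The added `setAttribute` line is indented as if it were under `if (request.getSession() != null)`, but that `if` has no braces, so it guards only the session `setAttribute` and the new line runs whenever the URL matches. `getSession()` without an argument creates a session rather than returning null, so this probably does not fail today, but wrapping both statements in `{ ... }` would make the code match its indentation. Separately, the context entry is removed only on logout or when the stale id is presented again, so ids of sessions that expire and never return appear to accumulate in the ServletContext; an `HttpSessionListener` clearing the entry in `sessionDestroyed` would bound that.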

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/10d755ac/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
index af3c58a..f79db6b 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
@@ -108,26 +108,37 @@ public class RangerSSOAuthenticationFilter implements Filter {
 	@Override
 	public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)throws IOException, ServletException {
 		
+		HttpServletRequest httpRequest = (HttpServletRequest)servletRequest;
+        if (httpRequest.getRequestedSessionId() != null && !httpRequest.isRequestedSessionIdValid())
+        {   
+        	if(httpRequest.getServletContext().getAttribute(httpRequest.getRequestedSessionId()) != null && httpRequest.getServletContext().getAttribute(httpRequest.getRequestedSessionId()).toString().equals("locallogin")){
+        		ssoEnabled = false;
+        		httpRequest.getSession().setAttribute("locallogin","true");
+        		httpRequest.getServletContext().removeAttribute(httpRequest.getRequestedSessionId());
+        	}
+        }		
+		
 		RangerSecurityContext context = RangerContextHolder.getSecurityContext();
 		UserSessionBase session = context != null ? context.getUserSession() : null;
 		ssoEnabled = session != null ? session.isSSOEnabled() : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false);
 		
-		String userAgent = ((HttpServletRequest)servletRequest).getHeader("User-Agent");
-		if(((HttpServletRequest) servletRequest).getSession() != null){
-			if(((HttpServletRequest) servletRequest).getSession().getAttribute("locallogin") != null){
+		String userAgent = httpRequest.getHeader("User-Agent");
+		if(httpRequest.getSession() != null){
+			if(httpRequest.getSession().getAttribute("locallogin") != null){
 				ssoEnabled = false;
 				servletRequest.setAttribute("ssoEnabled", false);
 				filterChain.doFilter(servletRequest, servletResponse);
 				return;
 			}
-		}
+		}		
+		
 		//If sso is enable and request is not for local login and is from browser then it will go inside and try for knox sso authentication 
-		if (ssoEnabled && !((HttpServletRequest) servletRequest).getRequestURI().contains(LOCAL_LOGIN_URL) && isWebUserAgent(userAgent)) {
+		if (ssoEnabled && !httpRequest.getRequestURI().contains(LOCAL_LOGIN_URL) && isWebUserAgent(userAgent)) {
 			//if jwt properties are loaded and is current not authenticated then it will go for sso authentication
+			//Note : Need to remove !isAuthenticated() after knoxsso solve the bug from cross-origin script
 			if (jwtProperties != null && !isAuthenticated()) {
-				HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
 				HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
-				String serializedJWT = getJWTFromCookie(httpServletRequest);
+				String serializedJWT = getJWTFromCookie(httpRequest);
 				// if we get the hadoop-jwt token from the cookies then will process it further
 				if (serializedJWT != null) {
 					SignedJWT jwtToken = null;
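Review bot: The `ssoEnabled = false;` assignment in the new expired-session block has no effect, because `ssoEnabled` is reassigned unconditionally a few lines later from the user session or `ranger.sso.enabled`; the local-login path works only through the `locallogin` session attribute set next to it. `ssoEnabled` looks like a field of the filter (it is assigned without a declaration in this hunk), and a filter instance serves concurrent requests, so per-request state would be safer in a local variable. The repeated `getAttribute(...)` lookup can be collapsed to `"locallogin".equals(ctx.getAttribute(sid))` with `ctx` and `sid` read once. doFilter continues past the end of the hunk.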
@@ -144,9 +155,11 @@ public class RangerSSOAuthenticationFilter implements Filter {
 							if (userName != null && !userName.trim().isEmpty()) {
 								final List<GrantedAuthority> grantedAuths = new ArrayList<>();
 								grantedAuths.add(new SimpleGrantedAuthority(rangerLdapDefaultRole));
+								grantedAuths.add(new SimpleGrantedAuthority("ROLE_SYS_ADMIN"));
+								grantedAuths.add(new SimpleGrantedAuthority("ROLE_KEY_ADMIN"));
 								final UserDetails principal = new User(userName, "",grantedAuths);
 								final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, "", grantedAuths);
-								WebAuthenticationDetails webDetails = new WebAuthenticationDetails(httpServletRequest);
+								WebAuthenticationDetails webDetails = new WebAuthenticationDetails(httpRequest);
 								((AbstractAuthenticationToken) finalAuthentication).setDetails(webDetails);
 								RangerAuthenticationProvider authenticationProvider = new RangerAuthenticationProvider();
 								authenticationProvider.setSsoEnabled(ssoEnabled);
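Review bot: The two added authorities give `ROLE_SYS_ADMIN` and `ROLE_KEY_ADMIN` to every user name taken from a valid SSO token, regardless of who the user is. Unless `RangerAuthenticationProvider.authenticate` discards these and reloads roles from Ranger's own user record (not visible here), any Knox-authenticated user would be treated as both system and key administrator. I would drop both lines, keep only `rangerLdapDefaultRole` in `grantedAuths`, and let the role lookup for `userName` decide admin rights. If they are a temporary workaround, that should be stated in a comment with a tracking issue. The enclosing block starts and ends outside the hunk.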
@@ -158,7 +171,7 @@ public class RangerSSOAuthenticationFilter implements Filter {
 						}
 						// if the token is not valid then redirect to knox sso  
 						else {
-							String ssourl = constructLoginURL(httpServletRequest);
+							String ssourl = constructLoginURL(httpRequest);
 							if(LOG.isDebugEnabled())
 								LOG.debug("SSO URL = " + ssourl);
 							httpServletResponse.sendRedirect(ssourl);
@@ -169,7 +182,7 @@ public class RangerSSOAuthenticationFilter implements Filter {
 				}
 				// if the jwt token is not available then redirect it to knox sso 
 				else {
-					String ssourl = constructLoginURL(httpServletRequest);
+					String ssourl = constructLoginURL(httpRequest);
 					if(LOG.isDebugEnabled())
 						LOG.debug("SSO URL = " + ssourl);
 					httpServletResponse.sendRedirect(ssourl);

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/10d755ac/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js b/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js
index 0bb9648..c6301c3 100644
--- a/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js
+++ b/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js
@@ -49,10 +49,10 @@ define(function(require){
 		events: function() {
 			var events = {};
 			//events['change ' + this.ui.input]  = 'onInputChange';
-			events['click ' + this.ui.logout]  = 'onLogout';
+			events['click ' + this.ui.logout]  = 'checkKnoxSSO';
 			return events;
 		},
-		onLogout : function(){
+		onLogout : function(checksso){
 			var url = 'security-admin-web/logout.html',
 			that = this;
 			$.ajax({
@@ -62,8 +62,15 @@ define(function(require){
 					"cache-control" : "no-cache"
 				},
 				success : function() {
-					that.checkKnoxSSO()
-//					window.location.replace('login.jsp');
+					if(!_.isUndefined(checksso) && checksso){
+						if(checksso == 'false'){
+							window.location.replace('locallogin');
+						}else{
+							window.location.replace('');
+						}
+					} else {
+						window.location.replace('login.jsp');
+					}
 				},
 				error : function(jqXHR, textStatus, err ) {
 				}
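Review bot: The test `checksso == 'false'` matches only the string form of the `checksso` response. If that response is parsed as JSON, the value is the boolean `false`, which fails the outer `checksso` test and sends the user to `login.jsp` instead of `locallogin`. Normalising first, e.g. `var sso = String(checksso);` and then comparing `sso === 'false'` and `sso === 'true'`, would make the three cases explicit. The `error` callback of the logout request is still empty, so a failed logout leaves the page unchanged with the session possibly still valid; redirecting to `login.jsp` or showing a message there would help.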
@@ -71,7 +78,7 @@ define(function(require){
 			});
 		},
 		checkKnoxSSO : function(){
-			var url = 'service/plugins/checksso';
+			var that =this, url = 'service/plugins/checksso';
 			$.ajax({
 				url : url,
 				type : 'GET',
@@ -79,19 +86,13 @@ define(function(require){
 					"cache-control" : "no-cache"
 				},
 				success : function(resp) {
-					console.log(resp)
-					if(!_.isUndefined(resp) && resp){
-						window.location.replace('');
-					} else {
-						window.location.replace('login.jsp');
-					}
+					that.onLogout(resp);
 				},
 				error : function(jqXHR, textStatus, err ) {
 					if( jqXHR.status == 419 ){
 						window.location.replace('login.jsp');
 					}
 				}
-				
 			});
 		},
     	/**
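Review bot: Logout is now sent only from the `success` callback of the `checksso` request, and the `error` callback handles just status 419. Any other failure of that GET means the logout click does nothing and the server session stays alive. Calling `that.onLogout();` in the error path for non-419 statuses would keep logout independent of the SSO check. checkKnoxSSO begins in the previous hunk.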