Posted to commits@knox.apache.org by lm...@apache.org on 2016/03/08 20:00:08 UTC
knox git commit: KNOX-679 - Make ResponseCookieFilter Configurable
Repository: knox
Updated Branches:
refs/heads/master c2635885d -> a6d4cbab6
KNOX-679 - Make ResponseCookieFilter Configurable
Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/a6d4cbab
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/a6d4cbab
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/a6d4cbab
Branch: refs/heads/master
Commit: a6d4cbab6e36341ed0bc5eccabe49d1277271d74
Parents: c263588
Author: Larry McCay <lm...@hortonworks.com>
Authored: Tue Mar 8 13:59:56 2016 -0500
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Tue Mar 8 13:59:56 2016 -0500
----------------------------------------------------------------------
.../deploy/impl/ShiroDeploymentContributor.java | 32 +++++++++++++++++---
.../gateway/filter/ResponseCookieFilter.java | 30 ++++++++++--------
2 files changed, 46 insertions(+), 16 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/a6d4cbab/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroDeploymentContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroDeploymentContributor.java b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroDeploymentContributor.java
index 04a194d..b050197 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroDeploymentContributor.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/deploy/impl/ShiroDeploymentContributor.java
@@ -21,12 +21,14 @@ import org.apache.hadoop.gateway.deploy.DeploymentContext;
import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
+import org.apache.hadoop.gateway.filter.ResponseCookieFilter;
import org.apache.hadoop.gateway.topology.Provider;
import org.apache.hadoop.gateway.topology.Service;
import org.jboss.shrinkwrap.api.asset.StringAsset;
import org.jboss.shrinkwrap.descriptor.api.webapp30.WebAppDescriptor;
import org.jboss.shrinkwrap.descriptor.api.webcommon30.SessionConfigType;
+import java.util.ArrayList;
import java.util.List;
import java.util.Map;
@@ -37,6 +39,7 @@ public class ShiroDeploymentContributor extends ProviderDeploymentContributorBas
private static final String POST_FILTER_CLASSNAME = "org.apache.hadoop.gateway.filter.ShiroSubjectIdentityAdapter";
private static final String COOKIE_FILTER_CLASSNAME = "org.apache.hadoop.gateway.filter.ResponseCookieFilter";
private static final String SESSION_TIMEOUT = "sessionTimeout";
+ private static final String REMEMBER_ME = "rememberme";
private static final String SHRIO_CONFIG_FILE_NAME = "shiro.ini";
private static final int DEFAULT_SESSION_TIMEOUT = 30; // 30min
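Review bot: The new default `REMEMBER_ME = "rememberme"` is all lower case, while the default this commit removes from ResponseCookieFilter was `"rememberMe"` and the filter still compares with a case-sensitive `value.contains( v )`. If the cookie to be withheld is still spelled `rememberMe`, the default no longer matches it and the cookie passes through to the client. I would keep the original spelling, `private static final String REMEMBER_ME = "rememberMe";`, or make the comparison in the filter case-insensitive.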
@@ -88,7 +91,8 @@ public class ShiroDeploymentContributor extends ProviderDeploymentContributorBas
}
@Override
- public void contributeFilter( DeploymentContext context, Provider provider, Service service, ResourceDescriptor resource, List<FilterParamDescriptor> params ) {
+ public void contributeFilter( DeploymentContext context, Provider provider,
+ Service service, ResourceDescriptor resource, List<FilterParamDescriptor> params ) {
// Leveraging a third party filter is a primary usecase for Knox
// in order to do so, we need to make sure that the end result of the third party integration
// puts a standard javax.security.auth.Subject on the current thread through a doAs.
@@ -97,8 +101,28 @@ public class ShiroDeploymentContributor extends ProviderDeploymentContributorBas
// You may also need to do some additional processing of the response in order to not return cookies or other
// filter specifics that are not needed for integration with Knox. Below we do that in the pre-processing filter.
- resource.addFilter().name( "Pre" + getName() ).role( getRole() ).impl( COOKIE_FILTER_CLASSNAME ).params( params );
- resource.addFilter().name( getName() ).role( getRole() ).impl( SHIRO_FILTER_CLASSNAME ).params( params );
- resource.addFilter().name( "Post" + getName() ).role( getRole() ).impl( POST_FILTER_CLASSNAME ).params( params );
+ if (params == null) {
+ params = new ArrayList<FilterParamDescriptor>();
+ }
+ Map<String, String> providerParams = provider.getParams();
+ String cookies = providerParams.get( ResponseCookieFilter.RESTRICTED_COOKIES );
+ if (cookies == null) {
+ params.add( resource.createFilterParam()
+ .name( ResponseCookieFilter.RESTRICTED_COOKIES )
+ .value( REMEMBER_ME ) );
+ }
+ else {
+ params.add( resource.createFilterParam()
+ .name(ResponseCookieFilter.RESTRICTED_COOKIES ).value( cookies ) );
+ }
+
+ resource.addFilter().name( "Pre" + getName() ).role(
+ getRole() ).impl( COOKIE_FILTER_CLASSNAME ).params( params );
+ params.clear();
+
+ resource.addFilter().name( getName() ).role(
+ getRole() ).impl( SHIRO_FILTER_CLASSNAME ).params( params );
+ resource.addFilter().name( "Post" + getName() ).role(
+ getRole() ).impl( POST_FILTER_CLASSNAME ).params( params );
}
}
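Review bot: `params.clear()` empties the same list that was just handed to the "Pre" filter and that the caller passed in, so whether the cookie filter keeps its `restrictedCookies` parameter depends on `params( ... )` copying the list, which this hunk does not show. It also means the Shiro and "Post" filters now always receive an empty list, where before they received the caller's params. A separate list for the cookie filter avoids both problems: create `List<FilterParamDescriptor> cookieParams = new ArrayList<FilterParamDescriptor>();`, add the restricted-cookies param to it, pass it to the "Pre" filter, and leave `params` untouched. `provider.getParams()` is also dereferenced without a null check; worth confirming it cannot return null.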
http://git-wip-us.apache.org/repos/asf/knox/blob/a6d4cbab/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ResponseCookieFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ResponseCookieFilter.java b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ResponseCookieFilter.java
index 4d31e10..28af445 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ResponseCookieFilter.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ResponseCookieFilter.java
@@ -19,6 +19,7 @@
package org.apache.hadoop.gateway.filter;
import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
@@ -29,8 +30,19 @@ import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
-
public class ResponseCookieFilter extends AbstractGatewayFilter {
+ public static final String RESTRICTED_COOKIES = "restrictedCookies";
+
+ protected static List<String> restrictedCookies = new ArrayList<String>();
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ super.init(filterConfig);
+ String cookies = filterConfig.getInitParameter(RESTRICTED_COOKIES);
+ if (cookies != null) {
+ restrictedCookies = Arrays.asList(cookies.split(","));
+ }
+ }
@Override
protected void doFilter( HttpServletRequest request, HttpServletResponse response, FilterChain chain ) throws IOException, ServletException {
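Review bot: `restrictedCookies` is declared `static` but assigned in `init`, so every ResponseCookieFilter instance in the same class loader shares one list and the last filter initialised decides what all of them block. For a filter whose job is to keep cookies from reaching the client, that makes the effective policy depend on deployment order. An instance field would do, `private List<String> restrictedCookies = new ArrayList<String>();`, since the inner ResponseWrapper is a non-static class and can read it. The entries from `cookies.split(",")` are not trimmed, and an empty entry would match every name under `contains`, so I would trim them and drop empty strings. doFilter's body continues outside the hunk.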
@@ -40,32 +52,31 @@ public class ResponseCookieFilter extends AbstractGatewayFilter {
// inner class wraps response to prevent adding of not allowed headers
private class ResponseWrapper extends HttpServletResponseWrapper {
-
public ResponseWrapper( HttpServletResponse response ) {
super( response );
}
public void addCookie( Cookie cookie ) {
- if( cookie != null && isAllowedHeaderValue( cookie.getValue() ) ) {
+ if( cookie != null && isAllowedHeader( cookie.getName() ) ) {
super.addCookie( cookie );
}
}
public void setHeader( String name, String value ) {
- if( isAllowedHeaderValue( value ) ) {
+ if( isAllowedHeader( name ) ) {
super.setHeader( name, value );
}
}
public void addHeader( String name, String value ) {
- if( isAllowedHeaderValue( value ) ) {
+ if( isAllowedHeader( name ) ) {
super.addHeader( name, value );
}
}
- private boolean isAllowedHeaderValue( String value ) {
+ private boolean isAllowedHeader( String value ) {
if( value != null ) {
- for( String v : restrictedCookieValues ) {
+ for( String v : restrictedCookies ) {
if( value.contains( v ) ) {
return false;
}
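Review bot: `setHeader` and `addHeader` now test the header name against the restricted cookie names, so a `Set-Cookie` header whose value carries a restricted cookie is no longer stopped; only cookies added through `addCookie` are filtered. If the upstream filter writes its cookie as a raw header (worth checking for Shiro), the restricted cookie reaches the client again. I would keep a value check for cookie headers in both methods, e.g. `if( !"Set-Cookie".equalsIgnoreCase( name ) || isAllowedHeader( value ) )`. `isAllowedHeader` also matches with `contains`, so a restricted name that is a substring of another cookie's name blocks that cookie too; in `addCookie` an `equals` on the cookie name would be more exact. The closing lines of `isAllowedHeader` fall outside this hunk.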
@@ -74,9 +85,4 @@ public class ResponseCookieFilter extends AbstractGatewayFilter {
return true;
}
}
-
- private final static List<String> restrictedCookieValues = new ArrayList<String>(
- Arrays.asList( "rememberMe" )
- );
-
}