Posted to commits@ambari.apache.org by ma...@apache.org on 2013/06/07 12:34:35 UTC
svn commit: r1490572 - in /incubator/ambari/trunk: ambari-project/pom.xml
ambari-server/pom.xml
ambari-server/src/main/java/org/apache/ambari/server/security/SecurityFilter.java
Author: mahadev
Date: Fri Jun 7 10:34:34 2013
New Revision: 1490572
URL: http://svn.apache.org/r1490572
Log:
AMBARI-2283. SecurityFilter does not allow hostnames with non-alphabetic characters. (Ximo Guanter via mahadev)
Modified:
incubator/ambari/trunk/ambari-project/pom.xml
incubator/ambari/trunk/ambari-server/pom.xml
incubator/ambari/trunk/ambari-server/src/main/java/org/apache/ambari/server/security/SecurityFilter.java
Modified: incubator/ambari/trunk/ambari-project/pom.xml
URL: http://svn.apache.org/viewvc/incubator/ambari/trunk/ambari-project/pom.xml?rev=1490572&r1=1490571&r2=1490572&view=diff
==============================================================================
--- incubator/ambari/trunk/ambari-project/pom.xml (original)
+++ incubator/ambari/trunk/ambari-project/pom.xml Fri Jun 7 10:34:34 2013
@@ -148,6 +148,12 @@
<version>3.1.2.RELEASE</version>
</dependency>
<dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-mock</artifactId>
+ <version>2.0.8</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
<version>3.1.2.RELEASE</version>
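Review bot: The new test dependency `org.springframework:spring-mock` at `2.0.8` is, to my knowledge, the last Spring 2.x-era release of that artifact; Spring 3 replaced it with `spring-test`, so pairing it with the `3.1.2.RELEASE` Spring artifacts declared in the same block mixes two generations of the framework's servlet mock classes. Because the artifact is no longer maintained, it also adds an unpatched component to the build's supply chain, even if only at test scope. Consider `<artifactId>spring-test</artifactId>` with `<version>3.1.2.RELEASE</version>` instead, which provides the same mock request/response types. The same artifact is declared, with its version managed from here, in the ambari-server/pom.xml hunk below.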
Modified: incubator/ambari/trunk/ambari-server/pom.xml
URL: http://svn.apache.org/viewvc/incubator/ambari/trunk/ambari-server/pom.xml?rev=1490572&r1=1490571&r2=1490572&view=diff
==============================================================================
--- incubator/ambari/trunk/ambari-server/pom.xml (original)
+++ incubator/ambari/trunk/ambari-server/pom.xml Fri Jun 7 10:34:34 2013
@@ -517,6 +517,11 @@
<artifactId>spring-security-web</artifactId>
</dependency>
<dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-mock</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
</dependency>
Modified: incubator/ambari/trunk/ambari-server/src/main/java/org/apache/ambari/server/security/SecurityFilter.java
URL: http://svn.apache.org/viewvc/incubator/ambari/trunk/ambari-server/src/main/java/org/apache/ambari/server/security/SecurityFilter.java?rev=1490572&r1=1490571&r2=1490572&view=diff
==============================================================================
--- incubator/ambari/trunk/ambari-server/src/main/java/org/apache/ambari/server/security/SecurityFilter.java (original)
+++ incubator/ambari/trunk/ambari-server/src/main/java/org/apache/ambari/server/security/SecurityFilter.java Fri Jun 7 10:34:34 2013
@@ -19,6 +19,7 @@
package org.apache.ambari.server.security;
import java.io.IOException;
+import java.net.URL;
import java.util.regex.Pattern;
import javax.servlet.Filter;
@@ -49,18 +50,20 @@ public class SecurityFilter implements F
HttpServletRequest req = (HttpServletRequest) serReq;
String reqUrl = req.getRequestURL().toString();
-
- if (serReq.getLocalPort() == AmbariServer.AGENT_ONE_WAY_AUTH) {
+
+ LOG.debug("Filtering " + reqUrl + " for security purposes");
+ if (serReq.getLocalPort() != AmbariServer.AGENT_TWO_WAY_AUTH) {
if (isRequestAllowed(reqUrl)) {
filtCh.doFilter(serReq, serResp);
}
else {
- LOG.warn("This request is not allowed on this port");
+ LOG.warn("This request is not allowed on this port: " + reqUrl);
}
-
- }
- else
+ }
+ else {
+ LOG.debug("Request can continue on secure port " + serReq.getLocalPort());
filtCh.doFilter(serReq, serResp);
+ }
}
@Override
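Review bot: The rejection branch in the `else` after `isRequestAllowed` only logs and never writes anything to `serResp`, so a disallowed request on a non-two-way-auth port ends with whatever the container emits for an untouched response (likely an empty 200) rather than an explicit refusal. A client cannot tell "denied" from "succeeded with no body", and the warning records the URL but not who sent it. Consider `((HttpServletResponse) serResp).sendError(HttpServletResponse.SC_FORBIDDEN);` in that branch (needs the `javax.servlet.http.HttpServletResponse` import) and appending `req.getRemoteAddr()` to the warning so the denial can be correlated in the logs. The enclosing doFilter begins before this hunk.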
@@ -68,26 +71,30 @@ public class SecurityFilter implements F
}
private boolean isRequestAllowed(String reqUrl) {
- try {
+ try {
+ URL url = new URL(reqUrl);
+ if (!"https".equals(url.getProtocol())) {
+ LOG.warn(String.format("Request %s is not using HTTPS", reqUrl));
+ return false;
+ }
+
+ if (Pattern.matches("/cert/ca(/?)", url.getPath())) {
+ return true;
+ }
+
+ if (Pattern.matches("/certs/[^/0-9][^/]*", url.getPath())) {
+ return true;
+ }
+
+ if (Pattern.matches("/resources/.*", url.getPath())) {
+ return true;
+ }
- boolean isMatch = Pattern.matches("https://[A-z]*:[0-9]*/cert/ca[/]*", reqUrl);
-
- if (isMatch)
- return true;
-
- isMatch = Pattern.matches("https://[A-z]*:[0-9]*/certs/[A-z0-9-.]*", reqUrl);
-
- if (isMatch)
- return true;
-
- isMatch = Pattern.matches("https://[A-z]*:[0-9]*/resources/.*", reqUrl);
-
- if (isMatch)
- return true;
-
- } catch (Exception e) {
- }
- LOG.warn("Request " + reqUrl + " doesn't match any pattern.");
- return false;
+ } catch (Exception e) {
+ LOG.warn("Exception while validating if request is secure " +
+ e.toString());
+ }
+ LOG.warn("Request " + reqUrl + " doesn't match any pattern.");
+ return false;
}
}
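Review bot: The three `Pattern.matches` calls recompile their regex on every request, and the surrounding `catch (Exception e)` swallows far more than the `MalformedURLException` that `new URL(reqUrl)` can throw, so an unexpected programming error is reported as a "doesn't match any pattern" denial instead of surfacing. Hoist the three expressions into `private static final Pattern` fields compiled once, match them against `url.getPath()`, and narrow the catch to `MalformedURLException` (needs `import java.net.MalformedURLException;`). Separately, `/certs/[^/0-9][^/]*` still rejects agent names whose first character is a digit, which RFC 1123 permits for hostnames; if that exclusion is deliberate, a comment stating why would help, given that the commit message is about accepting non-alphabetic hostnames. The fence below shows the rewritten method with the unchanged parts elided.
```java
  private static final Pattern CA_CERT_PATH = Pattern.compile("/cert/ca(/?)");
  private static final Pattern AGENT_CERT_PATH = Pattern.compile("/certs/[^/0-9][^/]*");
  private static final Pattern RESOURCES_PATH = Pattern.compile("/resources/.*");

  private boolean isRequestAllowed(String reqUrl) {
    try {
      URL url = new URL(reqUrl);
      // … unchanged: https scheme check …
      String path = url.getPath();
      if (CA_CERT_PATH.matcher(path).matches()
          || AGENT_CERT_PATH.matcher(path).matches()
          || RESOURCES_PATH.matcher(path).matches()) {
        return true;
      }
    } catch (MalformedURLException e) {
      LOG.warn("Exception while validating if request is secure " + e.toString());
    }
    // … unchanged: final "doesn't match any pattern" warning and return false …
  }
```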