Posted to commits@ambari.apache.org by ma...@apache.org on 2013/06/07 12:34:35 UTC

svn commit: r1490572 - in /incubator/ambari/trunk: ambari-project/pom.xml ambari-server/pom.xml ambari-server/src/main/java/org/apache/ambari/server/security/SecurityFilter.java

Author: mahadev
Date: Fri Jun  7 10:34:34 2013
New Revision: 1490572

URL: http://svn.apache.org/r1490572
Log:
AMBARI-2283. SecurityFilter does not allow hostnames with non-alphabetic characters. (Ximo Guanter via mahadev)

Modified:
    incubator/ambari/trunk/ambari-project/pom.xml
    incubator/ambari/trunk/ambari-server/pom.xml
    incubator/ambari/trunk/ambari-server/src/main/java/org/apache/ambari/server/security/SecurityFilter.java

Modified: incubator/ambari/trunk/ambari-project/pom.xml
URL: http://svn.apache.org/viewvc/incubator/ambari/trunk/ambari-project/pom.xml?rev=1490572&r1=1490571&r2=1490572&view=diff
==============================================================================
--- incubator/ambari/trunk/ambari-project/pom.xml (original)
+++ incubator/ambari/trunk/ambari-project/pom.xml Fri Jun  7 10:34:34 2013
@@ -148,6 +148,12 @@
         <version>3.1.2.RELEASE</version>
       </dependency>
       <dependency>
+        <groupId>org.springframework</groupId>
+        <artifactId>spring-mock</artifactId>
+        <version>2.0.8</version>
+        <scope>test</scope>
+      </dependency>
+      <dependency>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-ldap</artifactId>
         <version>3.1.2.RELEASE</version>

Modified: incubator/ambari/trunk/ambari-server/pom.xml
URL: http://svn.apache.org/viewvc/incubator/ambari/trunk/ambari-server/pom.xml?rev=1490572&r1=1490571&r2=1490572&view=diff
==============================================================================
--- incubator/ambari/trunk/ambari-server/pom.xml (original)
+++ incubator/ambari/trunk/ambari-server/pom.xml Fri Jun  7 10:34:34 2013
@@ -517,6 +517,11 @@
       <artifactId>spring-security-web</artifactId>
     </dependency>
     <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-mock</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
       <groupId>org.springframework.security</groupId>
       <artifactId>spring-security-ldap</artifactId>
     </dependency>

Modified: incubator/ambari/trunk/ambari-server/src/main/java/org/apache/ambari/server/security/SecurityFilter.java
URL: http://svn.apache.org/viewvc/incubator/ambari/trunk/ambari-server/src/main/java/org/apache/ambari/server/security/SecurityFilter.java?rev=1490572&r1=1490571&r2=1490572&view=diff
==============================================================================
--- incubator/ambari/trunk/ambari-server/src/main/java/org/apache/ambari/server/security/SecurityFilter.java (original)
+++ incubator/ambari/trunk/ambari-server/src/main/java/org/apache/ambari/server/security/SecurityFilter.java Fri Jun  7 10:34:34 2013
@@ -19,6 +19,7 @@
 package org.apache.ambari.server.security;
 
 import java.io.IOException;
+import java.net.URL;
 import java.util.regex.Pattern;
 
 import javax.servlet.Filter;
@@ -49,18 +50,20 @@ public class SecurityFilter implements F
 
     HttpServletRequest req = (HttpServletRequest) serReq;
     String reqUrl = req.getRequestURL().toString();
-	
-    if (serReq.getLocalPort() == AmbariServer.AGENT_ONE_WAY_AUTH) {
+
+    LOG.debug("Filtering " + reqUrl + " for security purposes");
+    if (serReq.getLocalPort() != AmbariServer.AGENT_TWO_WAY_AUTH) {
       if (isRequestAllowed(reqUrl)) {
         filtCh.doFilter(serReq, serResp);
       }
       else {
-        LOG.warn("This request is not allowed on this port");
+        LOG.warn("This request is not allowed on this port: " + reqUrl);
       }
-
-	}
-	else
+    }
+	  else {
+      LOG.debug("Request can continue on secure port " + serReq.getLocalPort());
       filtCh.doFilter(serReq, serResp);
+    }
   }
 
   @Override
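Review bot: A request that fails `isRequestAllowed` is dropped without anything being written to `serResp` — the chain is not invoked and no error is sent, so the client gets an empty response with the container's default status instead of an explicit rejection. Add `((HttpServletResponse) serResp).sendError(HttpServletResponse.SC_FORBIDDEN);` after the warn in the else branch (this needs `javax.servlet.http.HttpServletResponse` in scope). The condition was also inverted from `== AGENT_ONE_WAY_AUTH` to `!= AGENT_TWO_WAY_AUTH`, which, depending on which ports this filter is mapped to, may now apply the certificate-path allow-list to every non-two-way port rather than only the one-way agent port — worth confirming that widening is intended. The added line `+	  else {` still carries a tab in an otherwise space-indented block. doFilter's signature is above the hunk.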
@@ -68,26 +71,30 @@ public class SecurityFilter implements F
   }
 
   private boolean isRequestAllowed(String reqUrl) {
-	try {
+    try {
+      URL url = new URL(reqUrl);
+      if (!"https".equals(url.getProtocol())) {
+        LOG.warn(String.format("Request %s is not using HTTPS", reqUrl));
+        return false;
+      }
+
+      if (Pattern.matches("/cert/ca(/?)", url.getPath())) {
+        return true;
+      }
+
+      if (Pattern.matches("/certs/[^/0-9][^/]*", url.getPath())) {
+        return true;
+      }
+
+      if (Pattern.matches("/resources/.*", url.getPath())) {
+        return true;
+      }
 
-      boolean isMatch = Pattern.matches("https://[A-z]*:[0-9]*/cert/ca[/]*", reqUrl);
-		
-      if (isMatch)
-    	  return true;
-		
-		 isMatch = Pattern.matches("https://[A-z]*:[0-9]*/certs/[A-z0-9-.]*", reqUrl);
-		
-		 if (isMatch)
-			 return true;
-		
-		 isMatch = Pattern.matches("https://[A-z]*:[0-9]*/resources/.*", reqUrl);
-		
-		 if (isMatch)
-			 return true;
-		
-	} catch (Exception e) {
-	}
-  LOG.warn("Request " + reqUrl + " doesn't match any pattern.");
-	return false;
+    } catch (Exception e) {
+      LOG.warn("Exception while validating if request is secure " +
+        e.toString());
+    }
+    LOG.warn("Request " + reqUrl + " doesn't match any pattern.");
+    return false;
   }
 }
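Review bot: The allow-list is matched against `url.getPath()` taken from the raw request URL, whereas the container dispatches on a normalized path, so the string the filter checks is not necessarily the path that will be served; match the normalized form instead, e.g. `URI url = new URI(reqUrl).normalize();` with `url.getScheme()` in place of `getProtocol()`, or have the caller pass the container's request URI. The `/certs/` pattern `[^/0-9][^/]*` rejects any identifier beginning with a digit; if that segment is a hostname, RFC 1123 permits a leading digit, so this may re-introduce the class of problem the commit fixes — confirm the exclusion is deliberate and say why in a comment. `Pattern.matches` recompiles the regex on every request; hoist the three patterns into `private static final Pattern` fields. `catch (Exception e)` only needs `MalformedURLException` here (or `URISyntaxException` with URI); narrowing it avoids masking unrelated failures as a logged allow-list miss.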