Posted to commits@atlas.apache.org by ma...@apache.org on 2017/05/16 01:30:46 UTC

incubator-atlas git commit: ATLAS-1767: Support KNOX SSO Token based authentication on Atlas REST API calls

Repository: incubator-atlas
Updated Branches:
  refs/heads/master a0bb46387 -> d7a139e11


ATLAS-1767: Support KNOX SSO Token based authentication on Atlas REST API calls

Signed-off-by: Madhan Neethiraj <ma...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-atlas/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-atlas/commit/d7a139e1
Tree: http://git-wip-us.apache.org/repos/asf/incubator-atlas/tree/d7a139e1
Diff: http://git-wip-us.apache.org/repos/asf/incubator-atlas/diff/d7a139e1

Branch: refs/heads/master
Commit: d7a139e11edd415786208f3c920da8a2f34d26c2
Parents: a0bb463
Author: nixonrodrigues <ni...@apache.org>
Authored: Wed May 3 19:58:04 2017 +0530
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Mon May 15 18:00:44 2017 -0700

----------------------------------------------------------------------
 .../AtlasKnoxSSOAuthenticationFilter.java       | 25 ++++++++++++++------
 1 file changed, 18 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/d7a139e1/webapp/src/main/java/org/apache/atlas/web/filters/AtlasKnoxSSOAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasKnoxSSOAuthenticationFilter.java b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasKnoxSSOAuthenticationFilter.java
index c3219b9..d5fa003 100644
--- a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasKnoxSSOAuthenticationFilter.java
+++ b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasKnoxSSOAuthenticationFilter.java
@@ -28,6 +28,7 @@ import com.nimbusds.jose.crypto.RSASSAVerifier;
 import com.nimbusds.jwt.SignedJWT;
 import org.apache.atlas.ApplicationProperties;
 import org.apache.atlas.web.security.AtlasAuthenticationProvider;
+import org.apache.atlas.web.util.Servlets;
 import org.apache.commons.configuration.Configuration;
 import org.apache.commons.lang.StringUtils;
 import org.json.simple.JSONObject;
@@ -57,6 +58,7 @@ import java.security.interfaces.RSAPublicKey;
 import java.text.ParseException;
 import java.util.Date;
 import java.util.List;
+import org.apache.commons.lang.StringUtils;
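Review bot: The added `import org.apache.commons.lang.StringUtils;` repeats an import the file already has, visible as a context line in the first hunk. Java ignores a repeated single-type import of the same class, so nothing breaks, but the line is redundant and sits after the `java.util` group rather than with the other `org.apache` imports. It should be dropped.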
 
 
 public class AtlasKnoxSSOAuthenticationFilter implements Filter {
@@ -69,6 +71,7 @@ public class AtlasKnoxSSOAuthenticationFilter implements Filter {
     public static final String JWT_ORIGINAL_URL_QUERY_PARAM = "atlas.sso.knox.query.param.originalurl";
     public static final String JWT_COOKIE_NAME_DEFAULT = "hadoop-jwt";
     public static final String JWT_ORIGINAL_URL_QUERY_PARAM_DEFAULT = "originalUrl";
+    public static final String DEFAULT_BROWSER_USERAGENT = "Mozilla,Opera,Chrome";
 
     private SSOAuthenticationProperties jwtProperties;
 
@@ -134,7 +137,7 @@ public class AtlasKnoxSSOAuthenticationFilter implements Filter {
             return;
         }
 
-        if (!isWebUserAgent(httpRequest.getHeader("User-Agent")) || jwtProperties == null || isAuthenticated()) {
+        if (jwtProperties == null || isAuthenticated()) {
             filterChain.doFilter(servletRequest, servletResponse);
             return;
         }
@@ -171,18 +174,24 @@ public class AtlasKnoxSSOAuthenticationFilter implements Filter {
 
                     filterChain.doFilter(servletRequest, httpServletResponse);
                 } else {  // if the token is not valid then redirect to knox sso
-                    redirectToKnox(httpRequest,httpServletResponse);
+                    redirectToKnox(httpRequest, httpServletResponse, filterChain);
                 }
             } catch (ParseException e) {
                 LOG.warn("Unable to parse the JWT token", e);
+                redirectToKnox(httpRequest, httpServletResponse, filterChain);
             }
         } else {
-            redirectToKnox(httpRequest,httpServletResponse);
+            redirectToKnox(httpRequest, httpServletResponse, filterChain);
         }
 
     }
 
-    private void redirectToKnox(HttpServletRequest httpRequest, HttpServletResponse httpServletResponse) throws IOException {
+    private void redirectToKnox(HttpServletRequest httpRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
+
+        if (!isWebUserAgent(httpRequest.getHeader("User-Agent"))) {
+            filterChain.doFilter(httpRequest, httpServletResponse);
+            return;
+        }
 
         String ajaxRequestHeader = httpRequest.getHeader("X-Requested-With");
 
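Review bot: The guard added at the top of `redirectToKnox` passes every request whose `User-Agent` does not match the browser list on to `filterChain.doFilter` with no authentication set by this filter, and that now includes requests whose JWT cookie failed validation or could not be parsed. `User-Agent` is chosen by the client, so this path is safe only if a later filter in the chain authenticates or rejects the request; that filter is not visible here, so the dependency should be stated in a comment such as `// Non-browser client: skip the SSO redirect; a downstream filter must authenticate this request`. The method no longer always redirects, so a Javadoc sentence saying so, or a name that reflects it, would stop readers assuming the response has been committed when it returns. Logging the fall-through at debug level when a token was rejected would also make failed SSO attempts from API clients visible to operators. `redirectToKnox` continues past the end of the hunk and `doFilter` begins before it.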
@@ -403,9 +412,11 @@ public class AtlasKnoxSSOAuthenticationFilter implements Filter {
             jwtProperties.setAuthenticationProviderUrl(providerUrl);
             jwtProperties.setCookieName(configuration.getString(JWT_COOKIE_NAME, JWT_COOKIE_NAME_DEFAULT));
             jwtProperties.setOriginalUrlQueryParam(configuration.getString(JWT_ORIGINAL_URL_QUERY_PARAM, JWT_ORIGINAL_URL_QUERY_PARAM_DEFAULT));
-            String userAgent = configuration.getString(BROWSER_USERAGENT);
-            if (userAgent != null && !userAgent.isEmpty()) {
-                jwtProperties.setUserAgentList(userAgent.split(","));
+            String[] userAgent = configuration.getStringArray(BROWSER_USERAGENT);
+            if (userAgent != null && userAgent.length > 0) {
+                jwtProperties.setUserAgentList(userAgent);
+            } else {
+                jwtProperties.setUserAgentList(DEFAULT_BROWSER_USERAGENT.split(","));
             }
             try {
                 RSAPublicKey publicKey = parseRSAPublicKey(publicKeyPathStr);
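Review bot: The `else` branch changes what happens when `BROWSER_USERAGENT` is not configured: the list is now set from `DEFAULT_BROWSER_USERAGENT` instead of keeping whatever `SSOAuthenticationProperties` holds by default, and neither the constant nor the branch says so. A comment on the constant such as `// Used when the browser user-agent property is unset; requests matching these get the Knox SSO redirect` would document it. The array from `getStringArray` is passed to `setUserAgentList` as-is; if `isWebUserAgent` (not shown) does a plain substring or prefix match, a blank or whitespace-padded entry would change which clients are redirected, so dropping blank entries here may be worthwhile. The enclosing method starts before the hunk and continues after it.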