Posted to commits@knox.apache.org by lm...@apache.org on 2015/10/27 17:45:23 UTC
knox git commit: KNOX-615 Domain Cookies cannot Wildcard IP Addresses
Repository: knox
Updated Branches:
refs/heads/master 0a9f33b03 -> 9c65733f0
KNOX-615 Domain Cookies cannot Wildcard IP Addresses
Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/9c65733f
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/9c65733f
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/9c65733f
Branch: refs/heads/master
Commit: 9c65733f0fb419e88b3ffc84714155555266952b
Parents: 0a9f33b
Author: Larry McCay <lm...@hortonworks.com>
Authored: Tue Oct 27 12:45:14 2015 -0400
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Tue Oct 27 12:45:14 2015 -0400
----------------------------------------------------------------------
gateway-service-knoxsso/pom.xml | 11 +++++-
.../gateway/service/knoxsso/WebSSOResource.java | 15 +++++++-
.../service/knoxsso/WebSSOResourceTest.java | 40 ++++++++++++++++++++
.../org/apache/hadoop/gateway/util/Urls.java | 12 ++++++
4 files changed, 75 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/9c65733f/gateway-service-knoxsso/pom.xml
----------------------------------------------------------------------
diff --git a/gateway-service-knoxsso/pom.xml b/gateway-service-knoxsso/pom.xml
index a138ce6..b3c2d92 100644
--- a/gateway-service-knoxsso/pom.xml
+++ b/gateway-service-knoxsso/pom.xml
@@ -50,5 +50,14 @@
<artifactId>junit</artifactId>
<scope>test</scope>
</dependency>
- </dependencies>
+ <dependency>
+ <groupId>org.apache.knox</groupId>
+ <artifactId>gateway-test-utils</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.easymock</groupId>
+ <artifactId>easymock</artifactId>
+ <scope>test</scope>
+ </dependency> </dependencies>
</project>
http://git-wip-us.apache.org/repos/asf/knox/blob/9c65733f/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
----------------------------------------------------------------------
diff --git a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
index 644d650..475e39b 100644
--- a/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
+++ b/gateway-service-knoxsso/src/main/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResource.java
@@ -40,6 +40,7 @@ import org.apache.hadoop.gateway.services.GatewayServices;
import org.apache.hadoop.gateway.services.security.token.JWTokenAuthority;
import org.apache.hadoop.gateway.services.security.token.TokenServiceException;
import org.apache.hadoop.gateway.services.security.token.impl.JWT;
+import org.apache.hadoop.gateway.util.Urls;
import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
import static javax.ws.rs.core.MediaType.APPLICATION_XML;
@@ -184,14 +185,24 @@ public class WebSSOResource {
response.addCookie(c);
}
- private String getDomainName(String url) throws URISyntaxException {
+ String getDomainName(String url) throws URISyntaxException {
URI uri = new URI(url);
String domain = uri.getHost();
+ // if accessing via ip address do not wildcard the cookie domain
+ if (Urls.isIp(domain)) {
+ return domain;
+ }
+ if (Urls.dotOccurrences(domain) < 2) {
+ if (!domain.startsWith(".")) {
+ domain = "." + domain;
+ }
+ return domain;
+ }
int idx = domain.indexOf('.');
if (idx == -1) {
idx = 0;
}
- return domain.startsWith("www.") ? domain.substring(4) : domain.substring(idx);
+ return domain.substring(idx);
}
private String getCookieValue(HttpServletRequest request, String name) {
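Review bot: `uri.getHost()` returns null when the URL has no parsable host, and `domain` is then passed straight to `Urls.isIp(domain)`, so getDomainName fails with a NullPointerException instead of the declared URISyntaxException. A guard right after the `getHost()` call, such as `if (domain == null) { throw new URISyntaxException(url, "URL has no host"); }`, keeps that failure explicit. IPv6 literals are not handled either: `getHost()` returns them in brackets, `isIp` matches only dotted IPv4, and the `dotOccurrences(domain) < 2` branch would prefix the literal with a dot, giving a cookie domain that clients will not accept. With the new `< 2` early return, the later `if (idx == -1)` check can no longer be true and could be removed.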
http://git-wip-us.apache.org/repos/asf/knox/blob/9c65733f/gateway-service-knoxsso/src/test/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResourceTest.java
----------------------------------------------------------------------
diff --git a/gateway-service-knoxsso/src/test/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResourceTest.java b/gateway-service-knoxsso/src/test/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResourceTest.java
new file mode 100644
index 0000000..769e497
--- /dev/null
+++ b/gateway-service-knoxsso/src/test/java/org/apache/hadoop/gateway/service/knoxsso/WebSSOResourceTest.java
@@ -0,0 +1,40 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.service.knoxsso;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+/**
+ *
+ */
+public class WebSSOResourceTest {
+ @Test
+ public void testDomainNameCreation() throws Exception {
+ WebSSOResource resource = new WebSSOResource();
+ // determine parent domain and wildcard the cookie domain with a dot prefix
+ Assert.assertTrue(resource.getDomainName("http://www.local.com").equals(".local.com"));
+ Assert.assertTrue(resource.getDomainName("http://ljm.local.com").equals(".local.com"));
+ Assert.assertTrue(resource.getDomainName("http://local.home").equals(".local.home"));
+ Assert.assertTrue(resource.getDomainName("http://localhost").equals(".localhost")); // chrome may not allow this
+ Assert.assertTrue(resource.getDomainName("http://local.home.test.com").equals(".home.test.com"));
+
+ // ip addresses can not be wildcarded - may be a completely different domain
+ Assert.assertTrue(resource.getDomainName("http://127.0.0.1").equals("127.0.0.1"));
+ }
+}
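Review bot: The assertions use `Assert.assertTrue(a.equals(b))`, which gives no indication of the returned value on failure; `Assert.assertEquals(".local.com", resource.getDomainName("http://www.local.com"))` would show the actual domain. The cases also omit a two-dot host that sits directly under a multi-label suffix (constructed example: `http://example.co.uk`), for which the dot-counting logic would return `.co.uk`. That scope is wider than the deployment owns, and browsers are expected to refuse to set such a cookie, so a case pinning the intended result for that shape would make the behaviour explicit. The empty `/** */` class comment could state that the test covers cookie-domain derivation for the SSO cookie.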
http://git-wip-us.apache.org/repos/asf/knox/blob/9c65733f/gateway-util-common/src/main/java/org/apache/hadoop/gateway/util/Urls.java
----------------------------------------------------------------------
diff --git a/gateway-util-common/src/main/java/org/apache/hadoop/gateway/util/Urls.java b/gateway-util-common/src/main/java/org/apache/hadoop/gateway/util/Urls.java
index b30a0ef..5255e3a 100644
--- a/gateway-util-common/src/main/java/org/apache/hadoop/gateway/util/Urls.java
+++ b/gateway-util-common/src/main/java/org/apache/hadoop/gateway/util/Urls.java
@@ -17,6 +17,9 @@
*/
package org.apache.hadoop.gateway.util;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
/**
*
*/
@@ -54,4 +57,13 @@ public class Urls {
}
}
+ public static boolean isIp(String domain) {
+ Pattern p = Pattern.compile("^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$");
+ Matcher m = p.matcher(domain);
+ return m.find();
+ }
+
+ public static int dotOccurrences(String domain) {
+ return domain.length() - domain.replace(".", "").length();
+ }
}
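Review bot: `isIp` recompiles its regular expression on every call and tests it with `find()`, where `$` also matches just before a trailing line terminator, so a string ending in a newline is accepted as an address. Hoisting the expression into a `private static final Pattern IPV4_PATTERN` and returning `IPV4_PATTERN.matcher(domain).matches()` removes both issues. Both new public methods throw a NullPointerException on a null `domain` and have no Javadoc; a short comment on each should say that `isIp` recognises dotted-decimal IPv4 only and that `domain` must be non-null. The class body starts outside this hunk.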