Posted to commits@knox.apache.org by mo...@apache.org on 2017/09/01 13:17:06 UTC
[08/64] [partial] knox git commit: KNOX-998 - Refactoring save 1
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/deploy/PicketlinkConf.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/deploy/PicketlinkConf.java b/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/deploy/PicketlinkConf.java
new file mode 100644
index 0000000..5b3b6e0
--- /dev/null
+++ b/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/deploy/PicketlinkConf.java
@@ -0,0 +1,194 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.picketlink.deploy;
+
+/**
+ * Provides a serializable configuration file for adding to
+ * the webapp as an XML string for picketlink.xml
+ *
+ */
+public class PicketlinkConf {
+ public static final String INDENT = " ";
+ public static final String LT_OPEN = "<";
+ public static final String LT_CLOSE = "</";
+ public static final String GT = ">";
+ public static final String GT_CLOSE = "/>";
+ public static final String NL = "\n";
+ public static final String PICKETLINK_XMLNS = "urn:picketlink:identity-federation:config:2.1";
+ public static final String PICKETLINK_SP_XMLNS = "urn:picketlink:identity-federation:config:1.0";
+ public static final String C14N_METHOD = "http://www.w3.org/2001/10/xml-exc-c14n#";
+ public static final String KEYPROVIDER_ELEMENT = "KeyProvider";
+ public static final String KEYPROVIDER_CLASSNAME = "org.picketlink.identity.federation.core.impl.KeyStoreKeyManager";
+ public static final String AUTH_HANDLER_CLASSNAME = "org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler";
+ public static final String ROLE_GEN_HANDLER_CLASSNAME = "org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler";
+ public static final String PICKETLINK_ELEMENT = "PicketLink";
+ public static final String PICKETLINKSP_ELEMENT = "PicketLinkSP";
+ public static final String HANDLERS_ELEMENT = "Handlers";
+ public static final String HANDLER_ELEMENT = "Handler";
+ public static final String OPTION_ELEMENT = "Option";
+ public static final String VAL_ALIAS_ELEMENT = "ValidatingAlias";
+ public static final String AUTH_ELEMENT = "Auth";
+
+ private String serverEnvironment = "jetty";
+ private String bindingType = "POST";
+ private String idpUsesPostingBinding = "true";
+ private String supportsSignatures = "true";
+ private String identityURL = null;
+ private String serviceURL = null;
+ private String keystoreURL = null;
+ private String keystorePass = null;
+ private String signingKeyAlias = null;
+ private String signingKeyPass = null;
+ private String validatingKeyAlias = null;
+ private String validatingKeyValue = null;
+ private String nameIDFormat = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";
+ private String clockSkewMilis = null;
+ private String assertionSessionAttributeName = "org.picketlink.sp.assertion";
+
+ public String getServerEnvironment() {
+ return serverEnvironment;
+ }
+ public void setServerEnvironment(String serverEnvironment) {
+ this.serverEnvironment = serverEnvironment;
+ }
+ public String getBindingType() {
+ return bindingType;
+ }
+ public void setBindingType(String bindingType) {
+ this.bindingType = bindingType;
+ }
+ public String getIdpUsesPostingBinding() {
+ return idpUsesPostingBinding;
+ }
+ public void setIdpUsesPostingBinding(String idpUsesPostingBinding) {
+ this.idpUsesPostingBinding = idpUsesPostingBinding;
+ }
+ public String getSupportsSignatures() {
+ return supportsSignatures;
+ }
+ public void setSupportsSignatures(String supportsSignatures) {
+ this.supportsSignatures = supportsSignatures;
+ }
+ public String getIdentityURL() {
+ return identityURL;
+ }
+ public void setIdentityURL(String identityURL) {
+ this.identityURL = identityURL;
+ }
+ public String getServiceURL() {
+ return serviceURL;
+ }
+ public void setServiceURL(String serviceURL) {
+ this.serviceURL = serviceURL;
+ }
+ public String getKeystoreURL() {
+ return keystoreURL;
+ }
+ public void setKeystoreURL(String keystoreURL) {
+ this.keystoreURL = keystoreURL;
+ }
+ public String getKeystorePass() {
+ return keystorePass;
+ }
+ public void setKeystorePass(String keystorePass) {
+ this.keystorePass = keystorePass;
+ }
+ public String getSigningKeyAlias() {
+ return signingKeyAlias;
+ }
+ public void setSigningKeyAlias(String signingKeyAlias) {
+ this.signingKeyAlias = signingKeyAlias;
+ }
+ public String getSigningKeyPass() {
+ return signingKeyPass;
+ }
+ public void setSigningKeyPass(String signingKeyPass) {
+ this.signingKeyPass = signingKeyPass;
+ }
+ public String getValidatingKeyAlias() {
+ return validatingKeyAlias;
+ }
+ public void setValidatingAliasKey(String validatingKeyAlias) {
+ this.validatingKeyAlias = validatingKeyAlias;
+ }
+ public String getValidatingKeyValue() {
+ return validatingKeyValue;
+ }
+ public void setValidatingAliasValue(String validatingKeyValue) {
+ this.validatingKeyValue = validatingKeyValue;
+ }
+ public String getNameIDFormat() {
+ return nameIDFormat;
+ }
+ public void setNameIDFormat(String nameIDFormat) {
+ this.nameIDFormat = nameIDFormat;
+ }
+ public String getClockSkewMilis() {
+ return clockSkewMilis;
+ }
+ public void setClockSkewMilis(String clockSkewMilis) {
+ this.clockSkewMilis = clockSkewMilis;
+ }
+ public String getAssertionSessionAttributeName() {
+ return assertionSessionAttributeName;
+ }
+ public void setAssertionSessionAttributeName(
+ String assertionSessionAttributeName) {
+ this.assertionSessionAttributeName = assertionSessionAttributeName;
+ }
+ @Override
+ public String toString() {
+ // THIS IS HORRID REPLACE WITH DOM+TRANSFORM
+ StringBuffer xml = new StringBuffer();
+ xml.append("<?xml version=\"1.0\" encoding=\"UTF-8\" ?>").append(NL)
+ .append(LT_OPEN).append(PICKETLINK_ELEMENT).append(" xmlns=\"").append(PICKETLINK_XMLNS).append("\"" + GT).append(NL)
+ .append(INDENT).append(LT_OPEN).append(PICKETLINKSP_ELEMENT).append(" xmlns=\"").append(PICKETLINK_SP_XMLNS + "\"").append(NL)
+ .append(INDENT).append(INDENT).append("ServerEnvironment").append("=\"").append(serverEnvironment).append("\"").append(NL)
+ .append(INDENT).append(INDENT).append("BindingType").append("=\"").append(bindingType).append("\"").append(NL)
+ .append(INDENT).append(INDENT).append("IDPUsesPostBinding").append("=\"").append(idpUsesPostingBinding).append("\"").append(NL)
+ .append(INDENT).append(INDENT).append("SupportsSignatures").append("=\"").append(supportsSignatures).append("\"").append(NL)
+ .append(INDENT).append(INDENT).append("CanonicalizationMethod").append("=\"").append(C14N_METHOD).append("\"").append(GT).append(NL).append(NL)
+ .append(INDENT).append(INDENT).append(LT_OPEN).append("IdentityURL").append(GT).append(identityURL).append(LT_CLOSE).append("IdentityURL").append(GT).append(NL)
+ .append(INDENT).append(INDENT).append(LT_OPEN).append("ServiceURL").append(GT).append(serviceURL).append(LT_CLOSE).append("ServiceURL").append(GT).append(NL)
+ .append(INDENT).append(INDENT).append(LT_OPEN).append(KEYPROVIDER_ELEMENT).append(" ").append("ClassName=\"").append(KEYPROVIDER_CLASSNAME + "\"" + GT).append(NL)
+ .append(INDENT).append(INDENT).append(INDENT).append(LT_OPEN).append(AUTH_ELEMENT).append(" Key=\"KeyStoreURL\" Value=\"").append(keystoreURL).append("\"").append(GT_CLOSE).append(NL)
+ .append(INDENT).append(INDENT).append(INDENT).append(LT_OPEN).append(AUTH_ELEMENT).append(" Key=\"KeyStorePass\" Value=\"").append(keystorePass).append("\"").append(GT_CLOSE).append(NL)
+ .append(INDENT).append(INDENT).append(INDENT).append(LT_OPEN).append(AUTH_ELEMENT).append(" Key=\"SigningKeyAlias\" Value=\"").append(signingKeyAlias).append("\"").append(GT_CLOSE).append(NL)
+ .append(INDENT).append(INDENT).append(INDENT).append(LT_OPEN).append(AUTH_ELEMENT).append(" Key=\"SigningKeyPass\" Value=\"").append(signingKeyPass).append("\"").append(GT_CLOSE).append(NL)
+ .append(INDENT).append(INDENT).append(INDENT).append(LT_OPEN).append(VAL_ALIAS_ELEMENT).append(" Key=\"").append(validatingKeyAlias).append("\" Value=\"").append(validatingKeyValue).append("\"").append(GT_CLOSE).append(NL)
+ .append(INDENT).append(INDENT).append(LT_CLOSE).append(KEYPROVIDER_ELEMENT).append(GT).append(NL)
+ .append(INDENT).append(LT_CLOSE).append(PICKETLINKSP_ELEMENT).append(GT).append(NL)
+ .append(INDENT).append(LT_OPEN).append(HANDLERS_ELEMENT).append(GT).append(NL)
+ .append(INDENT).append(INDENT).append(LT_OPEN).append(HANDLER_ELEMENT).append(" class=\"").append(AUTH_HANDLER_CLASSNAME).append("\">").append(NL)
+ .append(INDENT).append(INDENT).append(INDENT).append(LT_OPEN).append(OPTION_ELEMENT).append(" Key=\"NAMEID_FORMAT\" Value=\"").append(nameIDFormat).append("\"").append(GT_CLOSE).append(NL)
+ .append(INDENT).append(INDENT).append(INDENT).append(LT_OPEN).append(OPTION_ELEMENT).append(" Key=\"CLOCK_SKEW_MILIS\" Value=\"").append(clockSkewMilis).append("\"").append(GT_CLOSE).append(NL)
+ .append(INDENT).append(INDENT).append(INDENT).append(LT_OPEN).append(OPTION_ELEMENT).append(" Key=\"ASSERTION_SESSION_ATTRIBUTE_NAME\" Value=\"").append(assertionSessionAttributeName).append("\"").append(GT_CLOSE).append(NL)
+ .append(INDENT).append(INDENT).append(LT_CLOSE).append(HANDLER_ELEMENT).append(GT).append(NL)
+ .append(INDENT).append(INDENT).append(LT_OPEN).append(HANDLER_ELEMENT).append(" class=\"").append(ROLE_GEN_HANDLER_CLASSNAME).append("\"/>").append(NL)
+ .append(INDENT).append(LT_CLOSE).append(HANDLERS_ELEMENT).append(GT).append(NL)
+ .append(LT_CLOSE).append(PICKETLINK_ELEMENT).append(GT).append(NL);
+
+ return xml.toString();
+ }
+
+ public static void main(String[] args) {
+ PicketlinkConf conf = new PicketlinkConf();
+ System.out.println(conf.toString());
+ }
+
+}
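Review bot: toString() appends the configured values (identityURL, serviceURL, keystoreURL, keystorePass, signingKeyPass, validatingKeyAlias/validatingKeyValue, nameIDFormat, clockSkewMilis, assertionSessionAttributeName) into the XML with no escaping, so a value containing `"`, `&` or `<` yields a malformed picketlink.xml or changes the attribute/element structure; several of these come from topology provider params per the sibling contributor hunk. Every variable should pass through an escaping helper before it is appended. Unset fields also render as the literal text `null` (e.g. `<IdentityURL>null</IdentityURL>`), which is better omitted or rejected than emitted. The `StringBuffer` could be a `StringBuilder` since it never leaves the method, and the setter names `setValidatingAliasKey`/`setValidatingAliasValue` do not pair with the getters `getValidatingKeyAlias`/`getValidatingKeyValue`.
```java
/** Escapes the XML special characters so a configured value cannot alter the document structure. */
private static String escapeXml(String value) {
    if (value == null) {
        return "";
    }
    StringBuilder out = new StringBuilder(value.length());
    for (char ch : value.toCharArray()) {
        switch (ch) {
            case '&':  out.append("&amp;");  break;
            case '<':  out.append("&lt;");   break;
            case '>':  out.append("&gt;");   break;
            case '"':  out.append("&quot;"); break;
            case '\'': out.append("&apos;"); break;
            default:   out.append(ch);
        }
    }
    return out.toString();
}

// in toString(): each field is wrapped the same way, e.g.
.append(INDENT).append(INDENT).append(LT_OPEN).append("IdentityURL").append(GT).append(escapeXml(identityURL)).append(LT_CLOSE).append("IdentityURL").append(GT).append(NL)
// … unchanged: remaining element/attribute appends, each wrapping its field in escapeXml(...) …
```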
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/deploy/PicketlinkFederationProviderContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/deploy/PicketlinkFederationProviderContributor.java b/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/deploy/PicketlinkFederationProviderContributor.java
new file mode 100644
index 0000000..d13bdaa
--- /dev/null
+++ b/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/deploy/PicketlinkFederationProviderContributor.java
@@ -0,0 +1,132 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.picketlink.deploy;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+
+import org.apache.knox.gateway.deploy.DeploymentContext;
+import org.apache.knox.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.knox.gateway.descriptor.FilterParamDescriptor;
+import org.apache.knox.gateway.descriptor.ResourceDescriptor;
+import org.apache.knox.gateway.i18n.messages.MessagesFactory;
+import org.apache.knox.gateway.picketlink.PicketlinkMessages;
+import org.apache.knox.gateway.services.security.AliasService;
+import org.apache.knox.gateway.services.security.AliasServiceException;
+import org.apache.knox.gateway.services.security.MasterService;
+import org.apache.knox.gateway.topology.Provider;
+import org.apache.knox.gateway.topology.Service;
+import org.jboss.shrinkwrap.api.asset.StringAsset;
+import org.picketlink.identity.federation.web.filters.ServiceProviderContextInitializer;
+
+public class PicketlinkFederationProviderContributor extends
+ ProviderDeploymentContributorBase {
+ private static final String ROLE = "federation";
+ private static final String NAME = "Picketlink";
+ private static final String PICKETLINK_FILTER_CLASSNAME = "org.picketlink.identity.federation.web.filters.SPFilter";
+ private static final String CAPTURE_URL_FILTER_CLASSNAME = "CaptureOriginalURLFilter";
+ private static final String IDENTITY_ADAPTER_CLASSNAME = "PicketlinkIdentityAdapter";
+ private static final String IDENTITY_URL_PARAM = "identity.url";
+ private static final String SERVICE_URL_PARAM = "service.url";
+ private static final String KEYSTORE_URL_PARAM = "keystore.url";
+ private static final String SIGNINGKEY_ALIAS = "gateway-identity";
+ private static final String VALIDATING_ALIAS_KEY = "validating.alias.key";
+ private static final String VALIDATING_ALIAS_VALUE = "validating.alias.value";
+ private static final String CLOCK_SKEW_MILIS = "clock.skew.milis";
+ private static PicketlinkMessages log = MessagesFactory.get( PicketlinkMessages.class );
+
+ private MasterService ms = null;
+ private AliasService as = null;
+
+ @Override
+ public String getRole() {
+ return ROLE;
+ }
+
+ @Override
+ public String getName() {
+ return NAME;
+ }
+
+ public void setMasterService(MasterService ms) {
+ this.ms = ms;
+ }
+
+ public void setAliasService(AliasService as) {
+ this.as = as;
+ }
+
+ @Override
+ public void initializeContribution(DeploymentContext context) {
+ super.initializeContribution(context);
+ }
+
+ @Override
+ public void contributeProvider(DeploymentContext context, Provider provider) {
+ // LJM TODO: consider creating a picketlink configuration provider to
+ // handle the keystore secrets without putting them in a config file directly.
+ // Once that is done then we can remove the unneeded gateway services from those
+ // that are available to providers.
+ context.getWebAppDescriptor().createListener().listenerClass( ServiceProviderContextInitializer.class.getName());
+
+ PicketlinkConf config = new PicketlinkConf( );
+ Map<String,String> params = provider.getParams();
+ config.setIdentityURL(params.get(IDENTITY_URL_PARAM));
+ config.setServiceURL(params.get(SERVICE_URL_PARAM));
+ config.setKeystoreURL(params.get(KEYSTORE_URL_PARAM));
+ if (ms != null) {
+ config.setKeystorePass(new String(ms.getMasterSecret()));
+ }
+ config.setSigningKeyAlias(SIGNINGKEY_ALIAS);
+ if (as != null) {
+ char[] passphrase = null;
+ try {
+ passphrase = as.getGatewayIdentityPassphrase();
+ config.setSigningKeyPass(new String(passphrase));
+ } catch (AliasServiceException e) {
+ log.unableToGetGatewayIdentityPassphrase(e);
+ }
+ }
+ config.setValidatingAliasKey(params.get(VALIDATING_ALIAS_KEY));
+ config.setValidatingAliasValue(params.get(VALIDATING_ALIAS_VALUE));
+ config.setClockSkewMilis(params.get(CLOCK_SKEW_MILIS));
+ String configStr = config.toString();
+ if( config != null ) {
+ context.getWebArchive().addAsWebInfResource( new StringAsset( configStr ), "picketlink.xml" );
+ }
+ }
+
+ @Override
+ public void contributeFilter(DeploymentContext context, Provider provider, Service service,
+ ResourceDescriptor resource, List<FilterParamDescriptor> params) {
+ // blindly add all the provider params as filter init params
+ if (params == null) {
+ params = new ArrayList<FilterParamDescriptor>();
+ }
+ Map<String, String> providerParams = provider.getParams();
+ for(Entry<String, String> entry : providerParams.entrySet()) {
+ params.add( resource.createFilterParam().name( entry.getKey().toLowerCase() ).value( entry.getValue() ) );
+ }
+ resource.addFilter().name( getName() ).role( getRole() ).impl( CAPTURE_URL_FILTER_CLASSNAME ).params( params );
+ resource.addFilter().name( getName() ).role( getRole() ).impl( PICKETLINK_FILTER_CLASSNAME ).params( params );
+ resource.addFilter().name( getName() ).role( getRole() ).impl( IDENTITY_ADAPTER_CLASSNAME ).params( params );
+ }
+
+}
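Review bot: The `if( config != null )` guard at the end of contributeProvider is dead — `config` was constructed a few lines earlier and `config.toString()` has already been invoked on it — so it should either be dropped or guard what can actually be missing, the provider params, e.g. `if (params.get(IDENTITY_URL_PARAM) != null && params.get(SERVICE_URL_PARAM) != null)` (absent params currently end up as the text `null` inside picketlink.xml). The same method writes the master secret and the gateway identity passphrase in clear text into WEB-INF/picketlink.xml, which the LJM TODO comment already records; until that is resolved a comment on the `setKeystorePass` line such as `// NOTE: master secret is serialized in clear text into picketlink.xml — see TODO above` keeps the trade-off visible to the next reader. In contributeFilter, `entry.getKey().toLowerCase()` should be `entry.getKey().toLowerCase(Locale.ROOT)` so filter-param names do not depend on the JVM locale, and the single `params` list instance is attached to all three filters, so any later mutation through one filter descriptor is seen by the other two.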
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/filter/CaptureOriginalURLFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/filter/CaptureOriginalURLFilter.java b/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/filter/CaptureOriginalURLFilter.java
new file mode 100644
index 0000000..b062013
--- /dev/null
+++ b/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/filter/CaptureOriginalURLFilter.java
@@ -0,0 +1,89 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.picketlink.filter;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.knox.gateway.i18n.messages.MessagesFactory;
+import org.apache.knox.gateway.picketlink.PicketlinkMessages;
+
+import java.io.IOException;
+
+public class CaptureOriginalURLFilter implements Filter {
+ private static PicketlinkMessages log = MessagesFactory.get( PicketlinkMessages.class );
+ private static final String COOKIE_PATH = "cookie.path";
+ private static final String COOKIE_SECURE = "cookie.secure";
+ private String cookiePath = null;
+ private String cookieSecure = null;
+
+ @Override
+ public void init( FilterConfig filterConfig ) throws ServletException {
+ cookiePath = filterConfig.getInitParameter(COOKIE_PATH);
+ if (cookiePath == null) {
+ cookiePath = "/gateway/idp/knoxsso/api/v1/websso";
+ }
+ cookieSecure = filterConfig.getInitParameter(COOKIE_SECURE);
+ if (cookieSecure == null) {
+ cookieSecure = "true";
+ }
+ }
+
+ @Override
+ public void doFilter( ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain ) throws IOException, ServletException {
+ String original = null;
+ HttpServletRequest request = (HttpServletRequest)servletRequest;
+ String url = request.getParameter("originalUrl");
+ if (url != null) {
+ log.foundOriginalURLInRequest(url);
+ original = request.getParameter("originalUrl");
+ log.settingCookieForOriginalURL();
+ addCookie(servletResponse, original);
+ }
+ filterChain.doFilter(request, servletResponse);
+ }
+
+ @Override
+ public void destroy() {
+
+ }
+
+ private void addCookie(ServletResponse servletResponse, String original) {
+ Cookie c = new Cookie("original-url", original);
+ c.setPath(cookiePath);
+ c.setHttpOnly(true);
+ boolean secureOnly = true;
+ if (cookieSecure != null) {
+ secureOnly = ("false".equals(cookieSecure) ? false : true);
+ if (!secureOnly) {
+ log.secureFlagFalseForCookie();
+ }
+ }
+ c.setSecure(secureOnly);
+ c.setMaxAge(60);
+ ((HttpServletResponse)servletResponse).addCookie(c);
+ }
+
+}
\ No newline at end of file
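Review bot: The `originalUrl` request parameter is copied into the `original-url` cookie by `addCookie(servletResponse, original)` without any check on its form; if that cookie is later consumed as a post-login redirect target (its consumer is outside this hunk), an absolute URL naming an unrelated host would be honoured, so the filter should only store values that are relative to the gateway or whose host matches the request. A small predicate evaluated before `addCookie` keeps that policy in one place; it needs `java.net.URI` and `java.net.URISyntaxException` imported, and comparing against `request.getServerName()` is the minimal form — a configured host allow-list is stronger because the server name can follow the Host header. The second `request.getParameter("originalUrl")` can simply reuse `url`. In addCookie the `if (cookieSecure != null)` test is always true because init() defaults the field to "true", so `boolean secureOnly = !"false".equals(cookieSecure);` expresses the same thing.
```java
String url = request.getParameter("originalUrl");
if (url != null && isGatewayRelative(request, url)) {
    log.foundOriginalURLInRequest(url);
    log.settingCookieForOriginalURL();
    addCookie(servletResponse, url);
}
// … unchanged: filterChain.doFilter(request, servletResponse) …

/** Accepts a path-relative URL, or an absolute one whose host equals the host this request arrived on. */
private static boolean isGatewayRelative(HttpServletRequest request, String url) {
    try {
        URI target = new URI(url);
        if (target.getScheme() == null && target.getHost() == null) {
            return target.getPath() != null && target.getPath().startsWith("/");
        }
        return target.getHost() != null && target.getHost().equalsIgnoreCase(request.getServerName());
    } catch (URISyntaxException e) {
        return false;
    }
}
```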
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/filter/PicketlinkIdentityAdapter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/filter/PicketlinkIdentityAdapter.java b/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/filter/PicketlinkIdentityAdapter.java
new file mode 100644
index 0000000..e3811b4
--- /dev/null
+++ b/gateway-provider-security-picketlink/src/main/java/org/apache/knox/gateway/picketlink/filter/PicketlinkIdentityAdapter.java
@@ -0,0 +1,102 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.picketlink.filter;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import javax.security.auth.Subject;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.knox.gateway.audit.api.Action;
+import org.apache.knox.gateway.audit.api.ActionOutcome;
+import org.apache.knox.gateway.audit.api.AuditService;
+import org.apache.knox.gateway.audit.api.AuditServiceFactory;
+import org.apache.knox.gateway.audit.api.Auditor;
+import org.apache.knox.gateway.audit.api.ResourceType;
+import org.apache.knox.gateway.audit.log4j.audit.AuditConstants;
+import org.apache.knox.gateway.filter.AbstractGatewayFilter;
+import org.apache.knox.gateway.security.PrimaryPrincipal;
+
+public class PicketlinkIdentityAdapter implements Filter {
+
+ private static AuditService auditService = AuditServiceFactory.getAuditService();
+ private static Auditor auditor = auditService.getAuditor(
+ AuditConstants.DEFAULT_AUDITOR_NAME, AuditConstants.KNOX_SERVICE_NAME,
+ AuditConstants.KNOX_COMPONENT_NAME );
+
+
+ @Override
+ public void init( FilterConfig filterConfig ) throws ServletException {
+ }
+
+ public void destroy() {
+ }
+
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+ throws IOException, ServletException {
+
+ HttpServletRequest httpRequest = (HttpServletRequest) request;
+ String username = httpRequest.getUserPrincipal().getName();
+ PrimaryPrincipal pp = new PrimaryPrincipal(username);
+ Subject subject = new Subject();
+ subject.getPrincipals().add(pp);
+
+ Principal principal = (Principal) subject.getPrincipals(PrimaryPrincipal.class);
+ auditService.getContext().setUsername( principal.getName() );
+ String sourceUri = (String)request.getAttribute( AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME );
+ auditor.audit( Action.AUTHENTICATION , sourceUri, ResourceType.URI, ActionOutcome.SUCCESS );
+
+ doAs(request, response, chain, subject);
+ }
+
+ private void doAs(final ServletRequest request,
+ final ServletResponse response, final FilterChain chain, Subject subject)
+ throws IOException, ServletException {
+ try {
+ Subject.doAs(
+ subject,
+ new PrivilegedExceptionAction<Object>() {
+ public Object run() throws Exception {
+ chain.doFilter(request, response);
+ return null;
+ }
+ }
+ );
+ }
+ catch (PrivilegedActionException e) {
+ Throwable t = e.getCause();
+ if (t instanceof IOException) {
+ throw (IOException) t;
+ }
+ else if (t instanceof ServletException) {
+ throw (ServletException) t;
+ }
+ else {
+ throw new ServletException(t);
+ }
+ }
+ }
+}
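Review bot: `(Principal) subject.getPrincipals(PrimaryPrincipal.class)` in doFilter cannot work: `Subject.getPrincipals(Class)` returns a `Set<PrimaryPrincipal>`, so the cast throws ClassCastException on every request; the principal just added is already in hand, so the two lines reduce to `auditService.getContext().setUsername( pp.getName() );`. `httpRequest.getUserPrincipal()` is also dereferenced unchecked; whether the upstream SPFilter guarantees a principal is not visible here, so a guard such as `if (httpRequest.getUserPrincipal() == null) { ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }` turns a would-be NPE into an explicit denial and needs `javax.servlet.http.HttpServletResponse` imported. `doFilter` and `destroy` should carry `@Override` as `init` does, and the `PrivilegedExceptionAction` anonymous class could be a lambda if the module targets Java 8.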
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-picketlink/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
----------------------------------------------------------------------
diff --git a/gateway-provider-security-picketlink/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor b/gateway-provider-security-picketlink/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
deleted file mode 100644
index ec4affc..0000000
--- a/gateway-provider-security-picketlink/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
+++ /dev/null
@@ -1,19 +0,0 @@
-##########################################################################
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-##########################################################################
-
-org.apache.hadoop.gateway.picketlink.deploy.PicketlinkFederationProviderContributor
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-picketlink/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor
----------------------------------------------------------------------
diff --git a/gateway-provider-security-picketlink/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor b/gateway-provider-security-picketlink/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor
new file mode 100644
index 0000000..2d6b75c
--- /dev/null
+++ b/gateway-provider-security-picketlink/src/main/resources/META-INF/services/org.apache.knox.gateway.deploy.ProviderDeploymentContributor
@@ -0,0 +1,19 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+
+org.apache.knox.gateway.picketlink.deploy.PicketlinkFederationProviderContributor
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-picketlink/src/test/java/org/apache/hadoop/gateway/picketlink/PicketlinkTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-picketlink/src/test/java/org/apache/hadoop/gateway/picketlink/PicketlinkTest.java b/gateway-provider-security-picketlink/src/test/java/org/apache/hadoop/gateway/picketlink/PicketlinkTest.java
deleted file mode 100644
index 4ef3088..0000000
--- a/gateway-provider-security-picketlink/src/test/java/org/apache/hadoop/gateway/picketlink/PicketlinkTest.java
+++ /dev/null
@@ -1,31 +0,0 @@
-
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.picketlink;
-
-import junit.framework.TestCase;
-
-import org.apache.hadoop.gateway.services.security.token.impl.JWTToken;
-import org.junit.Test;
-
-public class PicketlinkTest extends TestCase {
- @Test
- public void testPicketlink() throws Exception {
- assertTrue(true);
- }
-}
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-picketlink/src/test/java/org/apache/knox/gateway/picketlink/PicketlinkTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-picketlink/src/test/java/org/apache/knox/gateway/picketlink/PicketlinkTest.java b/gateway-provider-security-picketlink/src/test/java/org/apache/knox/gateway/picketlink/PicketlinkTest.java
new file mode 100644
index 0000000..92edc98
--- /dev/null
+++ b/gateway-provider-security-picketlink/src/test/java/org/apache/knox/gateway/picketlink/PicketlinkTest.java
@@ -0,0 +1,30 @@
+
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.picketlink;
+
+import junit.framework.TestCase;
+
+import org.junit.Test;
+
+public class PicketlinkTest extends TestCase {
+ @Test
+ public void testPicketlink() throws Exception {
+ assertTrue(true);
+ }
+}
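Review bot: `testPicketlink` only asserts `assertTrue(true)`, so this new class exercises nothing in the picketlink provider; if it is intentionally a placeholder until real coverage exists, say so, e.g. `// TODO: placeholder test; no picketlink behaviour is exercised yet`. The class also extends the JUnit 3 `junit.framework.TestCase` while annotating the method with JUnit 4 `@Test`; under a JUnit 3 runner the annotation is ignored and the `test` name prefix is what makes the method run, so pick one style (a plain class with `@Test` and `org.junit.Assert.assertTrue`, or `TestCase` without the annotation). The blank line before the license header at the top of the file is also unusual for this repository and worth dropping.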
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/PreAuthMessages.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/PreAuthMessages.java
deleted file mode 100644
index 5b2e991..0000000
--- a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/PreAuthMessages.java
+++ /dev/null
@@ -1,26 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.preauth;
-
-import org.apache.hadoop.gateway.i18n.messages.Message;
-import org.apache.hadoop.gateway.i18n.messages.MessageLevel;
-import org.apache.hadoop.gateway.i18n.messages.Messages;
-
-@Messages(logger="org.apache.hadoop.gateway.provider.global.csrf")
-public interface PreAuthMessages {
-}
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/deploy/HeaderPreAuthContributor.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/deploy/HeaderPreAuthContributor.java
deleted file mode 100644
index 52d2131..0000000
--- a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/deploy/HeaderPreAuthContributor.java
+++ /dev/null
@@ -1,66 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.preauth.deploy;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-import java.util.Map.Entry;
-
-import org.apache.hadoop.gateway.deploy.DeploymentContext;
-import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
-import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
-import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
-import org.apache.hadoop.gateway.topology.Provider;
-import org.apache.hadoop.gateway.topology.Service;
-
-public class HeaderPreAuthContributor extends
- ProviderDeploymentContributorBase {
- private static final String ROLE = "federation";
- private static final String NAME = "HeaderPreAuth";
- private static final String PREAUTH_FILTER_CLASSNAME = "org.apache.hadoop.gateway.preauth.filter.HeaderPreAuthFederationFilter";
-
- @Override
- public String getRole() {
- return ROLE;
- }
-
- @Override
- public String getName() {
- return NAME;
- }
-
- @Override
- public void initializeContribution(DeploymentContext context) {
- super.initializeContribution(context);
- }
-
- @Override
- public void contributeFilter(DeploymentContext context, Provider provider, Service service,
- ResourceDescriptor resource, List<FilterParamDescriptor> params) {
- // blindly add all the provider params as filter init params
- if (params == null) {
- params = new ArrayList<FilterParamDescriptor>();
- }
- Map<String, String> providerParams = provider.getParams();
- for(Entry<String, String> entry : providerParams.entrySet()) {
- params.add( resource.createFilterParam().name( entry.getKey().toLowerCase() ).value( entry.getValue() ) );
- }
- resource.addFilter().name( getName() ).role( getRole() ).impl( PREAUTH_FILTER_CLASSNAME ).params( params );
- }
-}
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/AbstractPreAuthFederationFilter.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/AbstractPreAuthFederationFilter.java
deleted file mode 100644
index fa4df69..0000000
--- a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/AbstractPreAuthFederationFilter.java
+++ /dev/null
@@ -1,144 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.preauth.filter;
-
-import java.io.IOException;
-import java.security.Principal;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
-import java.util.List;
-import java.util.Set;
-
-import javax.security.auth.Subject;
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import com.google.common.annotations.VisibleForTesting;
-
-import org.apache.hadoop.gateway.audit.api.Action;
-import org.apache.hadoop.gateway.audit.api.ActionOutcome;
-import org.apache.hadoop.gateway.audit.api.AuditService;
-import org.apache.hadoop.gateway.audit.api.AuditServiceFactory;
-import org.apache.hadoop.gateway.audit.api.Auditor;
-import org.apache.hadoop.gateway.audit.api.ResourceType;
-import org.apache.hadoop.gateway.audit.log4j.audit.AuditConstants;
-import org.apache.hadoop.gateway.filter.AbstractGatewayFilter;
-import org.apache.hadoop.gateway.security.PrimaryPrincipal;
-
-/**
- *
- */
-public abstract class AbstractPreAuthFederationFilter implements Filter {
-
- private List<PreAuthValidator> validators = null;
- private FilterConfig filterConfig;
- private static AuditService auditService = AuditServiceFactory.getAuditService();
- private static Auditor auditor = auditService.getAuditor(
- AuditConstants.DEFAULT_AUDITOR_NAME, AuditConstants.KNOX_SERVICE_NAME,
- AuditConstants.KNOX_COMPONENT_NAME );
-
- /**
- *
- */
- public AbstractPreAuthFederationFilter() {
- super();
- }
-
- @Override
- public void init(FilterConfig filterConfig) throws ServletException {
- this.filterConfig = filterConfig;
- validators = PreAuthService.getValidators(filterConfig);
- }
-
- @VisibleForTesting
- public List<PreAuthValidator> getValidators() {
- return validators;
- }
-
- @Override
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
- throws IOException, ServletException {
- HttpServletRequest httpRequest = (HttpServletRequest)request;
- String principal = getPrimaryPrincipal(httpRequest);
- if (principal != null) {
- if (PreAuthService.validate(httpRequest, filterConfig, validators)) {
- Subject subject = new Subject();
- subject.getPrincipals().add(new PrimaryPrincipal(principal));
- addGroupPrincipals(httpRequest, subject.getPrincipals());
- auditService.getContext().setUsername( principal ); //KM: Audit Fix
- String sourceUri = (String)request.getAttribute( AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME );
- auditor.audit( Action.AUTHENTICATION , sourceUri, ResourceType.URI, ActionOutcome.SUCCESS );
- doAs(httpRequest, response, chain, subject);
- }
- else {
- // TODO: log preauthenticated SSO validation failure
- ((HttpServletResponse)response).sendError(HttpServletResponse.SC_FORBIDDEN, "SSO Validation Failure.");
- }
- }
- else {
- ((HttpServletResponse)response).sendError(HttpServletResponse.SC_FORBIDDEN, "Missing Required Header for PreAuth SSO Federation");
- }
- }
-
- @Override
- public void destroy() {
- }
-
- private void doAs(final ServletRequest request, final ServletResponse response, final FilterChain chain, Subject subject)
- throws IOException, ServletException {
- try {
- Subject.doAs(
- subject,
- new PrivilegedExceptionAction<Object>() {
- public Object run() throws Exception {
- chain.doFilter(request, response);
- return null;
- }
- }
- );
- }
- catch (PrivilegedActionException e) {
- Throwable t = e.getCause();
- if (t instanceof IOException) {
- throw (IOException) t;
- }
- else if (t instanceof ServletException) {
- throw (ServletException) t;
- }
- else {
- throw new ServletException(t);
- }
- }
- }
-
- /**
- * @param httpRequest
- */
- abstract protected String getPrimaryPrincipal(HttpServletRequest httpRequest);
-
- /**
- * @param principals
- */
- abstract protected void addGroupPrincipals(HttpServletRequest request, Set<Principal> principals);
-}
\ No newline at end of file
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/DefaultValidator.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/DefaultValidator.java
deleted file mode 100644
index fe1cec5..0000000
--- a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/DefaultValidator.java
+++ /dev/null
@@ -1,56 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.preauth.filter;
-
-import javax.servlet.FilterConfig;
-import javax.servlet.http.HttpServletRequest;
-
-/**
- * @since 0.12
- * This class implements the default Validator where really no validation is performed.
- * TODO: log the fact that there is no verification going on to validate
- * + who is asserting the identity with the a header. Without some validation
- * + we are assuming the network security is the primary protection method.
- */
-public class DefaultValidator implements PreAuthValidator {
- public static final String DEFAULT_VALIDATION_METHOD_VALUE = "preauth.default.validation";
-
- public DefaultValidator() {
- }
-
- /**
- * @param httpRequest
- * @param filterConfig
- * @return true if validated, otherwise false
- * @throws PreAuthValidationException
- */
- @Override
- public boolean validate(HttpServletRequest httpRequest, FilterConfig filterConfig) throws PreAuthValidationException {
- return true;
- }
-
- /**
- * Return unique validator name
- *
- * @return name of validator
- */
- @Override
- public String getName() {
- return DEFAULT_VALIDATION_METHOD_VALUE;
- }
-}
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/HeaderPreAuthFederationFilter.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/HeaderPreAuthFederationFilter.java
deleted file mode 100644
index df88849..0000000
--- a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/HeaderPreAuthFederationFilter.java
+++ /dev/null
@@ -1,72 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.preauth.filter;
-
-import java.security.Principal;
-import java.util.Set;
-
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-
-import org.apache.hadoop.gateway.security.GroupPrincipal;
-
-
-public class HeaderPreAuthFederationFilter extends AbstractPreAuthFederationFilter {
- static final String CUSTOM_HEADER_PARAM = "preauth.custom.header";
- static final String CUSTOM_GROUP_HEADER_PARAM = "preauth.custom.group.header";
- String headerName = "SM_USER";
- String groupHeaderName = null;
-
- @Override
- public void init(FilterConfig filterConfig) throws ServletException {
- super.init(filterConfig);
- String customHeader = filterConfig.getInitParameter(CUSTOM_HEADER_PARAM);
- if (customHeader != null) {
- headerName = customHeader;
- }
- String customGroupHeader = filterConfig.getInitParameter(CUSTOM_GROUP_HEADER_PARAM);
- if (customGroupHeader != null) {
- groupHeaderName = customGroupHeader;
- }
- }
-
- /**
- * @param httpRequest
- */
- @Override
- protected String getPrimaryPrincipal(HttpServletRequest httpRequest) {
- return httpRequest.getHeader(headerName);
- }
-
- /**
- * @param principals
- */
- @Override
- protected void addGroupPrincipals(HttpServletRequest request, Set<Principal> principals) {
- if (groupHeaderName != null) {
- String headers = request.getHeader(groupHeaderName);
- if (headers != null) {
- String[] groups = headers.split(",");
- for (int i = 0; i < groups.length; i++) {
- principals.add(new GroupPrincipal(groups[i]));
- }
- }
- }
- }
-}
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/IPValidator.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/IPValidator.java
deleted file mode 100644
index 9df23b5..0000000
--- a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/IPValidator.java
+++ /dev/null
@@ -1,58 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.preauth.filter;
-
-import javax.servlet.FilterConfig;
-import javax.servlet.http.HttpServletRequest;
-
-import org.apache.hadoop.gateway.util.IpAddressValidator;
-
-/**
- *
- */
-public class IPValidator implements PreAuthValidator {
- public static final String IP_ADDRESSES_PARAM = "preauth.ip.addresses";
- public static final String IP_VALIDATION_METHOD_VALUE = "preauth.ip.validation";
-
- public IPValidator() {
- }
-
- /**
- * @param httpRequest
- * @param filterConfig
- * @return true if validated, otherwise false
- * @throws PreAuthValidationException
- */
- @Override
- public boolean validate(HttpServletRequest httpRequest, FilterConfig filterConfig)
- throws PreAuthValidationException {
- String ipParam = filterConfig.getInitParameter(IP_ADDRESSES_PARAM);
- IpAddressValidator ipv = new IpAddressValidator(ipParam);
- return ipv.validateIpAddress(httpRequest.getRemoteAddr());
- }
-
- /**
- * Return unique validator name
- *
- * @return name of validator
- */
- @Override
- public String getName() {
- return IP_VALIDATION_METHOD_VALUE;
- }
-}
\ No newline at end of file
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthFederationFilter.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthFederationFilter.java
deleted file mode 100644
index 27ae803..0000000
--- a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthFederationFilter.java
+++ /dev/null
@@ -1,142 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.preauth.filter;
-
-import java.io.IOException;
-import java.security.AccessController;
-import java.security.Principal;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
-import java.util.List;
-
-import javax.security.auth.Subject;
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.hadoop.gateway.security.PrimaryPrincipal;
-
-public class PreAuthFederationFilter implements Filter {
- private static final String CUSTOM_HEADER_PARAM = "preauth.customHeader";
- private List<PreAuthValidator> validators = null;
- private FilterConfig filterConfig;
- private String headerName = "SM_USER";
-
- @Override
- public void init(FilterConfig filterConfig) throws ServletException {
- String customHeader = filterConfig.getInitParameter(CUSTOM_HEADER_PARAM);
- if (customHeader != null) {
- headerName = customHeader;
- }
- this.filterConfig = filterConfig;
- validators = PreAuthService.getValidators(filterConfig);
- }
-
- @Override
- public void doFilter(ServletRequest request, ServletResponse response,
- FilterChain chain) throws IOException, ServletException {
- HttpServletRequest httpRequest = (HttpServletRequest) request;
- if (httpRequest.getHeader(headerName) != null) {
- if (PreAuthService.validate(httpRequest, filterConfig, validators)) {
- // TODO: continue as subject
- chain.doFilter(request, response);
- } else {
- // TODO: log preauthenticated SSO validation failure
- ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing Required Header for SSO Validation");
- }
- } else {
- ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing Required Header for PreAuth SSO Federation");
- }
- }
-
- /* (non-Javadoc)
- * @see javax.servlet.Filter#destroy()
- */
- @Override
- public void destroy() {
- // TODO Auto-generated method stub
-
- }
-
- /**
- * Recreate the current Subject based upon the provided mappedPrincipal
- * and look for the groups that should be associated with the new Subject.
- * Upon finding groups mapped to the principal - add them to the new Subject.
- * @param mappedPrincipalName
- * @throws ServletException
- * @throws IOException
- */
- protected void continueChainAsPrincipal(final ServletRequest request, final ServletResponse response,
- final FilterChain chain, String principal) throws IOException, ServletException {
- Subject subject = null;
- Principal primaryPrincipal = null;
-
- // do some check to ensure that the extracted identity matches any existing security context
- // if not, there is may be someone tampering with the request - consult config to determine
- // how we are to handle it
-
- // TODO: make sure that this makes sense with existing sessions or lack thereof
- Subject currentSubject = Subject.getSubject(AccessController.getContext());
- if (currentSubject != null) {
- primaryPrincipal = (PrimaryPrincipal) currentSubject.getPrincipals(PrimaryPrincipal.class).toArray()[0];
- if (primaryPrincipal != null) {
- if (!primaryPrincipal.getName().equals(principal)) {
- }
- }
- }
-
- subject = new Subject();
- subject.getPrincipals().add(primaryPrincipal);
- doAs(request, response, chain, subject);
- }
-
- private void doAs(final ServletRequest request,
- final ServletResponse response, final FilterChain chain, Subject subject)
- throws IOException, ServletException {
- try {
- Subject.doAs(
- subject,
- new PrivilegedExceptionAction<Object>() {
- public Object run() throws Exception {
- doFilterInternal(request, response, chain);
- return null;
- }
- }
- );
- } catch (PrivilegedActionException e) {
- Throwable t = e.getCause();
- if (t instanceof IOException) {
- throw (IOException) t;
- } else if (t instanceof ServletException) {
- throw (ServletException) t;
- } else {
- throw new ServletException(t);
- }
- }
- }
-
- private void doFilterInternal(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
- chain.doFilter(request, response);
- }
-
-}
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthService.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthService.java
deleted file mode 100644
index e1d9751..0000000
--- a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthService.java
+++ /dev/null
@@ -1,106 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.preauth.filter;
-
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.base.Strings;
-
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import java.util.ArrayList;
-import java.util.LinkedHashSet;
-import java.util.List;
-import java.util.Set;
-import java.util.Collections;
-import java.util.ServiceLoader;
-import java.util.Iterator;
-import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
-
-/**
- * This class manages few utility methods used across different classes of pre-auth module
- * @since 0.12
- */
-public class PreAuthService {
-
- public static final String VALIDATION_METHOD_PARAM = "preauth.validation.method";
- private static ConcurrentHashMap<String, PreAuthValidator> validatorMap;
-
- static {
- initializeValidators();
- }
-
-
- private static void initializeValidators() {
- ServiceLoader<PreAuthValidator> servLoader = ServiceLoader.load(PreAuthValidator.class);
- validatorMap = new ConcurrentHashMap<>();
- for (Iterator<PreAuthValidator> iterator = servLoader.iterator(); iterator.hasNext(); ) {
- PreAuthValidator validator = iterator.next();
- validatorMap.put(validator.getName(), validator);
- }
- }
-
- @VisibleForTesting
- public static Map<String, PreAuthValidator> getValidatorMap() {
- return Collections.unmodifiableMap(validatorMap);
- }
-
- /**
- * This method returns appropriate pre-auth Validator as defined in config
- *
- * @since 0.12
- * @param filterConfig
- * @return List<PreAuthValidator>
- * @throws ServletException
- */
- public static List<PreAuthValidator> getValidators(FilterConfig filterConfig) throws ServletException {
- String validationMethods = filterConfig.getInitParameter(VALIDATION_METHOD_PARAM);
- List<PreAuthValidator> vList = new ArrayList<>();
- if (Strings.isNullOrEmpty(validationMethods)) {
- validationMethods = DefaultValidator.DEFAULT_VALIDATION_METHOD_VALUE;
- }
- Set<String> vMethodSet = new LinkedHashSet<>();
- Collections.addAll(vMethodSet, validationMethods.trim().split("\\s*,\\s*"));
- for (String vName : vMethodSet) {
- if (validatorMap.containsKey(vName)) {
- vList.add(validatorMap.get(vName));
- } else {
- throw new ServletException(String.format("Unable to find validator with name '%s'", validationMethods));
- }
- }
- return vList;
- }
-
- public static boolean validate(HttpServletRequest httpRequest, FilterConfig filterConfig, List<PreAuthValidator>
- validators) {
- try {
- for (PreAuthValidator validator : validators) {
- //Any one validator fails, it will fail the request. loginal AND behavior
- if (!validator.validate(httpRequest, filterConfig)) {
- return false;
- }
- }
- } catch (PreAuthValidationException e) {
- // TODO log exception
- return false;
- }
- return true;
- }
-
-}
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidationException.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidationException.java
deleted file mode 100644
index e643033..0000000
--- a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidationException.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.preauth.filter;
-
-/**
- * @author larry
- *
- */
-public class PreAuthValidationException extends Exception {
- PreAuthValidationException(String message) {
- super(message);
- }
-
- PreAuthValidationException(String message, Exception e) {
- super(message, e);
- }
-}
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidator.java b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidator.java
deleted file mode 100644
index 5819801..0000000
--- a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidator.java
+++ /dev/null
@@ -1,42 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.gateway.preauth.filter;
-
-import javax.servlet.FilterConfig;
-import javax.servlet.http.HttpServletRequest;
-
-/**
- *
- */
-public interface PreAuthValidator {
- /**
- * @param httpRequest
- * @param filterConfig
- * @return true if validated, otherwise false
- * @throws PreAuthValidationException
- */
- public abstract boolean validate(HttpServletRequest httpRequest, FilterConfig filterConfig) throws
- PreAuthValidationException;
-
- /**
- * Return unique validator name
- *
- * @return name of validator
- */
- public abstract String getName();
-}
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/PreAuthMessages.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/PreAuthMessages.java b/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/PreAuthMessages.java
new file mode 100644
index 0000000..dfe4ca9
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/PreAuthMessages.java
@@ -0,0 +1,24 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.preauth;
+
+import org.apache.knox.gateway.i18n.messages.Messages;
+
+@Messages(logger="org.apache.hadoop.gateway.provider.global.csrf")
+public interface PreAuthMessages {
+}
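Review bot: The `@Messages(logger="org.apache.hadoop.gateway.provider.global.csrf")` annotation on the new `PreAuthMessages` interface still names the old `org.apache.hadoop` namespace and the csrf provider, so anything emitted through this interface would be categorised under the csrf logger rather than this provider, and the rest of this commit moves the package to `org.apache.knox.gateway.preauth`. If the old value is kept deliberately for log-configuration compatibility, say so in a comment above the annotation; otherwise align the logger name with the new package, e.g. `@Messages(logger="org.apache.knox.gateway.preauth")`. The interface is otherwise empty, so there is nothing else to check here.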
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/deploy/HeaderPreAuthContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/deploy/HeaderPreAuthContributor.java b/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/deploy/HeaderPreAuthContributor.java
new file mode 100644
index 0000000..2a5cebd
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/deploy/HeaderPreAuthContributor.java
@@ -0,0 +1,66 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.preauth.deploy;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+
+import org.apache.knox.gateway.deploy.DeploymentContext;
+import org.apache.knox.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.knox.gateway.descriptor.FilterParamDescriptor;
+import org.apache.knox.gateway.descriptor.ResourceDescriptor;
+import org.apache.knox.gateway.topology.Provider;
+import org.apache.knox.gateway.topology.Service;
+
+public class HeaderPreAuthContributor extends
+ ProviderDeploymentContributorBase {
+ private static final String ROLE = "federation";
+ private static final String NAME = "HeaderPreAuth";
+ private static final String PREAUTH_FILTER_CLASSNAME = "HeaderPreAuthFederationFilter";
+
+ @Override
+ public String getRole() {
+ return ROLE;
+ }
+
+ @Override
+ public String getName() {
+ return NAME;
+ }
+
+ @Override
+ public void initializeContribution(DeploymentContext context) {
+ super.initializeContribution(context);
+ }
+
+ @Override
+ public void contributeFilter(DeploymentContext context, Provider provider, Service service,
+ ResourceDescriptor resource, List<FilterParamDescriptor> params) {
+ // blindly add all the provider params as filter init params
+ if (params == null) {
+ params = new ArrayList<FilterParamDescriptor>();
+ }
+ Map<String, String> providerParams = provider.getParams();
+ for(Entry<String, String> entry : providerParams.entrySet()) {
+ params.add( resource.createFilterParam().name( entry.getKey().toLowerCase() ).value( entry.getValue() ) );
+ }
+ resource.addFilter().name( getName() ).role( getRole() ).impl( PREAUTH_FILTER_CLASSNAME ).params( params );
+ }
+}
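Review bot: The `initializeContribution` override only calls `super.initializeContribution(context)` and can be removed; it adds no behaviour and invites the assumption that something provider-specific happens there. In `contributeFilter`, every provider param is copied to a filter init param with its key lower-cased, so two provider params whose keys differ only in case produce two filter params with the same name, and which one the filter later sees is not visible here; the comment on the loop should spell that out, e.g. `// provider param keys are lower-cased; keys differing only in case collide`, or the loop should reject duplicates. Minor: `new ArrayList<FilterParamDescriptor>()` can be `new ArrayList<>()`, matching the generics style of the other new files.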
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/AbstractPreAuthFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/AbstractPreAuthFederationFilter.java b/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/AbstractPreAuthFederationFilter.java
new file mode 100644
index 0000000..66ee586
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/AbstractPreAuthFederationFilter.java
@@ -0,0 +1,144 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.preauth.filter;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.List;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.google.common.annotations.VisibleForTesting;
+
+import org.apache.knox.gateway.audit.api.Action;
+import org.apache.knox.gateway.audit.api.ActionOutcome;
+import org.apache.knox.gateway.audit.api.AuditService;
+import org.apache.knox.gateway.audit.api.AuditServiceFactory;
+import org.apache.knox.gateway.audit.api.Auditor;
+import org.apache.knox.gateway.audit.api.ResourceType;
+import org.apache.knox.gateway.audit.log4j.audit.AuditConstants;
+import org.apache.knox.gateway.filter.AbstractGatewayFilter;
+import org.apache.knox.gateway.security.PrimaryPrincipal;
+
+/**
+ *
+ */
+public abstract class AbstractPreAuthFederationFilter implements Filter {
+
+ private List<PreAuthValidator> validators = null;
+ private FilterConfig filterConfig;
+ private static AuditService auditService = AuditServiceFactory.getAuditService();
+ private static Auditor auditor = auditService.getAuditor(
+ AuditConstants.DEFAULT_AUDITOR_NAME, AuditConstants.KNOX_SERVICE_NAME,
+ AuditConstants.KNOX_COMPONENT_NAME );
+
+ /**
+ *
+ */
+ public AbstractPreAuthFederationFilter() {
+ super();
+ }
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ this.filterConfig = filterConfig;
+ validators = PreAuthService.getValidators(filterConfig);
+ }
+
+ @VisibleForTesting
+ public List<PreAuthValidator> getValidators() {
+ return validators;
+ }
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+ throws IOException, ServletException {
+ HttpServletRequest httpRequest = (HttpServletRequest)request;
+ String principal = getPrimaryPrincipal(httpRequest);
+ if (principal != null) {
+ if (PreAuthService.validate(httpRequest, filterConfig, validators)) {
+ Subject subject = new Subject();
+ subject.getPrincipals().add(new PrimaryPrincipal(principal));
+ addGroupPrincipals(httpRequest, subject.getPrincipals());
+ auditService.getContext().setUsername( principal ); //KM: Audit Fix
+ String sourceUri = (String)request.getAttribute( AbstractGatewayFilter.SOURCE_REQUEST_CONTEXT_URL_ATTRIBUTE_NAME );
+ auditor.audit( Action.AUTHENTICATION , sourceUri, ResourceType.URI, ActionOutcome.SUCCESS );
+ doAs(httpRequest, response, chain, subject);
+ }
+ else {
+ // TODO: log preauthenticated SSO validation failure
+ ((HttpServletResponse)response).sendError(HttpServletResponse.SC_FORBIDDEN, "SSO Validation Failure.");
+ }
+ }
+ else {
+ ((HttpServletResponse)response).sendError(HttpServletResponse.SC_FORBIDDEN, "Missing Required Header for PreAuth SSO Federation");
+ }
+ }
+
+ @Override
+ public void destroy() {
+ }
+
+ private void doAs(final ServletRequest request, final ServletResponse response, final FilterChain chain, Subject subject)
+ throws IOException, ServletException {
+ try {
+ Subject.doAs(
+ subject,
+ new PrivilegedExceptionAction<Object>() {
+ public Object run() throws Exception {
+ chain.doFilter(request, response);
+ return null;
+ }
+ }
+ );
+ }
+ catch (PrivilegedActionException e) {
+ Throwable t = e.getCause();
+ if (t instanceof IOException) {
+ throw (IOException) t;
+ }
+ else if (t instanceof ServletException) {
+ throw (ServletException) t;
+ }
+ else {
+ throw new ServletException(t);
+ }
+ }
+ }
+
+ /**
+ * @param httpRequest
+ */
+ abstract protected String getPrimaryPrincipal(HttpServletRequest httpRequest);
+
+ /**
+ * @param principals
+ */
+ abstract protected void addGroupPrincipals(HttpServletRequest request, Set<Principal> principals);
+}
\ No newline at end of file
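Review bot: Both rejection paths in `doFilter` (validation failure and missing header) send a 403 without writing an audit event, whereas the accepted path records `Action.AUTHENTICATION` with `ActionOutcome.SUCCESS`; a rejected pre-auth assertion is precisely the event an operator needs in the audit trail, and the `// TODO: log preauthenticated SSO validation failure` comment leaves it open. Compute `sourceUri` before the `if (principal != null)` branch and add `auditor.audit( Action.AUTHENTICATION, sourceUri, ResourceType.URI, ActionOutcome.FAILURE );` ahead of each `sendError` call. The empty Javadoc on the class and constructor and the bare `@param` stubs on the two abstract methods should state the contract the subclasses must meet: `getPrimaryPrincipal` returns the asserted user identity or `null` when the request carries none, and `addGroupPrincipals` adds any asserted group identities to `principals`. The file also lacks a trailing newline.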
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/DefaultValidator.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/DefaultValidator.java b/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/DefaultValidator.java
new file mode 100644
index 0000000..a51d540
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/DefaultValidator.java
@@ -0,0 +1,56 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.preauth.filter;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * @since 0.12
+ * This class implements the default Validator where really no validation is performed.
+ * TODO: log the fact that there is no verification going on to validate
+ * + who is asserting the identity with the a header. Without some validation
+ * + we are assuming the network security is the primary protection method.
+ */
+public class DefaultValidator implements PreAuthValidator {
+ public static final String DEFAULT_VALIDATION_METHOD_VALUE = "preauth.default.validation";
+
+ public DefaultValidator() {
+ }
+
+ /**
+ * @param httpRequest
+ * @param filterConfig
+ * @return true if validated, otherwise false
+ * @throws PreAuthValidationException
+ */
+ @Override
+ public boolean validate(HttpServletRequest httpRequest, FilterConfig filterConfig) throws PreAuthValidationException {
+ return true;
+ }
+
+ /**
+ * Return unique validator name
+ *
+ * @return name of validator
+ */
+ @Override
+ public String getName() {
+ return DEFAULT_VALIDATION_METHOD_VALUE;
+ }
+}
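Review bot: The class Javadoc places `@since 0.12` before the description, so the Javadoc tool treats the following sentences as the text of the `@since` tag rather than as the class summary; move the tag below the description. That description also carries the only statement of the trust model as a TODO, while `validate` returns `true` unconditionally, so the assumption should be the first sentence rather than an aside, e.g. `Default validator that performs no validation of the asserted identity; it relies entirely on network-level controls ensuring that only a trusted proxy can reach the gateway.` The TODO itself (logging once that no validation is in effect) is not addressed by this commit and is worth tracking, since nothing in the new code tells an operator that this validator was selected.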
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/HeaderPreAuthFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/HeaderPreAuthFederationFilter.java b/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/HeaderPreAuthFederationFilter.java
new file mode 100644
index 0000000..eb16ab9
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/HeaderPreAuthFederationFilter.java
@@ -0,0 +1,71 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.preauth.filter;
+
+import java.security.Principal;
+import java.util.Set;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.knox.gateway.security.GroupPrincipal;
+
+public class HeaderPreAuthFederationFilter extends AbstractPreAuthFederationFilter {
+ static final String CUSTOM_HEADER_PARAM = "preauth.custom.header";
+ static final String CUSTOM_GROUP_HEADER_PARAM = "preauth.custom.group.header";
+ String headerName = "SM_USER";
+ String groupHeaderName = null;
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ super.init(filterConfig);
+ String customHeader = filterConfig.getInitParameter(CUSTOM_HEADER_PARAM);
+ if (customHeader != null) {
+ headerName = customHeader;
+ }
+ String customGroupHeader = filterConfig.getInitParameter(CUSTOM_GROUP_HEADER_PARAM);
+ if (customGroupHeader != null) {
+ groupHeaderName = customGroupHeader;
+ }
+ }
+
+ /**
+ * @param httpRequest
+ */
+ @Override
+ protected String getPrimaryPrincipal(HttpServletRequest httpRequest) {
+ return httpRequest.getHeader(headerName);
+ }
+
+ /**
+ * @param principals
+ */
+ @Override
+ protected void addGroupPrincipals(HttpServletRequest request, Set<Principal> principals) {
+ if (groupHeaderName != null) {
+ String headers = request.getHeader(groupHeaderName);
+ if (headers != null) {
+ String[] groups = headers.split(",");
+ for (int i = 0; i < groups.length; i++) {
+ principals.add(new GroupPrincipal(groups[i]));
+ }
+ }
+ }
+ }
+}
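Review bot: `addGroupPrincipals` splits the group header on `,` without trimming, so a value such as `a, b` produces a `GroupPrincipal` named ` b` with a leading space, and an empty value or trailing comma produces a group principal with an empty name; trim each token and skip blank ones before `principals.add(new GroupPrincipal(...))`. Likewise `getPrimaryPrincipal` returns the raw header, so a header that is present but empty passes the `principal != null` check in the abstract filter and becomes an empty username; returning `null` for a blank value would send it to the existing 403 path instead. `headerName` and `groupHeaderName` are package-private mutable fields with no comment; if they are exposed for tests, an `@VisibleForTesting` accessor (as used in the abstract filter) makes that explicit, otherwise they can be `private`.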
http://git-wip-us.apache.org/repos/asf/knox/blob/af9b0c3d/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/IPValidator.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/IPValidator.java b/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/IPValidator.java
new file mode 100644
index 0000000..d0c9e5d
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/knox/gateway/preauth/filter/IPValidator.java
@@ -0,0 +1,58 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.preauth.filter;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.knox.gateway.util.IpAddressValidator;
+
+/**
+ *
+ */
+public class IPValidator implements PreAuthValidator {
+ public static final String IP_ADDRESSES_PARAM = "preauth.ip.addresses";
+ public static final String IP_VALIDATION_METHOD_VALUE = "preauth.ip.validation";
+
+ public IPValidator() {
+ }
+
+ /**
+ * @param httpRequest
+ * @param filterConfig
+ * @return true if validated, otherwise false
+ * @throws PreAuthValidationException
+ */
+ @Override
+ public boolean validate(HttpServletRequest httpRequest, FilterConfig filterConfig)
+ throws PreAuthValidationException {
+ String ipParam = filterConfig.getInitParameter(IP_ADDRESSES_PARAM);
+ IpAddressValidator ipv = new IpAddressValidator(ipParam);
+ return ipv.validateIpAddress(httpRequest.getRemoteAddr());
+ }
+
+ /**
+ * Return unique validator name
+ *
+ * @return name of validator
+ */
+ @Override
+ public String getName() {
+ return IP_VALIDATION_METHOD_VALUE;
+ }
+}
\ No newline at end of file
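Review bot: `validate` reads `preauth.ip.addresses` and constructs a new `IpAddressValidator` on every request even though the init parameter is fixed once the filter is deployed; the `PreAuthValidator` interface offers no init hook, so caching would need to be added deliberately, but the per-request parsing is worth noting in a comment until then. The check is based on `httpRequest.getRemoteAddr()`, which is the address of the immediate TCP peer, so when the gateway sits behind a load balancer or reverse proxy the configured list must contain the proxy's address rather than the client's; the method Javadoc currently only repeats the interface stubs and should say this, e.g. `Validates the immediate peer address (getRemoteAddr), not any forwarded client address, against preauth.ip.addresses.` How `IpAddressValidator` treats a null `ipParam` (parameter unset) is not visible here and should also be documented on `validate`. The file lacks a trailing newline.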