Posted to commits@atlas.apache.org by kb...@apache.org on 2019/11/05 08:00:21 UTC
[atlas] branch master updated: ATLAS-3490: Added headers in atlas
api
This is an automated email from the ASF dual-hosted git repository.
kbhatt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/atlas.git
The following commit(s) were added to refs/heads/master by this push:
new 9115e7d ATLAS-3490: Added headers in atlas api
9115e7d is described below
commit 9115e7d2da68a4d05d63415c6e691740c1cabed3
Author: Mandar Ambawane <ma...@freestoneinfotech.com>
AuthorDate: Mon Nov 4 19:50:06 2019 +0530
ATLAS-3490: Added headers in atlas api
Signed-off-by: kevalbhatt <kb...@apache.org>
---
.../web/filters/AtlasAuthenticationFilter.java | 8 +--
.../web/filters/AtlasCSRFPreventionFilter.java | 2 +-
.../atlas/web/filters/AtlasHeaderFilter.java | 49 ++++++++++++++++
.../filters/AtlasKnoxSSOAuthenticationFilter.java | 12 ++--
.../org/apache/atlas/web/filters/HeadersUtil.java | 68 ++++++++++++++++++++++
.../atlas/web/security/AtlasSecurityConfig.java | 15 ++---
webapp/src/main/webapp/WEB-INF/web.xml | 15 +++++
7 files changed, 145 insertions(+), 24 deletions(-)
diff --git a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
index f56aeb4..d9b1c82 100644
--- a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
+++ b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java
@@ -333,10 +333,10 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter {
HttpServletResponse httpResponse = (HttpServletResponse) response;
AtlasResponseRequestWrapper responseWrapper = new AtlasResponseRequestWrapper(httpResponse);
- responseWrapper.setHeader("X-Frame-Options", "DENY");
- responseWrapper.setHeader("X-Content-Type-Options", "nosniff");
- responseWrapper.setHeader("X-XSS-Protection", "1; mode=block");
- responseWrapper.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
+ HeadersUtil.setHeaderMapAttributes(responseWrapper, HeadersUtil.X_FRAME_OPTIONS_KEY);
+ HeadersUtil.setHeaderMapAttributes(responseWrapper, HeadersUtil.X_CONTENT_TYPE_OPTIONS_KEY);
+ HeadersUtil.setHeaderMapAttributes(responseWrapper, HeadersUtil.X_XSS_PROTECTION_KEY);
+ HeadersUtil.setHeaderMapAttributes(responseWrapper, HeadersUtil.STRICT_TRANSPORT_SEC_KEY);
if (headerProperties != null) {
for (String headerKey : headerProperties.stringPropertyNames()) {
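Review bot: The four `HeadersUtil.setHeaderMapAttributes(...)` calls replace literal header values with lookups in `HeadersUtil.headerMap`, but that static map is filled only in HeadersUtil's instance constructor, so if this filter handles a request before Spring has instantiated the `HeadersUtil` component, `headerMap.get(key)` returns null and `setHeader(key, null)` is what reaches the response — the removed literals could never be missing. The same dependency on bean creation order is introduced by the AtlasCSRFPreventionFilter and AtlasKnoxSSOAuthenticationFilter hunks of this commit. The fix belongs in HeadersUtil rather than here: populate the map in a `static` initializer so the lookup never depends on whether the component has been constructed. The enclosing method starts and ends outside this hunk.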
diff --git a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasCSRFPreventionFilter.java b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasCSRFPreventionFilter.java
index 277ac22..df3fce6 100644
--- a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasCSRFPreventionFilter.java
+++ b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasCSRFPreventionFilter.java
@@ -184,7 +184,7 @@ public class AtlasCSRFPreventionFilter implements Filter {
final HttpServletRequest httpRequest = (HttpServletRequest) request;
final HttpServletResponse httpResponse = (HttpServletResponse) response;
AtlasResponseRequestWrapper responseWrapper = new AtlasResponseRequestWrapper(httpResponse);
- responseWrapper.setHeader("X-Frame-Options", "DENY");
+ HeadersUtil.setHeaderMapAttributes(responseWrapper, HeadersUtil.X_FRAME_OPTIONS_KEY);
if (isCSRF_ENABLED){
handleHttpInteraction(new ServletFilterHttpInteraction(httpRequest, httpResponse, chain));
diff --git a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasHeaderFilter.java b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasHeaderFilter.java
new file mode 100644
index 0000000..fa7218c
--- /dev/null
+++ b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasHeaderFilter.java
@@ -0,0 +1,49 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.atlas.web.filters;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class AtlasHeaderFilter implements Filter {
+ private static final Logger LOG = LoggerFactory.getLogger(AtlasHeaderFilter.class);
+
+ @Override
+ public void init(FilterConfig filterConfig) {
+ }
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
+ throws IOException, ServletException {
+ setHeaders((HttpServletResponse) response);
+ filterChain.doFilter(request, response);
+ }
+
+ public void setHeaders(HttpServletResponse httpResponse) {
+ AtlasResponseRequestWrapper responseWrapper = new AtlasResponseRequestWrapper(httpResponse);
+ HeadersUtil.setSecurityHeaders(responseWrapper);
+ }
+
+ @Override
+ public void destroy() {
+ }
+}
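Review bot: `doFilter` casts `response` to `HttpServletResponse` unconditionally and the class carries no documentation of why it exists; web.xml maps it only to two HTTP URL patterns, so the cast is presumably safe, but a reader of this file cannot tell. A guard such as `if (response instanceof HttpServletResponse) { setHeaders((HttpServletResponse) response); }` keeps the filter harmless if it is ever mapped more widely, and a class Javadoc along the lines of `/** Writes the response headers from {@link HeadersUtil#headerMap}; mapped in web.xml to the admin endpoints that do not pass through the Spring Security header writers. */` records the intent — I take that to be the reason for the two mappings, please adjust if it differs. The `LOG` field is never used; either drop it or use it in the non-HTTP branch above. `setHeaders` is public although it is not part of `Filter`; make it private unless tests need it.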
diff --git a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasKnoxSSOAuthenticationFilter.java b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasKnoxSSOAuthenticationFilter.java
index 8bac8c6..1944a9f 100644
--- a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasKnoxSSOAuthenticationFilter.java
+++ b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasKnoxSSOAuthenticationFilter.java
@@ -28,7 +28,6 @@ import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;
import org.apache.atlas.ApplicationProperties;
import org.apache.atlas.web.security.AtlasAuthenticationProvider;
-import org.apache.atlas.web.util.Servlets;
import org.apache.commons.configuration.Configuration;
import org.apache.commons.lang.StringUtils;
import org.apache.http.client.utils.URIBuilder;
@@ -50,7 +49,6 @@ import javax.servlet.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import javax.ws.rs.core.UriBuilder;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
@@ -67,7 +65,6 @@ import java.util.List;
import java.util.HashMap;
import java.util.Map;
import java.util.Enumeration;
-import org.apache.commons.lang.StringUtils;
@Component("ssoAuthenticationFilter")
@@ -136,11 +133,10 @@ public class AtlasKnoxSSOAuthenticationFilter implements Filter {
HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
AtlasResponseRequestWrapper responseWrapper = new AtlasResponseRequestWrapper(httpResponse);
- responseWrapper.setHeader("X-Frame-Options", "DENY");
- responseWrapper.setHeader("X-Content-Type-Options", "nosniff");
- responseWrapper.setHeader("X-XSS-Protection", "1; mode=block");
- responseWrapper.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
-
+ HeadersUtil.setHeaderMapAttributes(responseWrapper, HeadersUtil.X_FRAME_OPTIONS_KEY);
+ HeadersUtil.setHeaderMapAttributes(responseWrapper, HeadersUtil.X_CONTENT_TYPE_OPTIONS_KEY);
+ HeadersUtil.setHeaderMapAttributes(responseWrapper, HeadersUtil.X_XSS_PROTECTION_KEY);
+ HeadersUtil.setHeaderMapAttributes(responseWrapper, HeadersUtil.STRICT_TRANSPORT_SEC_KEY);
if (!ssoEnabled) {
filterChain.doFilter(servletRequest, servletResponse);
diff --git a/webapp/src/main/java/org/apache/atlas/web/filters/HeadersUtil.java b/webapp/src/main/java/org/apache/atlas/web/filters/HeadersUtil.java
new file mode 100644
index 0000000..acae4f5
--- /dev/null
+++ b/webapp/src/main/java/org/apache/atlas/web/filters/HeadersUtil.java
@@ -0,0 +1,68 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.atlas.web.filters;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Component;
+
+import java.util.HashMap;
+import java.util.Map;
+
+@Component
+public class HeadersUtil {
+
+ private static final Logger LOG = LoggerFactory.getLogger(HeadersUtil.class);
+
+ public static final Map<String, String> headerMap = new HashMap<>();
+
+
+ public static final String X_FRAME_OPTIONS_KEY = "X-Frame-Options";
+ public static final String X_CONTENT_TYPE_OPTIONS_KEY = "X-Content-Type-Options";
+ public static final String X_XSS_PROTECTION_KEY = "X-XSS-Protection";
+ public static final String STRICT_TRANSPORT_SEC_KEY = "Strict-Transport-Security";
+ public static final String CONTENT_SEC_POLICY_KEY = "Content-Security-Policy";
+ public static final String SERVER_KEY = "Server";
+
+ public static final String X_FRAME_OPTIONS_VAL = "DENY";
+ public static final String X_CONTENT_TYPE_OPTIONS_VAL = "nosniff";
+ public static final String X_XSS_PROTECTION_VAL = "1; mode=block";
+ public static final String STRICT_TRANSPORT_SEC_VAL = "max-age=31536000; includeSubDomains";
+ public static final String CONTENT_SEC_POLICY_VAL = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data:; connect-src 'self'; img-src 'self' blob: data:; style-src 'self' 'unsafe-inline';font-src 'self' data:";
+ public static final String SERVER_VAL = "Apache Atlas";
+
+ HeadersUtil() {
+ headerMap.put(X_FRAME_OPTIONS_KEY, X_FRAME_OPTIONS_VAL);
+ headerMap.put(X_CONTENT_TYPE_OPTIONS_KEY, X_CONTENT_TYPE_OPTIONS_VAL);
+ headerMap.put(X_XSS_PROTECTION_KEY, X_XSS_PROTECTION_VAL);
+ headerMap.put(STRICT_TRANSPORT_SEC_KEY, STRICT_TRANSPORT_SEC_VAL);
+ headerMap.put(CONTENT_SEC_POLICY_KEY, CONTENT_SEC_POLICY_VAL);
+ headerMap.put(SERVER_KEY, SERVER_VAL);
+ }
+
+ public static void setHeaderMapAttributes(AtlasResponseRequestWrapper responseWrapper, String headerKey) {
+ responseWrapper.setHeader(headerKey, headerMap.get(headerKey));
+
+ }
+
+ public static void setSecurityHeaders(AtlasResponseRequestWrapper responseWrapper) {
+ for (Map.Entry<String, String> entry : headerMap.entrySet()) {
+ responseWrapper.setHeader(entry.getKey(), entry.getValue());
+ }
+ }
+}
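Review bot: `headerMap` is a public, mutable `HashMap` that any class on the classpath can rewrite (including the Content-Security-Policy and Strict-Transport-Security values), and it is populated by an instance constructor that runs only when Spring creates this `@Component`, so every static caller silently depends on bean creation order and `setHeaderMapAttributes` passes null to `setHeader` for any key that is not yet or not at all in the map. Build the map once in a static initializer, expose it read-only via `Collections.unmodifiableMap` (needs `java.util.Collections`), and reject unknown keys explicitly instead of writing a null header; with that, the constructor and the `@Component` annotation serve no purpose and the class can become a final utility class with a private constructor. The `LOG` field is unused as well. The rewritten parts are below; the constants and `setSecurityHeaders` are unchanged.
```java
// … unchanged: license header, package and imports …
public static final Map<String, String> headerMap;

// … unchanged: *_KEY and *_VAL constants …

// Populated at class-initialization time so callers never observe an empty
// or partially filled map, and published read-only so the configured values
// cannot be altered at runtime.
static {
    Map<String, String> headers = new HashMap<>();
    headers.put(X_FRAME_OPTIONS_KEY, X_FRAME_OPTIONS_VAL);
    headers.put(X_CONTENT_TYPE_OPTIONS_KEY, X_CONTENT_TYPE_OPTIONS_VAL);
    headers.put(X_XSS_PROTECTION_KEY, X_XSS_PROTECTION_VAL);
    headers.put(STRICT_TRANSPORT_SEC_KEY, STRICT_TRANSPORT_SEC_VAL);
    headers.put(CONTENT_SEC_POLICY_KEY, CONTENT_SEC_POLICY_VAL);
    headers.put(SERVER_KEY, SERVER_VAL);
    headerMap = Collections.unmodifiableMap(headers);
}

/**
 * Writes the configured value of {@code headerKey} to the response.
 *
 * @throws IllegalArgumentException if {@code headerKey} has no configured value
 */
public static void setHeaderMapAttributes(AtlasResponseRequestWrapper responseWrapper, String headerKey) {
    String value = headerMap.get(headerKey);
    if (value == null) {
        throw new IllegalArgumentException("No configured value for header: " + headerKey);
    }
    responseWrapper.setHeader(headerKey, value);
}

// … unchanged: setSecurityHeaders …
```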
diff --git a/webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java b/webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java
index 0b1bbd8..c3565d4 100644
--- a/webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java
+++ b/webapp/src/main/java/org/apache/atlas/web/security/AtlasSecurityConfig.java
@@ -17,12 +17,7 @@
*/
package org.apache.atlas.web.security;
-import org.apache.atlas.web.filters.ActiveServerFilter;
-import org.apache.atlas.web.filters.AtlasAuthenticationEntryPoint;
-import org.apache.atlas.web.filters.AtlasAuthenticationFilter;
-import org.apache.atlas.web.filters.AtlasCSRFPreventionFilter;
-import org.apache.atlas.web.filters.AtlasKnoxSSOAuthenticationFilter;
-import org.apache.atlas.web.filters.StaleTransactionCleanupFilter;
+import org.apache.atlas.web.filters.*;
import org.apache.commons.configuration.Configuration;
import org.apache.commons.lang.StringUtils;
import org.keycloak.adapters.AdapterDeploymentContext;
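Review bot: `import org.apache.atlas.web.filters.*;` replaces six explicit imports with a wildcard, although every other import in this file is explicit and the only new name the change needs is `HeadersUtil`. Adding `import org.apache.atlas.web.filters.HeadersUtil;` to the existing list is the smaller and more conventional edit. A wildcard also hides which filters this configuration depends on and can pick up a simple-name collision silently if another class in `filters` later shares a name with one of the Keycloak or Spring types imported below.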
@@ -33,9 +28,7 @@ import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.springsecurity.AdapterDeploymentContextFactoryBean;
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint;
-import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler;
-import org.keycloak.adapters.springsecurity.config.KeycloakSpringConfigResolverWrapper;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticatedActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
@@ -192,9 +185,9 @@ public class AtlasSecurityConfig extends WebSecurityConfigurerAdapter {
.authorizeRequests().anyRequest().authenticated()
.and()
.headers()
- .addHeaderWriter(new StaticHeadersWriter("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data:; connect-src 'self'; img-src 'self' blob: data:; style-src 'self' 'unsafe-inline';font-src 'self' data:"))
- .addHeaderWriter(new StaticHeadersWriter("Server","Apache Atlas"))
- .and()
+ .addHeaderWriter(new StaticHeadersWriter(HeadersUtil.CONTENT_SEC_POLICY_KEY, HeadersUtil.headerMap.get(HeadersUtil.CONTENT_SEC_POLICY_KEY)))
+ .addHeaderWriter(new StaticHeadersWriter(HeadersUtil.SERVER_KEY, HeadersUtil.headerMap.get(HeadersUtil.SERVER_KEY)))
+ .and()
.servletApi()
.and()
.csrf().disable()
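Review bot: `HeadersUtil.headerMap.get(HeadersUtil.CONTENT_SEC_POLICY_KEY)` is evaluated while this security configuration is being built, but the static map is populated only by HeadersUtil's instance constructor, so whether the `StaticHeadersWriter` receives the CSP string or null depends on Spring having already created the `HeadersUtil` bean — nothing here orders that. The values already exist as compile-time constants in the same class, so read them directly: `.addHeaderWriter(new StaticHeadersWriter(HeadersUtil.CONTENT_SEC_POLICY_KEY, HeadersUtil.CONTENT_SEC_POLICY_VAL))` and `.addHeaderWriter(new StaticHeadersWriter(HeadersUtil.SERVER_KEY, HeadersUtil.SERVER_VAL))`. The enclosing method starts and ends outside this hunk.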
diff --git a/webapp/src/main/webapp/WEB-INF/web.xml b/webapp/src/main/webapp/WEB-INF/web.xml
index 8f3f175..2595a15 100755
--- a/webapp/src/main/webapp/WEB-INF/web.xml
+++ b/webapp/src/main/webapp/WEB-INF/web.xml
@@ -81,6 +81,21 @@
<url-pattern>/*</url-pattern>
</filter-mapping>
+ <filter>
+ <filter-name>HeaderFilter</filter-name>
+ <filter-class>org.apache.atlas.web.filters.AtlasHeaderFilter</filter-class>
+ </filter>
+
+ <filter-mapping>
+ <filter-name>HeaderFilter</filter-name>
+ <url-pattern>/api/atlas/admin/metrics</url-pattern>
+ </filter-mapping>
+
+ <filter-mapping>
+ <filter-name>HeaderFilter</filter-name>
+ <url-pattern>/api/atlas/admin/status</url-pattern>
+ </filter-mapping>
+
<listener>
<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
</listener>
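Review bot: The two `HeaderFilter` mappings single out `/api/atlas/admin/metrics` and `/api/atlas/admin/status` without recording why; presumably these are the endpoints served outside the Spring Security chain whose header writers cover the rest of the API, but a reader of web.xml cannot tell, and any further endpoint exposed the same way will lack the headers until someone remembers this list. Add a comment above the `<filter>` element, e.g. `<!-- AtlasHeaderFilter writes the security response headers for endpoints that bypass the Spring Security header writers; add a mapping here for any new such endpoint -->`, adjusting the stated reason if it differs. Note also that a `filter-mapping` without a `dispatcher` element applies to the REQUEST dispatcher only, so forwarded or error dispatches to these paths will not pass through the filter.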