Posted to commits@ranger.apache.org by sp...@apache.org on 2021/12/01 22:33:03 UTC

[ranger] branch master updated: RANGER-3468: Fixed an issue where inactivity timeout request is not handled properly when the requested sessionid is invalid

This is an automated email from the ASF dual-hosted git repository.

spolavarapu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 6678ef7  RANGER-3468: Fixed an issue where inactivity timeout request is not handled properly when the requested sessionid is invalid
6678ef7 is described below

commit 6678ef77438d1289e0ade0cc2e7652a6bd836621
Author: Sailaja Polavarapu <sp...@cloudera.com>
AuthorDate: Wed Dec 1 14:32:40 2021 -0800

    RANGER-3468: Fixed an issue where inactivity timeout request is not handled properly when the requested sessionid is invalid
---
 .../web/filter/RangerKRBAuthenticationFilter.java  | 63 +++++++++++++---------
 1 file changed, 39 insertions(+), 24 deletions(-)

diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
index c0ff06e..2d3308b 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
@@ -394,11 +394,21 @@ public class RangerKRBAuthenticationFilter extends RangerKrbFilter {
 				}
 			}else{
 				try{
-					super.doFilter(request, response, filterChain);
+					if (LOG.isDebugEnabled()) {
+						LOG.debug("isSpnegoEnable = " + isSpnegoEnable(authtype) + " userName = " + userName + " request URL = " + getRequestURL(httpRequest));
+						if (existingAuth!=null) {
+							LOG.debug("isAuthenticated: " + existingAuth.isAuthenticated());
+						}
+					}
+					if (StringUtils.equals(httpRequest.getParameter("action"), RestUtil.TIMEOUT_ACTION)) {
+						handleTimeoutRequest(httpRequest, (HttpServletResponse) response);
+					} else {
+						super.doFilter(request, response, filterChain);
+					}
 				}catch(Exception e){
 					throw restErrorUtil.createRESTException("RangerKRBAuthenticationFilter Failed : "+e.getMessage());
-				}				
-			}	
+				}
+			}
 		} else {
 			String action = httpRequest.getParameter("action");
 			String doAsUser = request.getParameter("doAs");
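Review bot: The new `action` check in this `else` branch calls `handleTimeoutRequest` with none of the conditions that the trusted-proxy branch below applies (`allowTrustedProxy`, a non-empty `doAs`, `existingAuth.isAuthenticated()`). A request that has not passed `super.doFilter` can therefore be answered with a redirect built from request data. The condition selecting this branch is outside the hunk, so skipping SPNEGO may be intended for the invalid-session case; if so, say it at the call site, e.g. `// timeout request with an invalid session: skip SPNEGO, drop any session and redirect to logout`. If `RestUtil.constructForwardableURL` takes the host or scheme from forwarded headers (not visible here), this path should only trust them when `allowTrustedProxy` is set. The new debug line also concatenates `userName` and the request URL unsanitised, so stripping CR/LF from those values before logging would keep log entries intact.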
@@ -411,33 +421,38 @@ public class RangerKRBAuthenticationFilter extends RangerKrbFilter {
 			if (allowTrustedProxy && StringUtils.isNotEmpty(doAsUser) && existingAuth.isAuthenticated()
 					&& StringUtils.equals(action, RestUtil.TIMEOUT_ACTION)) {
 				HttpServletResponse httpResponse = (HttpServletResponse) response;
-				String xForwardedURL = RestUtil.constructForwardableURL(httpRequest);
-				if (LOG.isDebugEnabled()) {
-					LOG.debug("xForwardedURL = " + xForwardedURL);
-				}
-				String logoutUrl = xForwardedURL;
-				logoutUrl =  StringUtils.replace(logoutUrl, httpRequest.getRequestURI(), LOGOUT_URL);
-				if (LOG.isDebugEnabled()) {
-					LOG.debug("logoutUrl value is " + logoutUrl);
-				}
-				String redirectUrl = RestUtil.constructRedirectURL(httpRequest, logoutUrl, xForwardedURL, originalUrlQueryParam);
-
-				if (LOG.isDebugEnabled()) {
-					LOG.debug("Redirect URL = " + redirectUrl);
-					LOG.debug("session id = " + httpRequest.getRequestedSessionId());
-				}
-
-				HttpSession httpSession = httpRequest.getSession(false);
-				if (httpSession != null) {
-					httpSession.invalidate();
-				}
-				httpResponse.sendRedirect(redirectUrl);
+				handleTimeoutRequest(httpRequest, httpResponse);
 			} else {
 				filterChain.doFilter(request, response);
 			}
 		}
 	}
 
+	private void handleTimeoutRequest(HttpServletRequest httpRequest, HttpServletResponse httpResponse) throws IOException{
+		String xForwardedURL = RestUtil.constructForwardableURL(httpRequest);
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("xForwardedURL = " + xForwardedURL);
+		}
+		String logoutUrl = xForwardedURL;
+		logoutUrl =  StringUtils.replace(logoutUrl, httpRequest.getRequestURI(), LOGOUT_URL);
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("logoutUrl value is " + logoutUrl);
+		}
+		String redirectUrl = RestUtil.constructRedirectURL(httpRequest, logoutUrl, xForwardedURL, originalUrlQueryParam);
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("Redirect URL = " + redirectUrl);
+			LOG.debug("session id = " + httpRequest.getRequestedSessionId());
+		}
+
+		HttpSession httpSession = httpRequest.getSession(false);
+		if (httpSession != null) {
+			httpSession.invalidate();
+		}
+		httpResponse.setHeader("Content-Type", "application/x-http-headers");
+		httpResponse.sendRedirect(redirectUrl);
+	}
+
 	private boolean isSpnegoEnable(String authType){
 		String principal = PropertiesUtil.getProperty(PRINCIPAL);
 		String keytabPath = PropertiesUtil.getProperty(KEYTAB);
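Review bot: `handleTimeoutRequest` logs `httpRequest.getRequestedSessionId()` at debug level, and after this change the helper is also reached from the branch that has not run `super.doFilter`. That value is the client-supplied session identifier and may still name a live session, so it is safer to log only its presence, e.g. `LOG.debug("requested session id present = " + (httpRequest.getRequestedSessionId() != null));`. The added `httpResponse.setHeader("Content-Type", "application/x-http-headers")` is the one behavioural change in the extracted code and has no explanation; a short comment should say which client behaviour it addresses. The helper would also benefit from a Javadoc stating that it invalidates the current session, if one exists, and redirects to the logout URL, and that callers must decide whether the request may reach it.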