Posted to commits@knox.apache.org by lm...@apache.org on 2017/05/20 17:38:12 UTC

knox git commit: KNOX-933 - PicketLink Provider must set Secure and HTTPOnly flags on Cookie (Krishna Pandey via lmccay)

Repository: knox
Updated Branches:
  refs/heads/master d0726a227 -> 8c1c94b9e


KNOX-933 - PicketLink Provider must set Secure and HTTPOnly flags on Cookie (Krishna Pandey via lmccay)

Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/8c1c94b9
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/8c1c94b9
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/8c1c94b9

Branch: refs/heads/master
Commit: 8c1c94b9e81d5a624075448be75702ffa08e40c5
Parents: d0726a2
Author: Larry McCay <lm...@hortonworks.com>
Authored: Sat May 20 13:37:07 2017 -0400
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Sat May 20 13:37:07 2017 -0400

----------------------------------------------------------------------
 .../gateway/picketlink/PicketlinkMessages.java   |  3 +++
 .../filter/CaptureOriginalURLFilter.java         | 19 +++++++++++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/8c1c94b9/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/PicketlinkMessages.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/PicketlinkMessages.java b/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/PicketlinkMessages.java
index d60d5b3..c49030f 100644
--- a/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/PicketlinkMessages.java
+++ b/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/PicketlinkMessages.java
@@ -31,6 +31,9 @@ public interface PicketlinkMessages {
   @Message( level = MessageLevel.DEBUG, text = "setting cookie for original-url")
   public void settingCookieForOriginalURL();
 
+  @Message( level = MessageLevel.DEBUG, text = "Secure Flag is set to False for cookie")
+  public void secureFlagFalseForCookie();
+
   @Message( level = MessageLevel.ERROR, text = "Unable to get the gateway identity passphrase: {0}")
   public void unableToGetGatewayIdentityPassphrase(@StackTrace( level = MessageLevel.DEBUG) Exception e);
 
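Review bot: The new message on the added `@Message` line is logged at `MessageLevel.DEBUG`, which is easy to miss for an event that means the `original-url` cookie will be sent over plaintext; a deliberate weakening of a security default is the kind of thing operators expect to see at WARN in normal logs. The sibling `unableToGetGatewayIdentityPassphrase` message in the same hunk already uses a non-debug level for a security-relevant condition, so the interface has a precedent. I would change the annotation to `@Message( level = MessageLevel.WARN, text = "Secure Flag is set to False for cookie")`, and, if the message text is revised, name the cookie so the log line is actionable on its own.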

http://git-wip-us.apache.org/repos/asf/knox/blob/8c1c94b9/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/filter/CaptureOriginalURLFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/filter/CaptureOriginalURLFilter.java b/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/filter/CaptureOriginalURLFilter.java
index 540a81a..66da6c4 100644
--- a/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/filter/CaptureOriginalURLFilter.java
+++ b/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/filter/CaptureOriginalURLFilter.java
@@ -34,8 +34,10 @@ import java.io.IOException;
 
 public class CaptureOriginalURLFilter implements Filter {
   private static PicketlinkMessages log = MessagesFactory.get( PicketlinkMessages.class );
-  private static final String COOKIE_PATH = "cookie.path"; 
+  private static final String COOKIE_PATH = "cookie.path";
+  private static final String COOKIE_SECURE = "cookie.secure";
   private String cookiePath = null;
+  private String cookieSecure = null;
 
   @Override
   public void init( FilterConfig filterConfig ) throws ServletException {
@@ -43,6 +45,10 @@ public class CaptureOriginalURLFilter implements Filter {
     if (cookiePath == null) {
       cookiePath = "/gateway/idp/knoxsso/api/v1/websso";
     }
+    cookieSecure = filterConfig.getInitParameter(COOKIE_SECURE);
+    if (cookieSecure == null) {
+      cookieSecure = "true";
+    }
   }
 
   @Override
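Review bot: `init` defaults `cookieSecure` to `"true"` when the init parameter is absent, but the meaning of the string is only decided later in `addCookie`, so the "Secure flag is false" log fires on every response rather than once per filter instance. Since `cookie.secure` is deployment configuration that does not change between requests, the decision and the log belong here: evaluate the parameter once in `init` (e.g. `cookieSecure = filterConfig.getInitParameter(COOKIE_SECURE);` followed by a single `if ("false".equalsIgnoreCase(cookieSecure)) { log.secureFlagFalseForCookie(); }`) and let `addCookie` read the already-resolved value. The same pattern appears in the `addCookie` hunk below, where the `cookieSecure != null` guard is unreachable once this default is in place. The start of `init` is outside the hunk.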
@@ -63,10 +69,19 @@ public class CaptureOriginalURLFilter implements Filter {
   public void destroy() {
 
   }
-  
+
   private void addCookie(ServletResponse servletResponse, String original) {
     Cookie c = new Cookie("original-url", original);
     c.setPath(cookiePath);
+    c.setHttpOnly(true);
+    boolean secureOnly = true;
+    if (cookieSecure != null) {
+      secureOnly = ("false".equals(cookieSecure) ? false : true);
+      if (!secureOnly) {
+        log.secureFlagFalseForCookie();
+      }
+    }
+    c.setSecure(secureOnly);
     c.setMaxAge(60);
     ((HttpServletResponse)servletResponse).addCookie(c);
   }
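Review bot: The `boolean secureOnly = true; if (cookieSecure != null) { secureOnly = ("false".equals(cookieSecure) ? false : true); ... }` block in `addCookie` can be reduced to one expression, because `init` already guarantees `cookieSecure` is non-null and the ternary `? false : true` is just negation. A case-sensitive `equals` also means `"FALSE"` or `"False"` silently keeps the Secure flag on, which is fail-safe but surprising to an operator who set it; an explicit case-insensitive check makes the intent visible. I would replace the nine added lines with `boolean secureOnly = !"false".equalsIgnoreCase(cookieSecure);`, `if (!secureOnly) { log.secureFlagFalseForCookie(); }` and `c.setSecure(secureOnly);`, keeping `c.setHttpOnly(true)` as is.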