Posted to commits@knox.apache.org by lm...@apache.org on 2017/05/20 17:38:12 UTC
knox git commit: KNOX-933 - PicketLink Provider must set Secure and
HTTPOnly flags on Cookie (Krishna Pandey via lmccay)
Repository: knox
Updated Branches:
refs/heads/master d0726a227 -> 8c1c94b9e
KNOX-933 - PicketLink Provider must set Secure and HTTPOnly flags on Cookie (Krishna Pandey via lmccay)
Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/8c1c94b9
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/8c1c94b9
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/8c1c94b9
Branch: refs/heads/master
Commit: 8c1c94b9e81d5a624075448be75702ffa08e40c5
Parents: d0726a2
Author: Larry McCay <lm...@hortonworks.com>
Authored: Sat May 20 13:37:07 2017 -0400
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Sat May 20 13:37:07 2017 -0400
----------------------------------------------------------------------
.../gateway/picketlink/PicketlinkMessages.java | 3 +++
.../filter/CaptureOriginalURLFilter.java | 19 +++++++++++++++++--
2 files changed, 20 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/8c1c94b9/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/PicketlinkMessages.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/PicketlinkMessages.java b/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/PicketlinkMessages.java
index d60d5b3..c49030f 100644
--- a/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/PicketlinkMessages.java
+++ b/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/PicketlinkMessages.java
@@ -31,6 +31,9 @@ public interface PicketlinkMessages {
@Message( level = MessageLevel.DEBUG, text = "setting cookie for original-url")
public void settingCookieForOriginalURL();
+ @Message( level = MessageLevel.DEBUG, text = "Secure Flag is set to False for cookie")
+ public void secureFlagFalseForCookie();
+
@Message( level = MessageLevel.ERROR, text = "Unable to get the gateway identity passphrase: {0}")
public void unableToGetGatewayIdentityPassphrase(@StackTrace( level = MessageLevel.DEBUG) Exception e);
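Review bot: The new `secureFlagFalseForCookie` message is declared at DEBUG, yet it reports that an operator has switched the Secure flag off on the `original-url` cookie, a security-relevant configuration choice that will be invisible at default log levels; `@Message( level = MessageLevel.WARN, text = "Secure flag is disabled for the original-url cookie")` would surface it without requiring debug logging. Naming the cookie in the text also makes the entry searchable, since the current wording does not say which cookie is affected. The PicketlinkMessages interface continues outside the hunk.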
http://git-wip-us.apache.org/repos/asf/knox/blob/8c1c94b9/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/filter/CaptureOriginalURLFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/filter/CaptureOriginalURLFilter.java b/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/filter/CaptureOriginalURLFilter.java
index 540a81a..66da6c4 100644
--- a/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/filter/CaptureOriginalURLFilter.java
+++ b/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/filter/CaptureOriginalURLFilter.java
@@ -34,8 +34,10 @@ import java.io.IOException;
public class CaptureOriginalURLFilter implements Filter {
private static PicketlinkMessages log = MessagesFactory.get( PicketlinkMessages.class );
- private static final String COOKIE_PATH = "cookie.path";
+ private static final String COOKIE_PATH = "cookie.path";
+ private static final String COOKIE_SECURE = "cookie.secure";
private String cookiePath = null;
+ private String cookieSecure = null;
@Override
public void init( FilterConfig filterConfig ) throws ServletException {
@@ -43,6 +45,10 @@ public class CaptureOriginalURLFilter implements Filter {
if (cookiePath == null) {
cookiePath = "/gateway/idp/knoxsso/api/v1/websso";
}
+ cookieSecure = filterConfig.getInitParameter(COOKIE_SECURE);
+ if (cookieSecure == null) {
+ cookieSecure = "true";
+ }
}
@Override
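Review bot: The new `cookie.secure` handling stores the init-param as a raw string and defaults it to the literal "true", but nothing documents that only the exact value "false" disables the Secure flag (the comparison lives in addCookie, not here), so a reader of init cannot tell which values are accepted. A one-line comment above the new block would fix that: `// cookie.secure: the Secure flag stays on unless the init-param is exactly "false" (fail-closed)`. init's body starts outside the hunk.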
@@ -63,10 +69,19 @@ public class CaptureOriginalURLFilter implements Filter {
public void destroy() {
}
-
+
private void addCookie(ServletResponse servletResponse, String original) {
Cookie c = new Cookie("original-url", original);
c.setPath(cookiePath);
+ c.setHttpOnly(true);
+ boolean secureOnly = true;
+ if (cookieSecure != null) {
+ secureOnly = ("false".equals(cookieSecure) ? false : true);
+ if (!secureOnly) {
+ log.secureFlagFalseForCookie();
+ }
+ }
+ c.setSecure(secureOnly);
c.setMaxAge(60);
((HttpServletResponse)servletResponse).addCookie(c);
}
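Review bot: The `cookieSecure != null` guard and the ternary added to addCookie are redundant: init always assigns the field (defaulting to "true"), and `"false".equals(cookieSecure) ? false : true` is just `!"false".equals(cookieSecure)`, so the eight new lines collapse to `c.setSecure(!"false".equals(cookieSecure));`. The log call for a disabled Secure flag is also emitted on every request that sets the cookie rather than once; resolving the string to a boolean and logging in init, where the parameter is read, keeps per-request code free of config parsing and avoids log noise. The comparison is case-sensitive, so a value such as `False` still leaves the flag on, which is the safe direction but worth stating in the filter's documentation.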