Posted to commits@oozie.apache.org by rk...@apache.org on 2013/02/27 00:45:24 UTC

svn commit: r1450534 - in /oozie/trunk: docs/src/site/twiki/ENG_Custom_Authentication.twiki login/src/main/java/org/apache/oozie/servlet/login/LoginServlet.java login/src/main/webapp/WEB-INF/web.xml release-log.txt

Author: rkanter
Date: Tue Feb 26 23:45:23 2013
New Revision: 1450534

URL: http://svn.apache.org/r1450534
Log:
OOZIE-1220 Make the login example cookie expire (rkanter)

Modified:
    oozie/trunk/docs/src/site/twiki/ENG_Custom_Authentication.twiki
    oozie/trunk/login/src/main/java/org/apache/oozie/servlet/login/LoginServlet.java
    oozie/trunk/login/src/main/webapp/WEB-INF/web.xml
    oozie/trunk/release-log.txt

Modified: oozie/trunk/docs/src/site/twiki/ENG_Custom_Authentication.twiki
URL: http://svn.apache.org/viewvc/oozie/trunk/docs/src/site/twiki/ENG_Custom_Authentication.twiki?rev=1450534&r1=1450533&r2=1450534&view=diff
==============================================================================
--- oozie/trunk/docs/src/site/twiki/ENG_Custom_Authentication.twiki (original)
+++ oozie/trunk/docs/src/site/twiki/ENG_Custom_Authentication.twiki Tue Feb 26 23:45:23 2013
@@ -238,10 +238,27 @@ included with a GET request will go, and
 The above value, which is the default, is a basic html page that has fields for the username and password and meets the previously
 stated requirements.
 
+The =oozie.web.login.auth= cookie will expire 3 minutes after being given to the user.  Once the user has been redirected back to
+the Oozie web console and given the AuthenticationToken, the =oozie.web.login.auth= cookie is no longer used.  If the
+AuthenticationToken expires but the user still has a valid =oozie.web.login.auth= cookie, the ExampleAltAuthenticationHandler will
+simply give out a new AuthenticationToken; the desired behavior is that the user is bounced back to the oozie-login.war server to
+re-authenticate, hence the very short lifetime of the =oozie.web.login.auth= cookie.  However, the expiration time of the cookie
+is configurable by changing the following parameter in the web.xml in the oozie-login.war file (or in the
+login/src/main/webapp/WEB-INF/ directory before building it).  It is given in seconds.  A positive value indicates that the cookie
+will expire after that many seconds have passed; make sure this value is high enough to allow the user to be forwarded to the
+backurl before the cookie expires.  A negative value indicates that the cookie will be deleted when the browser exits.
+<verbatim>
+    <init-param>
+        <param-name>login.auth.cookie.expire.time</param-name>
+        <param-value>180</param-value>
+    </init-param>
+</verbatim>
+The above value, which is the default, is the number of seconds in 3 minutes.
+
 ---+++ LDAPLoginServlet
 
 This is a second web servlet that gets bundled in the oozie-login.war web application.  It inherits from the LoginServlet, so the
-previous configuration information (i.e. login.page.template) still applies to this servlet.  The only difference between the
+previous configuration information (e.g. login.page.template) still applies to this servlet.  The only difference between the
 LDAPLoginServlet and the LoginServlet, is that the LDAPLoginServlet is configured against an LDAP server to provide the
 authentication instead of simply checking that the username and password are equal.  As before, this is not secure and should not be
 used in production; it is only provided as an example.
@@ -252,7 +269,9 @@ The oozie-login.war web application is c
 have to change the following line in the web.xml from:
 <verbatim>
     <servlet-class>org.apache.oozie.servlet.login.LoginServlet</servlet-class>
+</verbatim>
 to:
+<verbatim>
     <servlet-class>org.apache.oozie.servlet.login.LDAPLoginServlet</servlet-class>
 </verbatim>
 

Modified: oozie/trunk/login/src/main/java/org/apache/oozie/servlet/login/LoginServlet.java
URL: http://svn.apache.org/viewvc/oozie/trunk/login/src/main/java/org/apache/oozie/servlet/login/LoginServlet.java?rev=1450534&r1=1450533&r2=1450534&view=diff
==============================================================================
--- oozie/trunk/login/src/main/java/org/apache/oozie/servlet/login/LoginServlet.java (original)
+++ oozie/trunk/login/src/main/java/org/apache/oozie/servlet/login/LoginServlet.java Tue Feb 26 23:45:23 2013
@@ -44,6 +44,16 @@ public class LoginServlet extends HttpSe
     private static final String LOGIN_PAGE_TEMPLATE_DEFAULT = "login-page-template.html";
     private String loginPageTemplate;
 
+    /**
+     * Constant for the configuration property that indicates the expiration time (or max age) of the "oozie.web.login.auth" cookie.
+     * It is given in seconds.  A positive value indicates that the cookie will expire after that many seconds have passed; make
+     * sure this value is high enough to allow the user to be forwarded to the backurl before the cookie expires.  A negative value
+     * indicates that the cookie will be deleted when the browser exits.
+     */
+    public static final String LOGIN_AUTH_COOKIE_EXPIRE_TIME = "login.auth.cookie.expire.time";
+    private static final int LOGIN_AUTH_COOKIE_EXPIRE_TIME_DEFAULT = 180;   // 3 minutes
+    private int loginAuthCookieExpireTime;
+
     private static final String USERNAME = "username";
     private static final String PASSWORD = "password";
     private static final String BACKURL = "backurl";
@@ -72,6 +82,20 @@ public class LoginServlet extends HttpSe
         } catch (IOException ex) {
             throw new ServletException("Could not read resource [" + loginPageTemplateName + "]");
         }
+
+        // Read in the cookie expiration time
+        String cookieExpireTime = getInitParameter(LOGIN_AUTH_COOKIE_EXPIRE_TIME);
+        if (cookieExpireTime == null) {
+            loginAuthCookieExpireTime = LOGIN_AUTH_COOKIE_EXPIRE_TIME_DEFAULT;
+        }
+        else {
+            try {
+                loginAuthCookieExpireTime = Integer.parseInt(cookieExpireTime);
+            }
+            catch (NumberFormatException nfe) {
+                throw new ServletException(LOGIN_AUTH_COOKIE_EXPIRE_TIME + " must be a valid integer", nfe);
+            }
+        }
     }
 
     protected void renderLoginPage(String message, String username, String backUrl, HttpServletResponse resp)
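Review bot: The parsing added to init() accepts 0, which `Cookie.setMaxAge` treats as "delete the cookie", so a configured value of 0 would make writeCookie hand out a cookie the browser discards at once and the login would never stick. Rejecting it at startup keeps the failure visible, e.g. `if (loginAuthCookieExpireTime == 0) { throw new ServletException(LOGIN_AUTH_COOKIE_EXPIRE_TIME + " must not be 0"); }` after the parse. The Javadoc on LOGIN_AUTH_COOKIE_EXPIRE_TIME, the twiki text and the web.xml description all describe only positive and negative values and should mention the zero case too. There is also no upper bound, so a very large value silently defeats the short lifetime the documentation asks for; a logged warning above some threshold would help. init() begins outside this hunk.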
@@ -150,6 +174,7 @@ public class LoginServlet extends HttpSe
     protected void writeCookie(HttpServletResponse resp, String username) throws UnsupportedEncodingException {
         Cookie cookie = new Cookie("oozie.web.login.auth", URLEncoder.encode(username, "UTF-8"));
         cookie.setPath("/");
+        cookie.setMaxAge(loginAuthCookieExpireTime);
         resp.addCookie(cookie);
     }
 }
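Review bot: `cookie.setMaxAge(loginAuthCookieExpireTime)` in writeCookie only tells the browser when to drop the cookie; the value is still the bare URL-encoded username with no timestamp or signature, so nothing visible here lets the server tell an expired cookie from a fresh one. If the short lifetime is meant to force re-authentication, the consuming handler would need an expiry it can verify itself; at minimum the method should carry a comment such as `// Max-Age is enforced by the client only; the server cannot detect an expired cookie`. The cookie is also created without the Secure attribute, which `cookie.setSecure(true)` would add when the login server is reached over HTTPS.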

Modified: oozie/trunk/login/src/main/webapp/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/oozie/trunk/login/src/main/webapp/WEB-INF/web.xml?rev=1450534&r1=1450533&r2=1450534&view=diff
==============================================================================
--- oozie/trunk/login/src/main/webapp/WEB-INF/web.xml (original)
+++ oozie/trunk/login/src/main/webapp/WEB-INF/web.xml Tue Feb 26 23:45:23 2013
@@ -39,6 +39,17 @@
                 console).
             </description>
         </init-param>
+        <init-param>
+            <param-name>login.auth.cookie.expire.time</param-name>
+            <param-value>180</param-value>
+            <description>
+                Constant for the configuration property that indicates the expiration time (or max age) of the
+                "oozie.web.login.auth" cookie.  It is given in seconds.  A positive value indicates that the cookie will expire
+                after that many seconds have passed; make sure this value is high enough to allow the user to be forwarded to the
+                backurl before the cookie expires.  A negative value indicates that the cookie will be deleted when the browser
+                exits.
+            </description>
+        </init-param>
         -->
         <!--
         <init-param>
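Review bot: The new `<description>` opens with "Constant for the configuration property that indicates", wording copied from the Javadoc on LOGIN_AUTH_COOKIE_EXPIRE_TIME that does not fit a web.xml parameter. Something like `Expiration time (max age), in seconds, of the "oozie.web.login.auth" cookie.` describes the setting directly. The added init-param appears to sit inside the commented-out block closed by the `-->` line, so it might be worth stating in the description that 180 is the built-in default and that the block must be uncommented for a change to take effect; the start of that comment block is outside the hunk.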

Modified: oozie/trunk/release-log.txt
URL: http://svn.apache.org/viewvc/oozie/trunk/release-log.txt?rev=1450534&r1=1450533&r2=1450534&view=diff
==============================================================================
--- oozie/trunk/release-log.txt (original)
+++ oozie/trunk/release-log.txt Tue Feb 26 23:45:23 2013
@@ -55,6 +55,7 @@ OOZIE-944 Implement Workflow Generator U
 
 -- Oozie 3.3.2 (unreleased)
 
+OOZIE-1220 Make the login example cookie expire (rkanter)
 OOZIE-1227 In a coordinator, specifying the <app-path> without a namenode causes it to fail (rkanter)
 OOZIE-1226 Workflow lib path not found in classpath for a subworkflow (rkanter)
 OOZIE-1184 Demo example job.properties has an unused parameter (udai via rkanter)