Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 4C7D6200C85 for ; Tue, 16 May 2017 03:31:17 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 4B1BB160BCE; Tue, 16 May 2017 01:31:17 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 910A5160BC2 for ; Tue, 16 May 2017 03:31:16 +0200 (CEST) Received: (qmail 6956 invoked by uid 500); 16 May 2017 01:31:15 -0000 Mailing-List: contact commits-help@atlas.incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@atlas.incubator.apache.org Delivered-To: mailing list commits@atlas.incubator.apache.org Received: (qmail 6947 invoked by uid 99); 16 May 2017 01:31:15 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 16 May 2017 01:31:15 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id E1F3218911C for ; Tue, 16 May 2017 01:31:14 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -4.222 X-Spam-Level: X-Spam-Status: No, score=-4.222 tagged_above=-999 required=6.31 tests=[KAM_ASCII_DIVIDERS=0.8, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=disabled Received: from mx1-lw-eu.apache.org ([10.40.0.8]) by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024) with ESMTP id swyo7IRucIj5 for ; Tue, 16 May 2017 01:31:13 +0000 (UTC) Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by 
mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with SMTP id 87AE55F5C6 for ; Tue, 16 May 2017 01:31:12 +0000 (UTC) Received: (qmail 6930 invoked by uid 99); 16 May 2017 01:31:11 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 16 May 2017 01:31:11 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id ADCEDDFF93; Tue, 16 May 2017 01:31:11 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: madhan@apache.org To: commits@atlas.incubator.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: incubator-atlas git commit: ATLAS-1767: Support KNOX SSO Token based authentication on Atlas REST API calls Date: Tue, 16 May 2017 01:31:11 +0000 (UTC) archived-at: Tue, 16 May 2017 01:31:17 -0000 Repository: incubator-atlas Updated Branches: refs/heads/0.8-incubating eff9eb7a8 -> 08d2d26fd ATLAS-1767: Support KNOX SSO Token based authentication on Atlas REST API calls 
Signed-off-by: Madhan Neethiraj (cherry picked from commit d7a139e11edd415786208f3c920da8a2f34d26c2) Project: http://git-wip-us.apache.org/repos/asf/incubator-atlas/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-atlas/commit/08d2d26f Tree: http://git-wip-us.apache.org/repos/asf/incubator-atlas/tree/08d2d26f Diff: http://git-wip-us.apache.org/repos/asf/incubator-atlas/diff/08d2d26f Branch: refs/heads/0.8-incubating Commit: 08d2d26fde6490018104124c15dca7d5236c8fca Parents: eff9eb7 Author: nixonrodrigues Authored: Wed May 3 19:58:04 2017 +0530 Committer: Madhan Neethiraj Committed: Mon May 15 18:31:03 2017 -0700 ---------------------------------------------------------------------- .../AtlasKnoxSSOAuthenticationFilter.java | 25 ++++++++++++++------ 1 file changed, 18 insertions(+), 7 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/08d2d26f/webapp/src/main/java/org/apache/atlas/web/filters/AtlasKnoxSSOAuthenticationFilter.java ----------------------------------------------------------------------
diff --git a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasKnoxSSOAuthenticationFilter.java b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasKnoxSSOAuthenticationFilter.java
index c3219b9..d5fa003 100644
--- a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasKnoxSSOAuthenticationFilter.java
+++ b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasKnoxSSOAuthenticationFilter.java
@@ -28,6 +28,7 @@ import com.nimbusds.jose.crypto.RSASSAVerifier;
 import com.nimbusds.jwt.SignedJWT;
 import org.apache.atlas.ApplicationProperties;
 import org.apache.atlas.web.security.AtlasAuthenticationProvider;
+import org.apache.atlas.web.util.Servlets;
 import org.apache.commons.configuration.Configuration;
 import org.apache.commons.lang.StringUtils;
 import org.json.simple.JSONObject;
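Review bot: The added `import org.apache.atlas.web.util.Servlets;` is not referenced by any hunk visible in this commit, so it looks unused. The hunk at -57,6 also adds `import org.apache.commons.lang.StringUtils;`, although that import is already present as a context line in this hunk. Both compile, but the duplicate should be removed, and the `Servlets` import too unless code outside the visible hunks uses it.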
@@ -57,6 +58,7 @@ import java.security.interfaces.RSAPublicKey; import java.text.ParseException; import java.util.Date; import java.util.List; +import org.apache.commons.lang.StringUtils; public class AtlasKnoxSSOAuthenticationFilter implements Filter { @@ -69,6 +71,7 @@ public class AtlasKnoxSSOAuthenticationFilter implements Filter { public static final String JWT_ORIGINAL_URL_QUERY_PARAM = "atlas.sso.knox.query.param.originalurl"; public static final String JWT_COOKIE_NAME_DEFAULT = "hadoop-jwt"; public static final String JWT_ORIGINAL_URL_QUERY_PARAM_DEFAULT = "originalUrl"; + public static final String DEFAULT_BROWSER_USERAGENT = "Mozilla,Opera,Chrome"; private SSOAuthenticationProperties jwtProperties; @@ -134,7 +137,7 @@ public class AtlasKnoxSSOAuthenticationFilter implements Filter { return; } - if (!isWebUserAgent(httpRequest.getHeader("User-Agent")) || jwtProperties == null || isAuthenticated()) { + if (jwtProperties == null || isAuthenticated()) { filterChain.doFilter(servletRequest, servletResponse); return; } 
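Review bot: The new public constant `DEFAULT_BROWSER_USERAGENT` in the hunk at -69,6 has no comment explaining what the list is for or how far it can be trusted. Going by the other hunks, it is the fallback for the configured user-agent list and only decides whether a client is redirected to Knox or passed down the filter chain. I would document that on the constant, e.g. `// Fallback User-Agent tokens treated as browsers when BROWSER_USERAGENT is unset; used only to choose redirect vs. pass-through, not to authenticate`. Since the header is client-supplied, stating this keeps later changes from using the list as an access check.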
@@ -171,18 +174,24 @@ public class AtlasKnoxSSOAuthenticationFilter implements Filter { filterChain.doFilter(servletRequest, httpServletResponse); } else { // if the token is not valid then redirect to knox sso - redirectToKnox(httpRequest,httpServletResponse); + redirectToKnox(httpRequest, httpServletResponse, filterChain); } } catch (ParseException e) { LOG.warn("Unable to parse the JWT token", e); + redirectToKnox(httpRequest, httpServletResponse, filterChain); } } else { - redirectToKnox(httpRequest,httpServletResponse); + redirectToKnox(httpRequest, httpServletResponse, filterChain); } } - private void redirectToKnox(HttpServletRequest httpRequest, HttpServletResponse httpServletResponse) throws IOException { + private void redirectToKnox(HttpServletRequest httpRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException { + + if (!isWebUserAgent(httpRequest.getHeader("User-Agent"))) { + filterChain.doFilter(httpRequest, httpServletResponse); + return; + } String ajaxRequestHeader = httpRequest.getHeader("X-Requested-With"); @@ -403,9 +412,11 @@ public class AtlasKnoxSSOAuthenticationFilter implements Filter { jwtProperties.setAuthenticationProviderUrl(providerUrl); jwtProperties.setCookieName(configuration.getString(JWT_COOKIE_NAME, JWT_COOKIE_NAME_DEFAULT)); jwtProperties.setOriginalUrlQueryParam(configuration.getString(JWT_ORIGINAL_URL_QUERY_PARAM, JWT_ORIGINAL_URL_QUERY_PARAM_DEFAULT)); - String userAgent = configuration.getString(BROWSER_USERAGENT); - if (userAgent != null && !userAgent.isEmpty()) { - jwtProperties.setUserAgentList(userAgent.split(",")); + String[] userAgent = configuration.getStringArray(BROWSER_USERAGENT); + if (userAgent != null && userAgent.length > 0) { + jwtProperties.setUserAgentList(userAgent); + } else { + jwtProperties.setUserAgentList(DEFAULT_BROWSER_USERAGENT.split(",")); } try { RSAPublicKey publicKey = parseRSAPublicKey(publicKeyPathStr);
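Review bot: In `redirectToKnox`, the new early return hands the request to `filterChain.doFilter` whenever `isWebUserAgent` is false, and that path is now reached after a token failed validation or parsing as well as from the outer `else` branch. The User-Agent header is set by the client, so this branch only chooses between a redirect and pass-through; whether the request is still authenticated depends on the filters later in the chain, which are not visible here. I would state that at the branch, e.g. `// Non-browser client: no SSO redirect; later filters must authenticate this request (User-Agent is client-controlled)`, and add `LOG.debug("Skipping Knox SSO redirect for non-browser User-Agent");` so a rejected token followed by pass-through can be traced. The method name no longer describes this path, and its body continues past the end of the hunk.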
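Review bot: The new guard `userAgent.length > 0` in the hunk at -403,9 no longer rejects an empty value the way the removed `!userAgent.isEmpty()` did. If the property is present but blank, `getStringArray` can return a one-element array holding an empty string, which would then be installed as the user-agent list instead of the default. How `isWebUserAgent` treats an empty entry is not visible here, but an empty token would match every header under a substring or prefix test. I would tighten the condition to `if (userAgent != null && userAgent.length > 0 && StringUtils.isNotBlank(userAgent[0])) {`. The enclosing method starts and ends outside the hunk.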