ranger-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From gau...@apache.org
Subject incubator-ranger git commit: RANGER-759 : Fix Ranger Knox SSO logout/session expired issues
Date Thu, 03 Dec 2015 03:32:22 GMT
Repository: incubator-ranger
Updated Branches:
  refs/heads/master af8377f27 -> 10d755acd


RANGER-759 : Fix Ranger Knox SSO logout/session expired issues


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/10d755ac
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/10d755ac
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/10d755ac

Branch: refs/heads/master
Commit: 10d755acd15d4b7a604571838559eca0e9f44150
Parents: af8377f
Author: Gautam Borad <gautam@apache.org>
Authored: Wed Dec 2 14:23:10 2015 +0530
Committer: Gautam Borad <gautam@apache.org>
Committed: Thu Dec 3 09:02:08 2015 +0530

----------------------------------------------------------------------
 .../CustomLogoutSuccessHandler.java             |  2 ++
 .../RangerAuthenticationEntryPoint.java         |  1 +
 .../filter/RangerSSOAuthenticationFilter.java   | 33 ++++++++++++++------
 .../webapp/scripts/views/common/ProfileBar.js   | 25 ++++++++-------
 4 files changed, 39 insertions(+), 22 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/10d755ac/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java
b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java
index 6a91834..237fb50 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java
@@ -43,6 +43,8 @@ public class CustomLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler
 			HttpServletResponse response, Authentication authentication)
 			throws IOException, ServletException {
 
+		request.getServletContext().removeAttribute(request.getRequestedSessionId());
+		
 		response.setContentType("application/json;charset=UTF-8");
 		response.setHeader("Cache-Control", "no-cache");
 		response.setHeader("X-Frame-Options", "DENY");

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/10d755ac/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
index 0b61498..b3d59eb 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
@@ -133,6 +133,7 @@ public class RangerAuthenticationEntryPoint extends
 			if(requestURL.contains(RangerSSOAuthenticationFilter.LOCAL_LOGIN_URL)){
 				if (request.getSession() != null)
 					request.getSession().setAttribute("locallogin","true");
+					request.getServletContext().setAttribute(request.getSession().getId(), "locallogin");
 			}
 			super.commence(request, response, authException);
 		}

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/10d755ac/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
index af3c58a..f79db6b 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
@@ -108,26 +108,37 @@ public class RangerSSOAuthenticationFilter implements Filter {
 	@Override
 	public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain
filterChain)throws IOException, ServletException {
 		
+		HttpServletRequest httpRequest = (HttpServletRequest)servletRequest;
+        if (httpRequest.getRequestedSessionId() != null && !httpRequest.isRequestedSessionIdValid())
+        {   
+        	if(httpRequest.getServletContext().getAttribute(httpRequest.getRequestedSessionId())
!= null && httpRequest.getServletContext().getAttribute(httpRequest.getRequestedSessionId()).toString().equals("locallogin")){
+        		ssoEnabled = false;
+        		httpRequest.getSession().setAttribute("locallogin","true");
+        		httpRequest.getServletContext().removeAttribute(httpRequest.getRequestedSessionId());
+        	}
+        }		
+		
 		RangerSecurityContext context = RangerContextHolder.getSecurityContext();
 		UserSessionBase session = context != null ? context.getUserSession() : null;
 		ssoEnabled = session != null ? session.isSSOEnabled() : PropertiesUtil.getBooleanProperty("ranger.sso.enabled",
false);
 		
-		String userAgent = ((HttpServletRequest)servletRequest).getHeader("User-Agent");
-		if(((HttpServletRequest) servletRequest).getSession() != null){
-			if(((HttpServletRequest) servletRequest).getSession().getAttribute("locallogin") != null){
+		String userAgent = httpRequest.getHeader("User-Agent");
+		if(httpRequest.getSession() != null){
+			if(httpRequest.getSession().getAttribute("locallogin") != null){
 				ssoEnabled = false;
 				servletRequest.setAttribute("ssoEnabled", false);
 				filterChain.doFilter(servletRequest, servletResponse);
 				return;
 			}
-		}
+		}		
+		
 		//If sso is enable and request is not for local login and is from browser then it will
go inside and try for knox sso authentication 
-		if (ssoEnabled && !((HttpServletRequest) servletRequest).getRequestURI().contains(LOCAL_LOGIN_URL)
&& isWebUserAgent(userAgent)) {
+		if (ssoEnabled && !httpRequest.getRequestURI().contains(LOCAL_LOGIN_URL) &&
isWebUserAgent(userAgent)) {
 			//if jwt properties are loaded and is current not authenticated then it will go for sso
authentication
+			//Note : Need to remove !isAuthenticated() after knoxsso solve the bug from cross-origin
script
 			if (jwtProperties != null && !isAuthenticated()) {
-				HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
 				HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
-				String serializedJWT = getJWTFromCookie(httpServletRequest);
+				String serializedJWT = getJWTFromCookie(httpRequest);
 				// if we get the hadoop-jwt token from the cookies then will process it further
 				if (serializedJWT != null) {
 					SignedJWT jwtToken = null;
@@ -144,9 +155,11 @@ public class RangerSSOAuthenticationFilter implements Filter {
 							if (userName != null && !userName.trim().isEmpty()) {
 								final List<GrantedAuthority> grantedAuths = new ArrayList<>();
 								grantedAuths.add(new SimpleGrantedAuthority(rangerLdapDefaultRole));
+								grantedAuths.add(new SimpleGrantedAuthority("ROLE_SYS_ADMIN"));
+								grantedAuths.add(new SimpleGrantedAuthority("ROLE_KEY_ADMIN"));
 								final UserDetails principal = new User(userName, "",grantedAuths);
 								final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal,
"", grantedAuths);
-								WebAuthenticationDetails webDetails = new WebAuthenticationDetails(httpServletRequest);
+								WebAuthenticationDetails webDetails = new WebAuthenticationDetails(httpRequest);
 								((AbstractAuthenticationToken) finalAuthentication).setDetails(webDetails);
 								RangerAuthenticationProvider authenticationProvider = new RangerAuthenticationProvider();
 								authenticationProvider.setSsoEnabled(ssoEnabled);
@@ -158,7 +171,7 @@ public class RangerSSOAuthenticationFilter implements Filter {
 						}
 						// if the token is not valid then redirect to knox sso  
 						else {
-							String ssourl = constructLoginURL(httpServletRequest);
+							String ssourl = constructLoginURL(httpRequest);
 							if(LOG.isDebugEnabled())
 								LOG.debug("SSO URL = " + ssourl);
 							httpServletResponse.sendRedirect(ssourl);
@@ -169,7 +182,7 @@ public class RangerSSOAuthenticationFilter implements Filter {
 				}
 				// if the jwt token is not available then redirect it to knox sso 
 				else {
-					String ssourl = constructLoginURL(httpServletRequest);
+					String ssourl = constructLoginURL(httpRequest);
 					if(LOG.isDebugEnabled())
 						LOG.debug("SSO URL = " + ssourl);
 					httpServletResponse.sendRedirect(ssourl);

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/10d755ac/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js b/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js
index 0bb9648..c6301c3 100644
--- a/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js
+++ b/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js
@@ -49,10 +49,10 @@ define(function(require){
 		events: function() {
 			var events = {};
 			//events['change ' + this.ui.input]  = 'onInputChange';
-			events['click ' + this.ui.logout]  = 'onLogout';
+			events['click ' + this.ui.logout]  = 'checkKnoxSSO';
 			return events;
 		},
-		onLogout : function(){
+		onLogout : function(checksso){
 			var url = 'security-admin-web/logout.html',
 			that = this;
 			$.ajax({
@@ -62,8 +62,15 @@ define(function(require){
 					"cache-control" : "no-cache"
 				},
 				success : function() {
-					that.checkKnoxSSO()
-//					window.location.replace('login.jsp');
+					if(!_.isUndefined(checksso) && checksso){
+						if(checksso == 'false'){
+							window.location.replace('locallogin');
+						}else{
+							window.location.replace('');
+						}
+					} else {
+						window.location.replace('login.jsp');
+					}
 				},
 				error : function(jqXHR, textStatus, err ) {
 				}
@@ -71,7 +78,7 @@ define(function(require){
 			});
 		},
 		checkKnoxSSO : function(){
-			var url = 'service/plugins/checksso';
+			var that =this, url = 'service/plugins/checksso';
 			$.ajax({
 				url : url,
 				type : 'GET',
@@ -79,19 +86,13 @@ define(function(require){
 					"cache-control" : "no-cache"
 				},
 				success : function(resp) {
-					console.log(resp)
-					if(!_.isUndefined(resp) && resp){
-						window.location.replace('');
-					} else {
-						window.location.replace('login.jsp');
-					}
+					that.onLogout(resp);
 				},
 				error : function(jqXHR, textStatus, err ) {
 					if( jqXHR.status == 419 ){
 						window.location.replace('login.jsp');
 					}
 				}
-				
 			});
 		},
     	/**


Mime
View raw message