ATLAS-1206 Atlas UI not working with IE or Chrome on Windows OS in Kerberos mode (nixonrodrigues via sumasai)
(cherry picked from commit adfdef023b3dbdf7c03b4039a814d47a50ef41e3) Project: http://git-wip-us.apache.org/repos/asf/incubator-atlas/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-atlas/commit/26c14780 Tree: http://git-wip-us.apache.org/repos/asf/incubator-atlas/tree/26c14780 Diff: http://git-wip-us.apache.org/repos/asf/incubator-atlas/diff/26c14780 Branch: refs/heads/0.7-incubating Commit: 26c14780e0b2522332a1d8eb01edc0ecc925302b Parents: 6545187 Author: Suma Shivaprasad <[email protected]> Authored: Tue Oct 4 11:24:52 2016 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Thu Dec 22 15:35:35 2016 -0800 ---------------------------------------------------------------------- release-log.txt | 1 + .../web/filters/AtlasAuthenticationFilter.java | 86 +++++++++++++++----- 2 files changed, 65 insertions(+), 22 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/26c14780/release-log.txt ---------------------------------------------------------------------- diff --git a/release-log.txt b/release-log.txt index ef5f6d9..6f6427b 100644 --- a/release-log.txt +++ b/release-log.txt 
@@ -30,6 +30,7 @@ ATLAS-409 Atlas will not import avro tables with schema read from a file (dosset ATLAS-379 Create sqoop and falcon metadata addons (venkatnrangan,bvellanki,sowmyaramesh via shwethags) ALL CHANGES: +ATLAS-1206 Atlas UI not working with IE or Chrome on Windows OS in Kerberos mode (nixonrodrigues via sumasai) ATLAS-1155 Errors in Eclipse when I bring in the latest code (davidrad via shwethags) ATLAS-1098 Atlas allows creation of tag with name "isa" which causes exceptions during search (apoorvnaik via shwethags) ATLAS-1142 Lineage UI Improvement (kevalbhatt via shwethags) http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/26c14780/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java ---------------------------------------------------------------------- diff --git a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java index 605fe89..30200b5 100644 --- a/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java +++ b/webapp/src/main/java/org/apache/atlas/web/filters/AtlasAuthenticationFilter.java @@ -69,6 +69,8 @@ import java.net.UnknownHostException; import java.security.Principal; import java.text.SimpleDateFormat; import java.util.*; +import java.util.regex.Matcher; +import java.util.regex.Pattern; import javax.servlet.http.Cookie; /** @@ -84,6 +86,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { private SignerSecretProvider secretProvider; public final boolean isKerberos = AuthenticationUtil.isKerberosAuthenticationEnabled(); private boolean isInitializedByTomcat; + private Set<Pattern> browserUserAgents; public AtlasAuthenticationFilter() { try { 
@@ -148,7 +151,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { @Override public void initializeSecretProvider(FilterConfig filterConfig) throws ServletException { - LOG.debug("AtlasAuthenticationFilter :: initializeSecretProvider "+filterConfig); + LOG.debug("AtlasAuthenticationFilter :: initializeSecretProvider " + filterConfig); secretProvider = (SignerSecretProvider) filterConfig.getServletContext(). getAttribute(AuthenticationFilter.SIGNER_SECRET_PROVIDER_ATTRIBUTE); if (secretProvider == null) { @@ -230,6 +233,14 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { LOG.debug(" AuthenticationFilterConfig: {}", config); + String agents = configuration.getString(AtlasCSRFPreventionFilter.BROWSER_USER_AGENT_PARAM, AtlasCSRFPreventionFilter.BROWSER_USER_AGENTS_DEFAULT); + + if (agents == null) { + agents = AtlasCSRFPreventionFilter.BROWSER_USER_AGENTS_DEFAULT; + } + + parseBrowserUserAgents(agents); + return config; } @@ -296,11 +307,16 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { try { - String authHeader = httpRequest.getHeader("Authorization"); - if (authHeader != null && authHeader.startsWith("Basic")) { - filterChain.doFilter(request, response); - } else if (isKerberos) { - doKerberosAuth(request, response, filterChainWrapper); + Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication(); + if (existingAuth == null) { + String authHeader = httpRequest.getHeader("Authorization"); + if (authHeader != null && authHeader.startsWith("Basic")) { + filterChain.doFilter(request, response); + } else if (isKerberos) { + doKerberosAuth(request, response, filterChainWrapper, filterChain); + } else { + filterChain.doFilter(request, response); + } } else { filterChain.doFilter(request, response); } 
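Review bot: In the block added before `return config;`, the list of user agents that later decides who skips the Kerberos challenge is read from `AtlasCSRFPreventionFilter.BROWSER_USER_AGENT_PARAM`, so one setting now drives both CSRF handling and an authentication decision, and nothing here says so. A comment such as `// Reuses the CSRF filter's browser user-agent list; matching clients are passed to the next filter instead of receiving the SPNEGO 401` would warn anyone who tunes that key for CSRF reasons. The `if (agents == null)` fallback repeats the default already passed to `getString(...)` and looks redundant unless the default constant can itself be null. The enclosing method starts outside the hunk.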
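Review bot: The new `existingAuth == null` test in the `try` block treats any non-null `Authentication` in the `SecurityContextHolder` as an already authenticated caller. If an anonymous or not-yet-authenticated token can be present at this point in the filter order (not visible in this hunk), the Kerberos path is skipped for a request that has not logged in. A stricter guard would be `if (existingAuth == null || !existingAuth.isAuthenticated() || existingAuth instanceof AnonymousAuthenticationToken) {`. Three of the four branches now end in the same `filterChain.doFilter(request, response)`, so the nesting could also be reduced to a single condition selecting `doKerberosAuth`. The method body continues outside the hunk.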
@@ -327,7 +343,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { * @throws IOException thrown if an IO error occurred. * @throws ServletException thrown if a processing error occurred. */ - public void doKerberosAuth(ServletRequest request, ServletResponse response, FilterChain filterChain) + public void doKerberosAuth(ServletRequest request, ServletResponse response, FilterChain filterChainWrapper ,FilterChain filterChain ) throws IOException, ServletException { boolean unauthorizedResponse = true; int errCode = HttpServletResponse.SC_UNAUTHORIZED; @@ -389,7 +405,7 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { getCookiePath(), token.getExpires(), isHttps); } - filterChain.doFilter(httpRequest, httpResponse); + filterChainWrapper.doFilter(httpRequest, httpResponse); } } else { unauthorizedResponse = false; 
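Review bot: The new signature `doKerberosAuth(..., FilterChain filterChainWrapper ,FilterChain filterChain )` takes two chains, but the Javadoc shown above it is not touched by this hunk and does not say which chain is used when. From the visible lines, `filterChainWrapper` is the one invoked after the auth cookie is created and `filterChain` is the one used on the fallback path in the later hunk, so add `@param filterChainWrapper chain invoked once a Kerberos token is available` and `@param filterChain chain the request is handed to when no token was obtained`. The method is `public`, so the extra parameter breaks any caller outside this class. The spacing should read `FilterChain filterChainWrapper, FilterChain filterChain)`. The body continues outside the hunk.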
@@ -412,22 +428,25 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { errCode = HttpServletResponse.SC_FORBIDDEN; } if (authenticationEx == null) { // added this code for atlas error handling and fallback - boolean chk = true; - Collection<String> headerNames = httpResponse.getHeaderNames(); - for (String headerName : headerNames) { - String value = httpResponse.getHeader(headerName); - if (headerName.equalsIgnoreCase("Set-Cookie") && value.startsWith("JSESSIONID")) { - chk = false; - break; - } - } - String authHeader = httpRequest.getHeader("Authorization"); - if (authHeader == null && chk) { - filterChain.doFilter(request, response); - } else if (authHeader != null && authHeader.startsWith("Basic")) { + if (isBrowser(httpRequest.getHeader("User-Agent"))) { filterChain.doFilter(request, response); + } else { + boolean chk = true; + Collection<String> headerNames = httpResponse.getHeaderNames(); + for (String headerName : headerNames) { + String value = httpResponse.getHeader(headerName); + if (headerName.equalsIgnoreCase("Set-Cookie") && value.startsWith("JSESSIONID")) { + chk = false; + break; + } + } + String authHeader = httpRequest.getHeader("Authorization"); + if (authHeader == null && chk) { + filterChain.doFilter(request, response); + } else if (authHeader != null && authHeader.startsWith("Basic")) { + filterChain.doFilter(request, response); + } } - } else { httpResponse.sendError(errCode, authenticationEx.getMessage()); } 
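Review bot: The new first branch, `if (isBrowser(httpRequest.getHeader("User-Agent"))) { filterChain.doFilter(request, response); }`, forwards a request that obtained no Kerberos token solely on the basis of a header the client chooses. That is safe only if everything behind `filterChain` enforces authentication on its own, which this hunk does not show. The assumption should be stated at the branch, e.g. `// User-Agent is client-supplied and is not an authentication signal; the remaining chain must reject unauthenticated requests`. A debug-level log line on this path would also make requests that skip the SPNEGO challenge visible when reviewing access logs. The enclosing method starts and ends outside the hunk.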
@@ -550,4 +569,27 @@ public class AtlasAuthenticationFilter extends AuthenticationFilter { return token; } + void parseBrowserUserAgents(String userAgents) { + String[] agentsArray = userAgents.split(","); + browserUserAgents = new HashSet<Pattern>(); + for (String patternString : agentsArray) { + browserUserAgents.add(Pattern.compile(patternString)); + } + } + + boolean isBrowser(String userAgent) { + if (userAgent == null) { + return false; + } + if (browserUserAgents != null) { + for (Pattern pattern : browserUserAgents) { + Matcher matcher = pattern.matcher(userAgent); + if (matcher.matches()) { + return true; + } + } + } + return false; + } + }
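Review bot: `parseBrowserUserAgents` compiles each comma-separated piece as-is and assigns `browserUserAgents` before filling it, so a value written as `a, b` produces a pattern that starts with a literal space, an empty piece becomes a pattern that matches only an empty header, and `isBrowser` could observe a partly built set if configuration is ever re-read while requests are served. Because `isBrowser` uses `matcher.matches()`, each pattern has to cover the whole header value; the Javadoc should say so, and also that a malformed pattern raises `PatternSyntaxException` to the caller. A match decides whether the Kerberos challenge is skipped, so silent misparsing is worth avoiding. The version below trims, drops empty entries and assigns the field only once the set is complete.

```java
void parseBrowserUserAgents(String userAgents) {
    Set<Pattern> parsed = new HashSet<Pattern>();
    for (String patternString : userAgents.split(",")) {
        String trimmed = patternString.trim();
        if (!trimmed.isEmpty()) {
            parsed.add(Pattern.compile(trimmed));
        }
    }
    // Assign the field only after the set is complete.
    browserUserAgents = parsed;
}
// … unchanged: isBrowser …
```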
