Repository: knox Updated Branches: refs/heads/master d0726a227 -> 8c1c94b9e
KNOX-933 - PicketLink Provider must set Secure and HTTPOnly flags on Cookie (Krishna Pandey via lmccay) Project: http://git-wip-us.apache.org/repos/asf/knox/repo Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/8c1c94b9 Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/8c1c94b9 Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/8c1c94b9 Branch: refs/heads/master Commit: 8c1c94b9e81d5a624075448be75702ffa08e40c5 Parents: d0726a2 Author: Larry McCay <[email protected]> Authored: Sat May 20 13:37:07 2017 -0400 Committer: Larry McCay <[email protected]> Committed: Sat May 20 13:37:07 2017 -0400 ---------------------------------------------------------------------- .../gateway/picketlink/PicketlinkMessages.java | 3 +++ .../filter/CaptureOriginalURLFilter.java | 19 +++++++++++++++++-- 2 files changed, 20 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/knox/blob/8c1c94b9/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/PicketlinkMessages.java ----------------------------------------------------------------------
diff --git a/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/PicketlinkMessages.java b/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/PicketlinkMessages.java
index d60d5b3..c49030f 100644
--- a/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/PicketlinkMessages.java
+++ b/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/PicketlinkMessages.java
@@ -31,6 +31,9 @@ public interface PicketlinkMessages {
 @Message( level = MessageLevel.DEBUG, text = "setting cookie for original-url")
 public void settingCookieForOriginalURL();
+ @Message( level = MessageLevel.DEBUG, text = "Secure Flag is set to False for cookie")
+ public void secureFlagFalseForCookie();
+
 @Message( level = MessageLevel.ERROR, text = "Unable to get the gateway identity passphrase: {0}")
 public void unableToGetGatewayIdentityPassphrase(@StackTrace( level = MessageLevel.DEBUG) Exception e);
http://git-wip-us.apache.org/repos/asf/knox/blob/8c1c94b9/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/filter/CaptureOriginalURLFilter.java ----------------------------------------------------------------------
diff --git a/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/filter/CaptureOriginalURLFilter.java b/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/filter/CaptureOriginalURLFilter.java
index 540a81a..66da6c4 100644
--- a/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/filter/CaptureOriginalURLFilter.java
+++ b/gateway-provider-security-picketlink/src/main/java/org/apache/hadoop/gateway/picketlink/filter/CaptureOriginalURLFilter.java
@@ -34,8 +34,10 @@ import java.io.IOException;
 public class CaptureOriginalURLFilter implements Filter {
 private static PicketlinkMessages log = MessagesFactory.get( PicketlinkMessages.class );
- private static final String COOKIE_PATH = "cookie.path";
+ private static final String COOKIE_PATH = "cookie.path";
+ private static final String COOKIE_SECURE = "cookie.secure";
 private String cookiePath = null;
+ private String cookieSecure = null;
 @Override
 public void init( FilterConfig filterConfig ) throws ServletException {
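Review bot: The new `secureFlagFalseForCookie` message is declared at `MessageLevel.DEBUG`, so a deployment that turns the Secure attribute off for the original-url cookie leaves no trace at the default log level, which is exactly the case an operator reviewing the gateway log would want to see. Since `cookie.secure=false` is a deliberate weakening of the cookie rather than a debugging detail, `@Message( level = MessageLevel.WARN, text = "Secure flag is disabled for the original-url cookie (cookie.secure=false)")` fits the event better. The interface continues outside the hunk.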
@@ -43,6 +45,10 @@ public class CaptureOriginalURLFilter implements Filter {
 if (cookiePath == null) {
 cookiePath = "/gateway/idp/knoxsso/api/v1/websso";
 }
+ cookieSecure = filterConfig.getInitParameter(COOKIE_SECURE);
+ if (cookieSecure == null) {
+ cookieSecure = "true";
+ }
 }
 @Override
@@ -63,10 +69,19 @@ public class CaptureOriginalURLFilter implements Filter {
 public void destroy() { }
-
+
 private void addCookie(ServletResponse servletResponse, String original) {
 Cookie c = new Cookie("original-url", original);
 c.setPath(cookiePath);
+ c.setHttpOnly(true);
+ boolean secureOnly = true;
+ if (cookieSecure != null) {
+ secureOnly = ("false".equals(cookieSecure) ? false : true);
+ if (!secureOnly) {
+ log.secureFlagFalseForCookie();
+ }
+ }
+ c.setSecure(secureOnly);
 c.setMaxAge(60);
 ((HttpServletResponse)servletResponse).addCookie(c);
 }
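Review bot: The `cookieSecure = "true"` fallback added here makes the `if (cookieSecure != null)` guard in `addCookie` (the next hunk) unconditionally true, and keeping the raw init-parameter string means the `"false"` comparison is re-evaluated on every request that sets the cookie. Parsing once at init into a boolean removes the dead branch and the per-request work: declare `private boolean cookieSecure = true;` in place of the String field from the first hunk of this file, set `cookieSecure = !"false".equals(filterConfig.getInitParameter(COOKIE_SECURE));` here, and call `c.setSecure(cookieSecure);` in `addCookie`. An absent parameter then still yields the secure default, so observable behavior is unchanged. The enclosing `init` method starts before this hunk.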
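Review bot: `log.secureFlagFalseForCookie()` sits inside `addCookie`, so the insecure-configuration notice is emitted on every request that sets the cookie rather than once when the filter is configured, and `"false".equals(cookieSecure)` is case-sensitive, so `cookie.secure=FALSE` or `False` silently keeps the Secure flag on. The first belongs in `init` right after the parameter is read; the second errs in the safe direction but should be stated where the field is declared, e.g. `// cookie.secure: only the exact value "false" disables the Secure attribute; any other value, or none, keeps it on`. The ternary `("false".equals(cookieSecure) ? false : true)` reads more simply as `secureOnly = !"false".equals(cookieSecure);`. `Cookie.setHttpOnly` exists only from Servlet 3.0, so the line presumes the module's servlet-api dependency is at least that version, which this page does not show.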
