Repository: ranger Updated Branches: refs/heads/master 7985dd473 -> eed9eb2b5
RANGER-1822 - Remove ssoEnabled accessors in RangerSSOAuthenticationFilter Signed-off-by: Colm O hEigeartaigh <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/eed9eb2b Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/eed9eb2b Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/eed9eb2b Branch: refs/heads/master Commit: eed9eb2b5cb19756cab3b9085f930634c7d9dcd5 Parents: 7985dd4 Author: Colm O hEigeartaigh <[email protected]> Authored: Mon Oct 2 15:09:22 2017 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Wed Oct 11 09:39:17 2017 +0100 ---------------------------------------------------------------------- .../filter/RangerSSOAuthenticationFilter.java | 57 +++++++------------- 1 file changed, 20 insertions(+), 37 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ranger/blob/eed9eb2b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java index 481fe8e..7cfe0be 100644 --- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java +++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java 
@@ -73,7 +73,7 @@ public class RangerSSOAuthenticationFilter implements Filter { public static final String BROWSER_USERAGENT = "ranger.sso.browser.useragent"; public static final String JWT_AUTH_PROVIDER_URL = "ranger.sso.providerurl"; - public static final String JWT_PUBLIC_KEY = "ranger.sso.publicKey"; + public static final String JWT_PUBLIC_KEY = "ranger.sso.publicKey"; public static final String JWT_COOKIE_NAME = "ranger.sso.cookiename"; public static final String JWT_ORIGINAL_URL_QUERY_PARAM = "ranger.sso.query.param.originalurl"; public static final String JWT_COOKIE_NAME_DEFAULT = "hadoop-jwt"; @@ -88,11 +88,10 @@ public class RangerSSOAuthenticationFilter implements Filter { private String authenticationProviderUrl = null; private RSAPublicKey publicKey = null; private String cookieName = "hadoop-jwt"; - private boolean ssoEnabled = false; - + @Autowired UserMgr userMgr; - + @Inject public RangerSSOAuthenticationFilter(){ jwtProperties = getJwtProperties(); @@ -100,7 +99,7 @@ public class RangerSSOAuthenticationFilter implements Filter { } public RangerSSOAuthenticationFilter( - SSOAuthenticationProperties jwtProperties){ + SSOAuthenticationProperties jwtProperties){ this.jwtProperties = jwtProperties; loadJwtProperties(); } @@ -117,7 +116,7 @@ public class RangerSSOAuthenticationFilter implements Filter { */ @Override public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)throws IOException, ServletException { - + HttpServletRequest httpRequest = (HttpServletRequest)servletRequest; String xForwardedURL = constructForwardableURL(httpRequest); 
@@ -125,26 +124,24 @@ public class RangerSSOAuthenticationFilter implements Filter { if (httpRequest.getRequestedSessionId() != null && !httpRequest.isRequestedSessionIdValid()){ synchronized(httpRequest.getServletContext()){ if(httpRequest.getServletContext().getAttribute(httpRequest.getRequestedSessionId()) != null && "locallogin".equals(httpRequest.getServletContext().getAttribute(httpRequest.getRequestedSessionId()).toString())){ - ssoEnabled = false; httpRequest.getSession().setAttribute("locallogin","true"); httpRequest.getServletContext().removeAttribute(httpRequest.getRequestedSessionId()); } } } - + RangerSecurityContext context = RangerContextHolder.getSecurityContext(); UserSessionBase session = context != null ? context.getUserSession() : null; - ssoEnabled = session != null ? session.isSSOEnabled() : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false); - + boolean ssoEnabled = session != null ? session.isSSOEnabled() : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false); + String userAgent = httpRequest.getHeader("User-Agent"); if(httpRequest.getSession() != null){ if(httpRequest.getSession().getAttribute("locallogin") != null){ - ssoEnabled = false; servletRequest.setAttribute("ssoEnabled", false); filterChain.doFilter(servletRequest, servletResponse); return; } - } + } //If sso is enable and request is not for local login and is from browser then it will go inside and try for knox sso authentication if (ssoEnabled && !httpRequest.getRequestURI().contains(LOCAL_LOGIN_URL)) { //if jwt properties are loaded and is current not authenticated then it will go for sso authentication 
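Review bot: The guard `if(httpRequest.getSession() != null)` just below the new `boolean ssoEnabled` local is always true, because the no-argument `getSession()` creates a session when none exists, so every request reaching this point is given a session before any authentication decision is made. Reading it with `HttpSession existing = httpRequest.getSession(false);` and testing `existing != null && existing.getAttribute("locallogin") != null` keeps the same local-login pass-through without allocating sessions for unauthenticated clients. Separately, turning `ssoEnabled` into a local removes per-request state from a filter instance that presumably serves concurrent requests. A comment on the declaration such as `// request-scoped on purpose: a field here would be shared across concurrent requests` would stop it from being turned back into a field. doFilter starts and ends outside this hunk.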
@@ -162,7 +159,7 @@ public class RangerSSOAuthenticationFilter implements Filter { if (valid) { String userName = jwtToken.getJWTClaimsSet().getSubject(); LOG.info("SSO login user : "+userName); - + String rangerLdapDefaultRole = PropertiesUtil.getProperty("ranger.ldap.default.role", "ROLE_USER"); //if we get the userName from the token then log into ranger using the same user if (userName != null && !userName.trim().isEmpty()) { @@ -178,7 +175,7 @@ public class RangerSSOAuthenticationFilter implements Filter { authentication = getGrantedAuthority(authentication); SecurityContextHolder.getContext().setAuthentication(authentication); } - + filterChain.doFilter(servletRequest,httpServletResponse); } // if the token is not valid then redirect to knox sso @@ -217,14 +214,14 @@ public class RangerSSOAuthenticationFilter implements Filter { } else if(ssoEnabled && ((HttpServletRequest) servletRequest).getRequestURI().contains(LOCAL_LOGIN_URL) && isWebUserAgent(userAgent) && isAuthenticated()){ //If already there's an active session with sso and user want's to switch to local login(i.e without sso) then it won't be navigated to local login // In this scenario the user as to use separate browser - String url = ((HttpServletRequest) servletRequest).getRequestURI().replace(LOCAL_LOGIN_URL+"/", ""); + String url = ((HttpServletRequest) servletRequest).getRequestURI().replace(LOCAL_LOGIN_URL+"/", ""); url = url.replace(LOCAL_LOGIN_URL, ""); LOG.warn("There is an active session and if you want local login to ranger, try this on a separate browser"); ((HttpServletResponse)servletResponse).sendRedirect(url); } //if sso is not enable or the request is not from browser then proceed further with next filter else { - filterChain.doFilter(servletRequest, servletResponse); + filterChain.doFilter(servletRequest, servletResponse); } } 
@@ -232,10 +229,10 @@ public class RangerSSOAuthenticationFilter implements Filter { String xForwardedProto = ""; String xForwardedHost = ""; String xForwardedContext = ""; - Enumeration<String> names = httpRequest.getHeaderNames(); + Enumeration<?> names = httpRequest.getHeaderNames(); while (names.hasMoreElements()) { String name = (String) names.nextElement(); - Enumeration<String> values = httpRequest.getHeaders(name); + Enumeration<?> values = httpRequest.getHeaders(name); String value = ""; if (values != null) { while (values.hasMoreElements()) { @@ -273,7 +270,7 @@ public class RangerSSOAuthenticationFilter implements Filter { } return authentication; } - + private List<GrantedAuthority> getAuthorities(String username) { Collection<String> roleList=userMgr.getRolesByLoginId(username); final List<GrantedAuthority> grantedAuths = new ArrayList<>(); @@ -296,27 +293,13 @@ public class RangerSSOAuthenticationFilter implements Filter { } } } - return isWeb; - } - - /** - * @return the ssoEnabled - */ - public boolean isSsoEnabled() { - return ssoEnabled; - } - - /** - * @param ssoEnabled the ssoEnabled to set - */ - public void setSsoEnabled(boolean ssoEnabled) { - this.ssoEnabled = ssoEnabled; + return isWeb; } private void loadJwtProperties() { if (jwtProperties != null) { authenticationProviderUrl = jwtProperties.getAuthenticationProviderUrl(); - publicKey = jwtProperties.getPublicKey(); + publicKey = jwtProperties.getPublicKey(); cookieName = jwtProperties.getCookieName(); originalUrlQueryParam = jwtProperties.getOriginalUrlQueryParam(); } @@ -397,7 +380,7 @@ public class RangerSSOAuthenticationFilter implements Filter { */ protected boolean validateToken(SignedJWT jwtToken) { boolean sigValid = validateSignature(jwtToken); - if (!sigValid) { + if (!sigValid) { LOG.warn("Signature of JWT token could not be verified. Please check the public key"); } boolean expValid = validateExpiration(jwtToken); 
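Review bot: In the `@@ -232` hunk, `xForwardedProto`, `xForwardedHost` and `xForwardedContext` are filled by walking the request's headers, and nothing in the visible lines records that such values are client-suppliable unless a trusted proxy overwrites them. A comment on the declarations such as `// taken from request headers; only trustworthy behind a proxy that sets or strips them` would make that explicit, since the URL this method builds should be treated as untrusted wherever it is used later. The switch to `Enumeration<?>` also leaves the `(String) names.nextElement()` cast as the only type check on the header names. The rest of constructForwardableURL lies outside the hunk, so how the values are combined cannot be checked here.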
@@ -507,7 +490,7 @@ public class RangerSSOAuthenticationFilter implements Filter { LOG.error("Unable to parse public certificate file. JWT auth will be disabled.",e); } catch (ServletException e) { LOG.error("ServletException while processing the properties",e); - } + } return jwtProperties; } else { return null;
