This is an automated email from the ASF dual-hosted git repository.
mehul pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 896f348 RANGER-2757 : Ranger Knox SSO logout issue
896f348 is described below
commit 896f348636f7df8e64f789a8f24569720afb654b
Author: Nitin Galave <[email protected]>
AuthorDate: Wed Mar 18 18:26:47 2020 +0530
RANGER-2757 : Ranger Knox SSO logout issue
Signed-off-by: Mehul Parikh <[email protected]>
---
.../org/apache/ranger/common/RangerConstants.java | 3 +-
.../web/filter/RangerSSOAuthenticationFilter.java | 65 +++++++++++++++++++---
.../src/main/webapp/scripts/utils/XAUtils.js | 9 ++-
3 files changed, 67 insertions(+), 10 deletions(-)
diff --git
a/security-admin/src/main/java/org/apache/ranger/common/RangerConstants.java
b/security-admin/src/main/java/org/apache/ranger/common/RangerConstants.java
index bb79bb8..f00ea05 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/RangerConstants.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/RangerConstants.java
@@ -188,5 +188,6 @@ public class RangerConstants extends RangerCommonEnums {
ALLOW_WRITE,
ALLOW_DELETE
}
-
+ //HTTP STATUS code for authentication timeout
+ public static final int SC_AUTHENTICATION_TIMEOUT = 419;
}
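Review bot: The value on the `+ public static final int SC_AUTHENTICATION_TIMEOUT = 419;` line is not an IANA-registered HTTP status, and the browser side of this same commit matches it with a separate literal (`error.status == 419` in XAUtils.js), so the two can drift apart without any compiler or test noticing. The one-line comment above it should say so: `// Non-standard HTTP status (not IANA-registered) returned to XHR callers whose SSO session is missing or expired; must stay in sync with the 419 check in scripts/utils/XAUtils.js`. RangerConstants' body starts outside the hunk.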
diff --git
a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
index 8b56b65..6d35991 100644
---
a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
+++
b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
@@ -59,6 +59,7 @@ import java.util.List;
import org.apache.commons.lang.StringUtils;
import org.apache.ranger.biz.UserMgr;
import org.apache.ranger.common.PropertiesUtil;
+import org.apache.ranger.common.RangerConstants;
import org.apache.ranger.common.UserSessionBase;
import org.apache.ranger.security.context.RangerContextHolder;
import org.apache.ranger.security.context.RangerSecurityContext;
@@ -191,11 +192,23 @@ public class RangerSSOAuthenticationFilter implements
Filter {
// if the token is not valid
then redirect to knox sso
else {
if
(isWebUserAgent(userAgent)) {
- String ssourl
= constructLoginURL(httpRequest, xForwardedURL);
- if
(LOG.isDebugEnabled()) {
-
LOG.debug("SSO URL = " + ssourl);
+ String ssourl =
null;
+ String
ajaxRequestHeader = httpRequest.getHeader("X-Requested-With");
+ if
("XMLHttpRequest".equals(ajaxRequestHeader)) {
+ ssourl
= constructLoginURLForApi(httpRequest, xForwardedURL);
+ if
(LOG.isDebugEnabled()) {
+
LOG.debug("ajaxRequestHeader redirectUrl = " + ssourl);
+ }
+
httpServletResponse.setHeader("X-Frame-Options", "DENY");
+
httpServletResponse.setStatus(RangerConstants.SC_AUTHENTICATION_TIMEOUT);
+
httpServletResponse.setHeader("X-Rngr-Redirect-Url", ssourl);
+ } else {
+ ssourl
= constructLoginURL(httpRequest, xForwardedURL);
+ if
(LOG.isDebugEnabled()) {
+
LOG.debug("SSO URL = " + ssourl);
+ }
+
httpServletResponse.sendRedirect(ssourl);
}
-
httpServletResponse.sendRedirect(ssourl);
} else {
filterChain.doFilter(servletRequest,httpServletResponse);
}
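Review bot: The added lines from `+ String ssourl = null;` down to `httpServletResponse.sendRedirect(ssourl);` are repeated verbatim in the next hunk (the jwt-token-absent branch under the `@@ -207,11 +220,23 @@` header), so the XHR detection, the 419 status, the `X-Frame-Options` header and the `X-Rngr-Redirect-Url` header are now maintained in two places and a later fix to one is easy to miss in the other. Extract them into one private helper, e.g. `private void sendToSsoLogin(HttpServletRequest httpRequest, HttpServletResponse httpServletResponse, String xForwardedURL) throws IOException`, and reduce both branches to `sendToSsoLogin(httpRequest, httpServletResponse, xForwardedURL);`. The helper's Javadoc should state that a request carrying `X-Requested-With: XMLHttpRequest` gets status `SC_AUTHENTICATION_TIMEOUT` with the login URL in the `X-Rngr-Redirect-Url` header instead of a 302, which, as far as the commit title lets one tell, is the logout behaviour being fixed. The `ssourl = null` initialisation is dead in both copies since each branch assigns before use; declare the variable inside each branch instead. The enclosing doFilter method begins and ends outside the hunk.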
@@ -207,11 +220,23 @@ public class RangerSSOAuthenticationFilter implements
Filter {
// if the jwt token is not available then
redirect it to knox sso
else {
if (isWebUserAgent(userAgent)) {
- String ssourl =
constructLoginURL(httpRequest, xForwardedURL);
- if (LOG.isDebugEnabled()) {
- LOG.debug("SSO URL = "
+ ssourl);
+ String ssourl = null;
+ String ajaxRequestHeader =
httpRequest.getHeader("X-Requested-With");
+ if
("XMLHttpRequest".equals(ajaxRequestHeader)) {
+ ssourl =
constructLoginURLForApi(httpRequest, xForwardedURL);
+ if
(LOG.isDebugEnabled()) {
+
LOG.debug("ajaxRequestHeader redirectUrl = " + ssourl);
+ }
+
httpServletResponse.setHeader("X-Frame-Options", "DENY");
+
httpServletResponse.setStatus(RangerConstants.SC_AUTHENTICATION_TIMEOUT);
+
httpServletResponse.setHeader("X-Rngr-Redirect-Url", ssourl);
+ } else {
+ ssourl =
constructLoginURL(httpRequest, xForwardedURL);
+ if
(LOG.isDebugEnabled()) {
+ LOG.debug("SSO
URL = " + ssourl);
+ }
+
httpServletResponse.sendRedirect(ssourl);
}
-
httpServletResponse.sendRedirect(ssourl);
} else {
filterChain.doFilter(servletRequest,httpServletResponse);
}
@@ -607,4 +632,28 @@ public class RangerSSOAuthenticationFilter implements
Filter {
}
return (RSAPublicKey) key;
}
+ /**
+ * Create the redirect URL to be used for authentication of the user
in the absence
+ * of a JWT token within the incoming request.
+ *
+ * @param request
+ * for getting the original request URL
+ * @return url to use as login url for redirect
+ */
+ protected String constructLoginURLForApi(HttpServletRequest request,
String xForwardedURL) {
+ String delimiter = "?";
+ if (authenticationProviderUrl.contains("?")) {
+ delimiter = "&";
+ }
+ String loginURL = authenticationProviderUrl + delimiter +
originalUrlQueryParam + "=";
+ if (StringUtils.trimToNull(xForwardedURL) != null) {
+ loginURL += xForwardedURL;
+ } else {
+ loginURL += request.getRequestURL();
+ }
+ if (StringUtils.isNotEmpty(request.getRequestURI()) &&
request.getRequestURI().length() > 1) {
+ loginURL = loginURL.replace(request.getRequestURI(),
"/");
+ }
+ return loginURL;
+ }
}
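Review bot: The `loginURL.replace(request.getRequestURI(), "/")` on the `+ loginURL = loginURL.replace(` line runs over the whole assembled URL, so a request URI that also occurs inside `authenticationProviderUrl` or `originalUrlQueryParam` is rewritten there as well; apply the replacement to the original-URL value before it is appended. That value (`xForwardedURL`, else `request.getRequestURL()`) is also concatenated into the query string unencoded, so a `&` or `#` inside it changes the query the provider receives; unless the provider is known to require the raw form (the existing `constructLoginURL` is outside the hunk, so I cannot compare), `URLEncoder.encode(originalUrl, "UTF-8")` is the safer form. The Javadoc should also cover the second parameter, e.g. `@param xForwardedURL original URL supplied by a fronting proxy; used instead of the request URL when non-blank`.
```java
// … unchanged: delimiter selection …
String originalUrl = StringUtils.trimToNull(xForwardedURL) != null
        ? xForwardedURL
        : request.getRequestURL().toString();
// strip only the request path so the provider returns the user to the web-app root,
// without touching the provider URL or the parameter name
String requestUri = request.getRequestURI();
if (StringUtils.isNotEmpty(requestUri) && requestUri.length() > 1) {
    originalUrl = originalUrl.replace(requestUri, "/");
}
return authenticationProviderUrl + delimiter + originalUrlQueryParam + "=" + originalUrl;
```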
diff --git a/security-admin/src/main/webapp/scripts/utils/XAUtils.js
b/security-admin/src/main/webapp/scripts/utils/XAUtils.js
index ab38fc9..d02e077 100644
--- a/security-admin/src/main/webapp/scripts/utils/XAUtils.js
+++ b/security-admin/src/main/webapp/scripts/utils/XAUtils.js
@@ -631,7 +631,14 @@ define(function(require) {
status : error.status
}));
} else if (error.status == 419) {
- window.location = 'login.jsp?sessionTimeout=true';
+
if(!_.isNull(error.getResponseHeader("X-Rngr-Redirect-Url"))) {
+ XAUtils.notifyError('error', 'Session Timeout')
+ setTimeout( function(){
+ window.location =
error.getResponseHeader("X-Rngr-Redirect-Url");
+ }, 4000);
+ } else {
+ window.location =
'login.jsp?sessionTimeout=true';
+ }
}
};
XAUtils.select2Focus = function(event) {
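Review bot: `XAUtils.notifyError('error', 'Session Timeout')` on the `+ XAUtils.notifyError(` line has no terminating semicolon, unlike every surrounding statement, and the `4000` passed to `setTimeout` is an unexplained literal. Terminate the statement and name the delay, e.g. `var redirectDelayMs = 4000; // let the user read the timeout notice before the page navigates away`. The navigation target is taken from the server-set `X-Rngr-Redirect-Url` header, which is acceptable only while that header is populated solely from the configured SSO provider URL as the Java side of this commit does; a one-line comment next to the `window.location =` assignment saying so would keep a later change from widening it.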