RANGER-759 : Fix Ranger Knox SSO logout/session expired issues
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/10d755ac Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/10d755ac Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/10d755ac Branch: refs/heads/tag-policy Commit: 10d755acd15d4b7a604571838559eca0e9f44150 Parents: af8377f Author: Gautam Borad <[email protected]> Authored: Wed Dec 2 14:23:10 2015 +0530 Committer: Gautam Borad <[email protected]> Committed: Thu Dec 3 09:02:08 2015 +0530 ---------------------------------------------------------------------- .../CustomLogoutSuccessHandler.java | 2 ++ .../RangerAuthenticationEntryPoint.java | 1 + .../filter/RangerSSOAuthenticationFilter.java | 33 ++++++++++++++------ .../webapp/scripts/views/common/ProfileBar.js | 25 ++++++++------- 4 files changed, 39 insertions(+), 22 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/10d755ac/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java index 6a91834..237fb50 100644 --- a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java +++ b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java 
@@ -43,6 +43,8 @@ public class CustomLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler HttpServletResponse response, Authentication authentication) throws IOException, ServletException { + request.getServletContext().removeAttribute(request.getRequestedSessionId()); + response.setContentType("application/json;charset=UTF-8"); response.setHeader("Cache-Control", "no-cache"); response.setHeader("X-Frame-Options", "DENY"); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/10d755ac/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java index 0b61498..b3d59eb 100644 --- a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java +++ b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java @@ -133,6 +133,7 @@ public class RangerAuthenticationEntryPoint extends if(requestURL.contains(RangerSSOAuthenticationFilter.LOCAL_LOGIN_URL)){ if (request.getSession() != null) request.getSession().setAttribute("locallogin","true"); + request.getServletContext().setAttribute(request.getSession().getId(), "locallogin"); } super.commence(request, response, authException); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/10d755ac/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java ---------------------------------------------------------------------- 
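Review bot: The added `request.getServletContext().removeAttribute(request.getRequestedSessionId())` passes a null name whenever the logout request carries no session cookie or URL parameter, and the servlet API does not define a null attribute name (Tomcat, for instance, backs the attribute map with a ConcurrentHashMap and throws NullPointerException on it), so a cookieless logout could fail before the JSON response below is written. Guard it: `String sid = request.getRequestedSessionId(); if (sid != null) { request.getServletContext().removeAttribute(sid); }`. The enclosing onLogoutSuccess method starts and ends outside the hunk.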
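Review bot: The added `request.getServletContext().setAttribute(request.getSession().getId(), "locallogin")` sits after a brace-less `if (request.getSession() != null)`, so it runs unconditionally and does not share the null guard the line above applies to the session; either brace the block so both statements are guarded, or drop the guard consistently if getSession() is known never to return null here. This also records one application-wide ServletContext entry per session that reaches the local-login URL, keyed by the session id, and nothing removes it unless that user later logs out or the filter's expired-session branch runs, so entries for sessions that simply time out accumulate for the life of the application; an HttpSessionListener whose sessionDestroyed removes the entry would bound that growth. The same lifetime concern applies to the CustomLogoutSuccessHandler and RangerSSOAuthenticationFilter hunks, which only remove entries on explicit paths. commence's body ends outside the hunk.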
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
index af3c58a..f79db6b 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
@@ -108,26 +108,37 @@ public class RangerSSOAuthenticationFilter implements Filter { @Override public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)throws IOException, ServletException { + HttpServletRequest httpRequest = (HttpServletRequest)servletRequest; + if (httpRequest.getRequestedSessionId() != null && !httpRequest.isRequestedSessionIdValid()) + { + if(httpRequest.getServletContext().getAttribute(httpRequest.getRequestedSessionId()) != null && httpRequest.getServletContext().getAttribute(httpRequest.getRequestedSessionId()).toString().equals("locallogin")){ + ssoEnabled = false; + httpRequest.getSession().setAttribute("locallogin","true"); + httpRequest.getServletContext().removeAttribute(httpRequest.getRequestedSessionId()); + } + } + RangerSecurityContext context = RangerContextHolder.getSecurityContext(); UserSessionBase session = context != null ? context.getUserSession() : null; ssoEnabled = session != null ? session.isSSOEnabled() : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false); - String userAgent = ((HttpServletRequest)servletRequest).getHeader("User-Agent"); - if(((HttpServletRequest) servletRequest).getSession() != null){ - if(((HttpServletRequest) servletRequest).getSession().getAttribute("locallogin") != null){ + String userAgent = httpRequest.getHeader("User-Agent"); + if(httpRequest.getSession() != null){ + if(httpRequest.getSession().getAttribute("locallogin") != null){ ssoEnabled = false; servletRequest.setAttribute("ssoEnabled", false); filterChain.doFilter(servletRequest, servletResponse); return; } - } + } + //If sso is enable and request is not for local login and is from browser then it will go inside and try for knox sso authentication - if (ssoEnabled && !((HttpServletRequest) servletRequest).getRequestURI().contains(LOCAL_LOGIN_URL) && isWebUserAgent(userAgent)) { + if (ssoEnabled && !httpRequest.getRequestURI().contains(LOCAL_LOGIN_URL) && 
isWebUserAgent(userAgent)) { //if jwt properties are loaded and is current not authenticated then it will go for sso authentication + //Note : Need to remove !isAuthenticated() after knoxsso solve the bug from cross-origin script if (jwtProperties != null && !isAuthenticated()) { - HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest; HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse; - String serializedJWT = getJWTFromCookie(httpServletRequest); + String serializedJWT = getJWTFromCookie(httpRequest); // if we get the hadoop-jwt token from the cookies then will process it further if (serializedJWT != null) { SignedJWT jwtToken = null; @@ -144,9 +155,11 @@ public class RangerSSOAuthenticationFilter implements Filter { if (userName != null && !userName.trim().isEmpty()) { final List<GrantedAuthority> grantedAuths = new ArrayList<>(); grantedAuths.add(new SimpleGrantedAuthority(rangerLdapDefaultRole)); + grantedAuths.add(new SimpleGrantedAuthority("ROLE_SYS_ADMIN")); + grantedAuths.add(new SimpleGrantedAuthority("ROLE_KEY_ADMIN")); final UserDetails principal = new User(userName, "",grantedAuths); final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, "", grantedAuths); - WebAuthenticationDetails webDetails = new WebAuthenticationDetails(httpServletRequest); + WebAuthenticationDetails webDetails = new WebAuthenticationDetails(httpRequest); ((AbstractAuthenticationToken) finalAuthentication).setDetails(webDetails); RangerAuthenticationProvider authenticationProvider = new RangerAuthenticationProvider(); authenticationProvider.setSsoEnabled(ssoEnabled); 
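Review bot: The `ssoEnabled = false;` written inside the new expired-session block is dead, because the unchanged statement a few lines later (`ssoEnabled = session != null ? session.isSSOEnabled() : PropertiesUtil.getBooleanProperty(...)`) overwrites it before any read; the local-login outcome is actually carried only by the `"locallogin"` attribute set on the freshly created session, which the later `getAttribute("locallogin") != null` check picks up. `ssoEnabled` also appears to be an instance field (it is not declared in the hunk), and a Filter is one shared instance, so assigning it per request lets concurrent requests observe each other's value; one user's local-login decision can briefly flip the SSO check for another user's request. Declare it as a local, `boolean ssoEnabled = session != null ? session.isSSOEnabled() : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false);`, drop the dead assignment, and keep passing it down via `authenticationProvider.setSsoEnabled(ssoEnabled)`. The lookup on the client-supplied requested session id is also performed twice; read it once into a local and compare with `"locallogin".equals(marker)`. doFilter continues in the following hunks, outside this one.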
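Review bot: The two added lines grant `ROLE_SYS_ADMIN` and `ROLE_KEY_ADMIN` to every principal that arrives with a valid Knox SSO token, alongside `rangerLdapDefaultRole`, before anything visible here has consulted the user's stored Ranger role. Unless `RangerAuthenticationProvider` (not in the hunk) replaces these authorities from the user record before the token becomes the security context, any SSO-authenticated user is authorised as both a system and a key administrator at the Spring Security layer. If the intent is only to let the provider resolve the role, the hard-coded admin authorities should not be placed in the token handed to it; resolve the user's role first and add only the authorities that match it. At minimum a comment on these lines naming the component expected to narrow the authorities would make the assumption explicit and reviewable. The enclosing doFilter method starts and ends outside the hunk.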
@@ -158,7 +171,7 @@ public class RangerSSOAuthenticationFilter implements Filter { } // if the token is not valid then redirect to knox sso else { - String ssourl = constructLoginURL(httpServletRequest); + String ssourl = constructLoginURL(httpRequest); if(LOG.isDebugEnabled()) LOG.debug("SSO URL = " + ssourl); httpServletResponse.sendRedirect(ssourl); @@ -169,7 +182,7 @@ public class RangerSSOAuthenticationFilter implements Filter { } // if the jwt token is not available then redirect it to knox sso else { - String ssourl = constructLoginURL(httpServletRequest); + String ssourl = constructLoginURL(httpRequest); if(LOG.isDebugEnabled()) LOG.debug("SSO URL = " + ssourl); httpServletResponse.sendRedirect(ssourl); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/10d755ac/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js b/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js index 0bb9648..c6301c3 100644 --- a/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js +++ b/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js @@ -49,10 +49,10 @@ define(function(require){ events: function() { var events = {}; //events['change ' + this.ui.input] = 'onInputChange'; - events['click ' + this.ui.logout] = 'onLogout'; + events['click ' + this.ui.logout] = 'checkKnoxSSO'; return events; }, - onLogout : function(){ + onLogout : function(checksso){ var url = 'security-admin-web/logout.html', that = this; $.ajax({ 
@@ -62,8 +62,15 @@ define(function(require){ "cache-control" : "no-cache" }, success : function() { - that.checkKnoxSSO() -// window.location.replace('login.jsp'); + if(!_.isUndefined(checksso) && checksso){ + if(checksso == 'false'){ + window.location.replace('locallogin'); + }else{ + window.location.replace(''); + } + } else { + window.location.replace('login.jsp'); + } }, error : function(jqXHR, textStatus, err ) { } @@ -71,7 +78,7 @@ define(function(require){ }); }, checkKnoxSSO : function(){ - var url = 'service/plugins/checksso'; + var that =this, url = 'service/plugins/checksso'; $.ajax({ url : url, type : 'GET', @@ -79,19 +86,13 @@ define(function(require){ "cache-control" : "no-cache" }, success : function(resp) { - console.log(resp) - if(!_.isUndefined(resp) && resp){ - window.location.replace(''); - } else { - window.location.replace('login.jsp'); - } + that.onLogout(resp); }, error : function(jqXHR, textStatus, err ) { if( jqXHR.status == 419 ){ window.location.replace('login.jsp'); } } - }); }, /**
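Review bot: In the new success handler, the branch `if(checksso == 'false')` is only reachable when the checksso response is the non-empty string `'false'`, because the outer `!_.isUndefined(checksso) && checksso` test already rejects a boolean `false`; a boolean `false` therefore lands on `login.jsp` while the string `'false'` lands on `locallogin`, so the post-logout redirect depends on how the server serialises the response body. Normalise the value once at the top of the handler, for example `var sso = String(checksso);`, then branch on `sso === 'true'` for `window.location.replace('')`, `sso === 'false'` for `locallogin`, and everything else (including undefined) for `login.jsp`, so both representations behave the same. onLogout's surrounding ajax call starts outside the hunk.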
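Review bot: With the logout click now routed through checkKnoxSSO (rebound in the @@ -49 hunk), the `error` branch of the checksso request acts only on HTTP 419; any other failure (network error, 500, 401) returns silently, `that.onLogout(resp)` is never reached, and the server-side session stays alive although the user clicked logout. The error handler should fail closed by still performing the logout for non-419 statuses, e.g. `} else { that.onLogout(); }` after the 419 check, so an unavailable checksso endpoint cannot turn logout into a no-op. The enclosing define callback continues outside the hunk.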
