[ https://issues.apache.org/jira/browse/KNOX-2804?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17602256#comment-17602256 ]

Sandor Molnar commented on KNOX-2804:
-------------------------------------

The following JSON was used to reproduce this issue:
{noformat}
{
  "providers" : [ {
    "role" : "webappsec",
    "name" : "WebAppSec",
    "enabled" : true,
    "params" : {
      "xframe.options.enabled" : "true"
    }
  }, {
    "role" : "authentication",
    "name" : "ShiroProvider",
    "enabled" : true,
    "params" : {
      "main.ldapContextFactory" : "org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory",
      "main.ldapRealm" : "org.apache.knox.gateway.shirorealm.KnoxLdapRealm",
      "main.ldapRealm.authenticationCachingEnabled" : "false",
      "main.ldapRealm.contextFactory" : "$ldapContextFactory",
      "main.ldapRealm.contextFactory.authenticationMechanism" : "simple",
      "main.ldapRealm.contextFactory.url" : "ldap://localhost:33389",
      "main.ldapRealm.userDnTemplate" : "uid=0ou=people,dc=hadoop,dc=apache,dc=org",
      "main.ldapRealm.userSearchFilter" : "(&(&(objectclass=person)(sAMAccountName={0}))(|(memberOf=CN=SecXX-users,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)(memberOf=CN=SecXX-rls-serviceuser,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)))",
      "redirectToUrl" : "/${GATEWAY_PATH}/knoxsso/knoxauth/login.html",
      "restrictedCookies" : "rememberme,WWW-Authenticate",
      "sessionTimeout" : "30",
      "urls./**" : "authcBasic"
    }
  }, {
    "role" : "identity-assertion",
    "name" : "Default",
    "enabled" : true,
    "params" : { }
  } ],
  "readOnly" : true
}
{noformat}
I saved this as a shared provider config and created a descriptor that 
referenced that provider. I experienced the same issue.

> HadoopXmlResource parser should handle unescaped XML entries
> ------------------------------------------------------------
>
>                 Key: KNOX-2804
>                 URL: https://issues.apache.org/jira/browse/KNOX-2804
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 1.6.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 2.0.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Based on end-user feedback: they specified the following LDAP realm property
> {noformat}
> authentication.param.main.ldapRealm.userSearchFilter=(&(&(objectclass=person)(sAMAccountName={0}))(|(memberOf=CN=SecXX-ali-bda-users,OU=ManagedGroups,OU=Groups,OU=XX,OU=dm,DC=dm,DC=int)(memberOf=CN=SecXX-ali-bda-rls-serviceuser,OU=ManagedGroups,OU=Groups,OU=XX,OU=dm,DC=dm,DC=int)))
>  {noformat}
> in their application and this resulted in an error in Knox:
> {noformat}
> 2022-09-09 11:27:53,199  ERROR digester3.Digester (Digester.java:parse(1652)) - An error occurred while parsing XML from '(already loaded from stream)', see nested exceptions
> org.xml.sax.SAXParseException: The entity name must immediately follow the '&' in the entity reference.
>       at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1239) ~[?:1.8.0_282]
>       at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643) ~[?:1.8.0_282]
>       at org.apache.commons.digester3.Digester.parse(Digester.java:1642) [commons-digester3-3.2.jar:3.2]
>       at org.apache.commons.digester3.Digester.parse(Digester.java:1701) [commons-digester3-3.2.jar:3.2]
>       at org.apache.knox.gateway.util.TopologyUtils.parse(TopologyUtils.java:50) [gateway-server-2.0.0-SNAPSHOT.jar:2.0.0-SNAPSHOT]
>       at org.apache.knox.gateway.services.topology.impl.DefaultTopologyService.parse(DefaultTopologyService.java:154) [gateway-server-2.0.0-SNAPSHOT.jar:2.0.0-SNAPSHOT]
>       at org.apache.knox.gateway.topology.simple.SimpleDescriptorHandler.shouldPersistGeneratedTopology(SimpleDescriptorHandler.java:669) [gateway-topology-simple-2.0.0-SNAPSHOT.jar:2.0.0-SNAPSHOT]
>       at org.apache.knox.gateway.topology.simple.SimpleDescriptorHandler.generateTopology(SimpleDescriptorHandler.java:614) [gateway-topology-simple-2.0.0-SNAPSHOT.jar:2.0.0-SNAPSHOT]
>       at org.apache.knox.gateway.topology.simple.SimpleDescriptorHandler.handle(SimpleDescriptorHandler.java:193) [gateway-topology-simple-2.0.0-SNAPSHOT.jar:2.0.0-SNAPSHOT]
>       at org.apache.knox.gateway.topology.simple.SimpleDescriptorHandler.handle(SimpleDescriptorHandler.java:96) [gateway-topology-simple-2.0.0-SNAPSHOT.jar:2.0.0-SNAPSHOT]
>       at org.apache.knox.gateway.services.topology.monitor.DescriptorsMonitor.onFileChange(DescriptorsMonitor.java:97) [gateway-server-2.0.0-SNAPSHOT.jar:2.0.0-SNAPSHOT]
>       at org.apache.knox.gateway.services.topology.impl.DefaultTopologyService.triggerDescriptorDiscovery(DefaultTopologyService.java:566) [gateway-server-2.0.0-SNAPSHOT.jar:2.0.0-SNAPSHOT]
>       at org.apache.knox.gateway.services.topology.impl.DefaultTopologyService.startMonitor(DefaultTopologyService.java:561) [gateway-server-2.0.0-SNAPSHOT.jar:2.0.0-SNAPSHOT]
>       at org.apache.knox.gateway.GatewayServer.start(GatewayServer.java:698) [gateway-server-2.0.0-SNAPSHOT.jar:2.0.0-SNAPSHOT]
>       at org.apache.knox.gateway.GatewayServer.startGateway(GatewayServer.java:360) [gateway-server-2.0.0-SNAPSHOT.jar:2.0.0-SNAPSHOT]
>       at org.apache.knox.gateway.GatewayServer.main(GatewayServer.java:176) [gateway-server-2.0.0-SNAPSHOT.jar:2.0.0-SNAPSHOT]
>       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_282]
>       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_282]
>       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_282]
>       at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_282]
>       at org.apache.knox.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:68) [gateway.jar:?]
>       at org.apache.knox.gateway.launcher.Invoker.invoke(Invoker.java:39) [gateway.jar:?]
>       at org.apache.knox.gateway.launcher.Command.run(Command.java:99) [gateway.jar:?]
>       at org.apache.knox.gateway.launcher.Launcher.run(Launcher.java:75) [gateway.jar:?]
>       at org.apache.knox.gateway.launcher.Launcher.main(Launcher.java:52) [gateway.jar:?]
> 2022-09-09 11:27:53,199  ERROR topology.simple (SimpleDescriptorHandler.java:shouldPersistGeneratedTopology(674)) - Error comparing the generated XXX topology with the existing version: org.xml.sax.SAXParseException; lineNumber: 31; columnNumber: 26; The entity name must immediately follow the '&' in the entity reference.
> {noformat}



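The parse failure reported above and the escaping that avoids it, as an added example that is not part of the original message and not Knox's own code. The class and method names are hypothetical, the `<param>/<name>/<value>` layout is an assumed minimal stand-in for the generated topology XML, and the JDK's built-in parser is used in place of Digester.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Added illustration; class and method names are hypothetical, not Knox code.
public class LdapFilterXmlDemo {

  // LDAP search filter from the provider config above; '&' is the LDAP AND operator.
  static final String FILTER =
      "(&(&(objectclass=person)(sAMAccountName={0}))"
      + "(|(memberOf=CN=SecXX-users,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)"
      + "(memberOf=CN=SecXX-rls-serviceuser,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)))";

  // Escape '&', '<' and '>' for use as XML element content.
  // '&' must be replaced first so the entities added afterwards are not re-escaped.
  static String escapeXml(String s) {
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
  }

  // Wrap the given text in a name/value element pair (assumed layout).
  static String paramXml(String valueText) {
    return "<param><name>main.ldapRealm.userSearchFilter</name><value>"
        + valueText + "</value></param>";
  }

  // Parse the XML and return the text of <value>; malformed input throws SAXParseException.
  static String readValue(String xml) throws Exception {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    Document d = f.newDocumentBuilder()
        .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    return d.getElementsByTagName("value").item(0).getTextContent();
  }

  public static void main(String[] args) throws Exception {
    try {
      readValue(paramXml(FILTER)); // raw '&' written into element content
      System.out.println("raw filter: parsed");
    } catch (SAXParseException e) {
      System.out.println("raw filter: rejected: " + e.getMessage());
    }
    String roundTrip = readValue(paramXml(escapeXml(FILTER)));
    System.out.println("escaped filter round-trips: " + FILTER.equals(roundTrip));
  }
}
```

The parser decodes `&amp;` back to `&`, so the value read from the XML is the same filter string that was supplied in the JSON provider config.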