[ 
https://issues.apache.org/jira/browse/KNOX-2806?focusedWorklogId=811294&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-811294
 ]

ASF GitHub Bot logged work on KNOX-2806:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 22/Sep/22 15:54
            Start Date: 22/Sep/22 15:54
    Worklog Time Spent: 10m 
      Work Description: smolnar82 commented on code in PR #634:
URL: https://github.com/apache/knox/pull/634#discussion_r977826461


##########
gateway-provider-security-dos/pom.xml:
##########
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0";
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 
http://maven.apache.org/xsd/maven-4.0.0.xsd";>
+    <modelVersion>4.0.0</modelVersion>
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.knox</groupId>
+            <artifactId>gateway-spi</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.eclipse.jetty</groupId>
+            <artifactId>jetty-servlets</artifactId>
+        </dependency>
+    </dependencies>
+    <parent>
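
Review bot: both `<dependency>` entries omit `<version>`, so this module builds only if `gateway-spi` and `jetty-servlets` are version-managed by the parent pom. Confirm that `jetty-servlets` has a managed entry pinned to the same Jetty version as the rest of the gateway, so that the DoSFilter class that gets deployed matches the Jetty runtime it runs in.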

Review Comment:
   Parent should be the first element which should be followed by the new 
module's artifact ID. After these elements, we should list the dependencies.



##########
gateway-provider-security-dos/src/main/java/org/apache/knox/gateway/deploy/impl/DosFilterDeploymentContributor.java:
##########
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.deploy.impl;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.knox.gateway.deploy.DeploymentContext;
+import org.apache.knox.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.knox.gateway.descriptor.FilterParamDescriptor;
+import org.apache.knox.gateway.descriptor.ResourceDescriptor;
+import org.apache.knox.gateway.topology.Provider;
+import org.apache.knox.gateway.topology.Service;
+
+public class DosFilterDeploymentContributor extends 
ProviderDeploymentContributorBase {
+  private static final String JETTY_DOS_FILTER_CLASSNAME = 
"org.eclipse.jetty.servlets.DoSFilter";
+
+  @Override
+  public String getRole() {
+    return "dos";
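
Review bot: `JETTY_DOS_FILTER_CLASSNAME` spells the filter class as a string literal, so a typo or a Jetty package change would only surface when a topology is deployed. Since this module's pom already depends on `jetty-servlets`, consider `DoSFilter.class.getName()` so that the reference is checked at compile time.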

Review Comment:
   Make this one a constant.



##########
pom.xml:
##########
@@ -148,6 +148,7 @@
         <module>knox-homepage-ui</module>
         <module>gateway-openapi-ui</module>
         <module>knox-token-management-ui</module>
+        <module>gateway-provider-security-dos</module>
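
Review bot: the added `<module>` line only puts `gateway-provider-security-dos` into the reactor build; nothing in this hunk adds the artifact to dependency management or to the gateway's runtime classpath. Please check that the PR does both elsewhere, otherwise a topology that declares the `dos` provider would have no contributor available to handle it.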

Review Comment:
   Please put it under the already existing `gateway-provider-security-XXX` 
modules.



##########
gateway-provider-security-dos/src/main/java/org/apache/knox/gateway/deploy/impl/DosFilterDeploymentContributor.java:
##########
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.deploy.impl;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.knox.gateway.deploy.DeploymentContext;
+import org.apache.knox.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.knox.gateway.descriptor.FilterParamDescriptor;
+import org.apache.knox.gateway.descriptor.ResourceDescriptor;
+import org.apache.knox.gateway.topology.Provider;
+import org.apache.knox.gateway.topology.Service;
+
+public class DosFilterDeploymentContributor extends 
ProviderDeploymentContributorBase {
+  private static final String JETTY_DOS_FILTER_CLASSNAME = 
"org.eclipse.jetty.servlets.DoSFilter";
+
+  @Override
+  public String getRole() {
+    return "dos";
+  }
+
+  @Override
+  public String getName() {
+    return "JettyDoS";
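
Review bot: the strings returned by `getRole()` and `getName()` are what a topology author types to enable the filter, so a later edit to either one could leave existing topologies without DoS protection and with no build failure to flag it. A small unit test asserting `dos` and `JettyDoS` would pin that contract alongside the constants.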

Review Comment:
   Make this one a constant.





Issue Time Tracking
-------------------

    Worklog Id:     (was: 811294)
    Time Spent: 0.5h  (was: 20m)

> Implement a new DoS security provider
> -------------------------------------
>
>                 Key: KNOX-2806
>                 URL: https://issues.apache.org/jira/browse/KNOX-2806
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 2.0.0
>            Reporter: Sandor Molnar
>            Assignee: Balazs Marton
>            Priority: Major
>             Fix For: 2.0.0
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> There is a need to implement a mechanism that prevents Knox from being 
> attacked using DoS (Denial of Service).
> One elegant way is to reuse Jetty's own DoS filter in a way such that it can 
> be configured as a new security provider:
>  * Maven project name: {{gateway-provider-security-dos}}
>  * Provider role: {{dos}}
>  * Provider name: {{JettyDoS}}
> In case someone wants to use this new feature, the new provider declaration 
> has to be added to the top of the providers (it must be documented). When 
> this provider is present in the topology, Jetty's DosFilter has to be 
> contributed to the filter chain. That is, a new 
> {{ProviderDeploymentContributor}} should be implemented that inserts the 
> {{org.eclipse.jetty.servlets.DoSFilter}} into each resource that is available 
> in the topology.
> References:
>  * [https://www.eclipse.org/jetty/documentation/jetty-9/index.html#dos-filter]
>  * 
> [https://archive.eclipse.org/jetty/9.0.0.RC0/apidocs/org/eclipse/jetty/servlets/DoSFilter.html]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
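
A topology fragment for the provider described in the issue above, as an added example that is not part of the original message or of the Knox project's files. It assumes the provider forwards its `<param>` entries to Jetty's DoSFilter as init parameters; the parameter names are DoSFilter's documented ones, the values are constructed, and the second provider is only there to show ordering.

```xml
<topology>
  <gateway>
    <!-- Declared first, as the issue requires, so that requests are
         rate limited before the more expensive providers run. -->
    <provider>
      <role>dos</role>
      <name>JettyDoS</name>
      <enabled>true</enabled>
      <!-- Requests per second allowed per tracked client before
           the filter starts delaying or throttling the excess. -->
      <param>
        <name>maxRequestsPerSec</name>
        <value>25</value>
      </param>
      <!-- Delay applied to over-limit requests, in milliseconds.
           A value of -1 rejects them instead of delaying. -->
      <param>
        <name>delayMs</name>
        <value>100</value>
      </param>
      <!-- Number of over-limit requests processed at the same time. -->
      <param>
        <name>throttledRequests</name>
        <value>5</value>
      </param>
      <!-- Do not advertise the filter's decisions in response headers. -->
      <param>
        <name>insertHeaders</name>
        <value>false</value>
      </param>
      <!-- Addresses exempt from rate limiting (constructed value).
           Keep this list short: every entry bypasses the filter. -->
      <param>
        <name>ipWhitelist</name>
        <value>192.0.2.10</value>
      </param>
    </provider>
    <!-- Any other provider follows the dos provider. -->
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
</topology>
```

When the gateway sits behind a load balancer, clients tracked by remote address may all share the balancer's address and therefore one request budget, so size `maxRequestsPerSec` with that in mind.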
