[jira] [Resolved] (KNOX-1779) Add HTTP X-XSS-Protection response header support for WebAppSec Provider

2019-02-20 Thread Krishna Pandey (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Krishna Pandey resolved KNOX-1779.
--
Resolution: Implemented

> Add HTTP X-XSS-Protection response header support for WebAppSec Provider
> 
>
> Key: KNOX-1779
> URL: https://issues.apache.org/jira/browse/KNOX-1779
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.2.0
>    Reporter: Krishna Pandey
>    Assignee: Krishna Pandey
>Priority: Critical
>  Labels: security
> Fix For: 1.3.0
>
> Attachments: Screenshot 2019-02-20 at 4.24.18 PM.png
>
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> Support to add X-XSS-Protection HTTP response header in Knox's WebAppSec 
> Provider enabling modern web browsers to detect and thwart Cross-site 
> Scripting (XSS) attacks.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Comment Edited] (KNOX-1779) Add HTTP X-XSS-Protection response header support for WebAppSec Provider

2019-02-20 Thread Krishna Pandey (JIRA)


[ 
https://issues.apache.org/jira/browse/KNOX-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772898#comment-16772898
 ] 

Krishna Pandey edited comment on KNOX-1779 at 2/20/19 11:02 AM:


[~krisden] As I started working on this issue, I realized that this header 
already exists in functionality but is missing in documentation.

We can enable this by adding the below in the WebAppSec provider.
{code:xml}
<param>
    <name>xss.protection.enabled</name>
    <value>true</value>
</param>
{code}
 

See sample HTTP Response below with X-XSS-Protection Response Header set.

!Screenshot 2019-02-20 at 4.24.18 PM.png|height=80%,width=80%!


was (Author: kpandey):
[~krisden] As I started working on this issue, I realized that this header 
already exists in functionality but is missing in documentation.

We can enable this by adding the below in the WebAppSec provider.
{code:xml}
<param>
    <name>xss.protection.enabled</name>
    <value>true</value>
</param>
{code}
 

See sample HTTP Response below with X-XSS-Protection Response Header set.

!Screenshot 2019-02-20 at 4.24.18 PM.png!



[jira] [Commented] (KNOX-1779) Add HTTP X-XSS-Protection response header support for WebAppSec Provider

2019-02-20 Thread Krishna Pandey (JIRA)


[ 
https://issues.apache.org/jira/browse/KNOX-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772898#comment-16772898
 ] 

Krishna Pandey commented on KNOX-1779:
--

[~krisden] As I started working on this issue, I realized that this header 
already exists in functionality but is missing in documentation.

We can enable this by adding the below in the WebAppSec provider.
{code:xml}
<param>
    <name>xss.protection.enabled</name>
    <value>true</value>
</param>
{code}
 

See sample HTTP Response below with X-XSS-Protection Response Header set.

!Screenshot 2019-02-20 at 4.24.18 PM.png!



[jira] [Updated] (KNOX-1779) Add HTTP X-XSS-Protection response header support for WebAppSec Provider

2019-02-20 Thread Krishna Pandey (JIRA)


 [ 
https://issues.apache.org/jira/browse/KNOX-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Krishna Pandey updated KNOX-1779:
-
Attachment: Screenshot 2019-02-20 at 4.24.18 PM.png



[jira] [Commented] (KNOX-1779) Add HTTP X-XSS-Protection response header support for WebAppSec Provider

2019-02-19 Thread Krishna Pandey (JIRA)


[ 
https://issues.apache.org/jira/browse/KNOX-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772542#comment-16772542
 ] 

Krishna Pandey commented on KNOX-1779:
--

[~krisden] I intend to provide a patch shortly.

> Add HTTP X-XSS-Protection response header support for WebAppSec Provider
> 
>
> Key: KNOX-1779
> URL: https://issues.apache.org/jira/browse/KNOX-1779
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.2.0
>    Reporter: Krishna Pandey
>    Assignee: Krishna Pandey
>Priority: Critical
>  Labels: security
> Fix For: 1.3.0
>
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> Support to add X-XSS-Protection HTTP response header in Knox's WebAppSec 
> Provider enabling modern web browsers to detect and thwart Cross-site 
> Scripting (XSS) attacks.





[jira] [Created] (KNOX-1779) Add HTTP X-XSS-Protection response header support for WebAppSec Provider

2019-02-18 Thread Krishna Pandey (JIRA)
Krishna Pandey created KNOX-1779:


 Summary: Add HTTP X-XSS-Protection response header support for 
WebAppSec Provider
 Key: KNOX-1779
 URL: https://issues.apache.org/jira/browse/KNOX-1779
 Project: Apache Knox
  Issue Type: Improvement
  Components: Server
Affects Versions: 1.2.0
Reporter: Krishna Pandey
Assignee: Krishna Pandey
 Fix For: 1.3.0


Support to add X-XSS-Protection HTTP response header in Knox's WebAppSec 
Provider enabling modern web browsers to detect and thwart Cross-site Scripting 
(XSS) attacks.





Re: [ANNOUNCE] New committer and PMC member: Kevin Risden

2018-04-04 Thread Krishna Pandey
Congrats, Kevin!

On Tue, Apr 3, 2018 at 8:40 PM, Phil Zampino  wrote:

> Congrats!
>
> On Tue, Apr 3, 2018 at 10:39 AM, larry mccay  wrote:
>
> > The Project Management Committee (PMC) for Apache Knox
> > has invited Kevin Risden to become a committer and PMC member and
> > we are pleased to announce that he has accepted.
> >
> > Kevin has been a contributor to Apache Knox with LDAP and Solr related
> > contributions for a number of years. He has also provided tremendous
> > assistance
> > to others within the community on the dev@ and user@ lists.
> >
> > I am excited to have him on board as a committer and PMC member and look
> > forward to his continued contributions to the project and its direction.
> >
> > Being a committer enables easier contribution to the
> > project since there is no need to go via the patch
> > submission process. This should enable better productivity.
> > Being a PMC member enables assistance with the management
> > and to guide the direction of the project.
> >
>


[jira] [Commented] (KNOX-1028) X-Frame-Options and other security headers are ineffective

2017-09-07 Thread Krishna Pandey (JIRA)

[ 
https://issues.apache.org/jira/browse/KNOX-1028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16157883#comment-16157883
 ] 

Krishna Pandey commented on KNOX-1028:
--

Thanks [~lmc...@apache.org]. I tested this locally as suggested above and it 
works like a charm. I am able to see the security headers in force. Indeed this 
is a minor error in the documentation, nothing much.

> X-Frame-Options and other security headers are ineffective
> --
>
> Key: KNOX-1028
> URL: https://issues.apache.org/jira/browse/KNOX-1028
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Site
>Affects Versions: 0.13.0, 0.14.0
>    Reporter: Krishna Pandey
>Priority: Critical
> Fix For: 0.14.0
>
> Attachments: csrf enforcement.png, Screen Shot 2017-09-07 at 10.31.20 
> PM.png, with xframe.options.enabled.png
>
>
> When the xframe-options.enabled param is set to true in the WebAppSec provider, the 
> same is not reflected in the HTTP response header. See the attached screenshot here.
>  !Screen Shot 2017-09-07 at 10.31.20 PM.png|width=70%!. 
> Also, the X-XSRF-Header param is not effective and curl calls without 
> X-XSRF-Header are also passing through, e.g.
>  
> {code:java}
> $ curl -iku admin:admin-password 
> https://localhost:8443/gateway/admin/api/v1/version
> HTTP/1.1 200 OK
> Date: Thu, 07 Sep 2017 16:57:27 GMT
> Set-Cookie: 
> JSESSIONID=169y7xds1o2ga3mvrbtly6t77;Path=/gateway/admin;Secure;HttpOnly
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Set-Cookie: rememberMe=deleteMe; Path=/gateway/admin; Max-Age=0; Expires=Wed, 
> 06-Sep-2017 16:57:27 GMT
> Content-Type: application/xml
> Content-Length: 167
> Server: Jetty(9.2.15.v20160210)
> 
> 
>0.14.0-SNAPSHOT
>6657f2fd9f52c8303fc9a2d1d72eef38be719288
> 
> {code}
> Related topology config
> {noformat}
> <provider>
>     <role>webappsec</role>
>     <name>WebAppSec</name>
>     <enabled>true</enabled>
>     <param>
>         <name>csrf.enabled</name>
>         <value>true</value>
>     </param>
>     <param>
>         <name>csrf.customHeader</name>
>         <value>X-XSRF-Header</value>
>     </param>
>     <param>
>         <name>csrf.methodsToIgnore</name>
>         <value>GET,OPTIONS,HEAD</value>
>     </param>
>     <param>
>         <name>cors.enabled</name>
>         <value>true</value>
>     </param>
>     <param>
>         <name>xframe-options.enabled</name>
>         <value>true</value>
>     </param>
> </provider>
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Created] (KNOX-1028) X-Frame-Options and other security headers are ineffective

2017-09-07 Thread Krishna Pandey (JIRA)
Krishna Pandey created KNOX-1028:


 Summary: X-Frame-Options and other security headers are ineffective
 Key: KNOX-1028
 URL: https://issues.apache.org/jira/browse/KNOX-1028
 Project: Apache Knox
  Issue Type: Bug
  Components: Server
Affects Versions: 0.13.0, 0.14.0
Reporter: Krishna Pandey
Priority: Critical
 Attachments: Screen Shot 2017-09-07 at 10.31.20 PM.png

When the xframe-options.enabled param is set to true in the WebAppSec provider, the 
same is not reflected in the HTTP response header. See the attached screenshot here 
!Screen Shot 2017-09-07 at 10.31.20 PM.png|thumbnail! . Also, the X-XSRF-Header 
param is not effective and curl calls without X-XSRF-Header are also passing 
through, e.g.
 
{code:java}
$ curl -iku admin:admin-password 
https://localhost:8443/gateway/admin/api/v1/version
HTTP/1.1 200 OK
Date: Thu, 07 Sep 2017 16:57:27 GMT
Set-Cookie: 
JSESSIONID=169y7xds1o2ga3mvrbtly6t77;Path=/gateway/admin;Secure;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rememberMe=deleteMe; Path=/gateway/admin; Max-Age=0; Expires=Wed, 
06-Sep-2017 16:57:27 GMT
Content-Type: application/xml
Content-Length: 167
Server: Jetty(9.2.15.v20160210)



   0.14.0-SNAPSHOT
   6657f2fd9f52c8303fc9a2d1d72eef38be719288


{code}

Related topology config

{noformat}
<provider>
    <role>webappsec</role>
    <name>WebAppSec</name>
    <enabled>true</enabled>
    <param>
        <name>csrf.enabled</name>
        <value>true</value>
    </param>
    <param>
        <name>csrf.customHeader</name>
        <value>X-XSRF-Header</value>
    </param>
    <param>
        <name>csrf.methodsToIgnore</name>
        <value>GET,OPTIONS,HEAD</value>
    </param>
    <param>
        <name>cors.enabled</name>
        <value>true</value>
    </param>
    <param>
        <name>xframe-options.enabled</name>
        <value>true</value>
    </param>
</provider>
{noformat}








[jira] [Updated] (KNOX-1017) Add support for enabling "Strict-Transport-Security" header in Knox responses

2017-09-01 Thread Krishna Pandey (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-1017?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Krishna Pandey updated KNOX-1017:
-
Component/s: Server

>  Add support for enabling "Strict-Transport-Security" header in Knox 
> responses 
> ---
>
> Key: KNOX-1017
> URL: https://issues.apache.org/jira/browse/KNOX-1017
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Reporter: Latha  Appanna
>  Labels: headers
> Fix For: 0.14.0
>
>
> The HTTP Strict-Transport-Security response header is a security feature that 
> lets a web site tell browsers that it should only be communicated with using 
> HTTPS, instead of using HTTP. Possible values are:
>  
> *  max-age=
> *  max-age=; includeSubDomains
> *  max-age=; preload





[jira] [Updated] (KNOX-1017) Add support for enabling "Strict-Transport-Security" header in Knox responses

2017-09-01 Thread Krishna Pandey (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-1017?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Krishna Pandey updated KNOX-1017:
-
Description: 
The HTTP Strict-Transport-Security response header is a security feature that 
lets a web site tell browsers that it should only be communicated with using 
HTTPS, instead of using HTTP. Possible values are:
 
*  max-age=
*  max-age=; includeSubDomains
*  max-age=; preload

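The KNOX-1779, KNOX-1028 and KNOX-1017 threads above all concern headers the WebAppSec provider is expected to emit: X-XSS-Protection, X-Frame-Options and Strict-Transport-Security. What follows is an added example, not Knox code and not anything from these issues: a Python audit that parses a raw `curl -i`-style response head (the same shape as the output quoted in KNOX-1028) and reports which of those headers are missing or weak. The two sample responses are constructed, the one-year HSTS `max-age` floor is my assumption (it is the value the browser preload list requires), and the Server-header check is an extra I added because the quoted output reveals the Jetty version.

```python
"""Audit security-relevant response headers on a raw HTTP response head.

Added example, not Knox project code. Sample responses are constructed.
"""
from __future__ import annotations

# Constructed sample modelled on the curl output quoted in KNOX-1028:
# no WebAppSec headers and a version-revealing Server header.
RESPONSE_UNPROTECTED = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Date: Thu, 07 Sep 2017 16:57:27 GMT",
    "Set-Cookie: JSESSIONID=constructed-session-id;Path=/gateway/admin;Secure;HttpOnly",
    "Content-Type: application/xml",
    "Content-Length: 0",
    "Server: Jetty(9.2.15.v20160210)",
    "",
    "",
])

# Constructed sample of what a hardened gateway response should carry.
RESPONSE_HARDENED = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Date: Thu, 07 Sep 2017 16:57:27 GMT",
    "X-XSS-Protection: 1; mode=block",
    "X-Frame-Options: DENY",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "Content-Type: application/xml",
    "Content-Length: 0",
    "",
    "",
])

# Assumed floor: one year, the max-age the HSTS preload list requires.
MIN_HSTS_MAX_AGE = 31536000


def parse_response_head(raw: str) -> tuple[int, dict[str, list[str]]]:
    """Return (status code, headers). Names are lower-cased; a header that
    appears more than once (Set-Cookie, Expires) keeps every value."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def parse_hsts(value: str) -> dict:
    """Split an HSTS value into its directives (RFC 6797: max-age is required,
    includeSubDomains is a flag; preload is the non-standard preload-list flag)."""
    directives: dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    max_age = directives.get("max-age")
    return {
        "max_age": int(max_age) if max_age is not None and max_age.isdigit() else None,
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def audit_headers(headers: dict[str, list[str]], min_hsts_age: int = MIN_HSTS_MAX_AGE) -> list[str]:
    """Return one finding per weakness; an empty list means every check passed."""
    findings: list[str] = []
    if "x-xss-protection" not in headers:
        findings.append("X-XSS-Protection: missing (xss.protection.enabled not in effect)")
    xfo = headers.get("x-frame-options")
    if not xfo:
        findings.append("X-Frame-Options: missing (xframe-options.enabled not in effect)")
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: unexpected value {xfo[0]!r}")
    hsts = headers.get("strict-transport-security")
    if not hsts:
        findings.append("Strict-Transport-Security: missing")
    else:
        parsed = parse_hsts(hsts[0])
        if parsed["max_age"] is None:
            findings.append("Strict-Transport-Security: max-age directive missing or not an integer")
        elif parsed["max_age"] < min_hsts_age:
            findings.append(f"Strict-Transport-Security: max-age {parsed['max_age']} below {min_hsts_age}")
    if "server" in headers:
        findings.append(f"Server: reveals {headers['server'][0]!r}")
    return findings


def audit_raw_response(raw: str) -> list[str]:
    """Convenience wrapper: parse the head, then audit its headers."""
    _, headers = parse_response_head(raw)
    return audit_headers(headers)


if __name__ == "__main__":
    for label, raw in (("unprotected", RESPONSE_UNPROTECTED), ("hardened", RESPONSE_HARDENED)):
        print(label, audit_raw_response(raw) or ["ok"])
```

Feed it the output of `curl -ik` against the gateway to confirm that a param such as `xframe-options.enabled` is actually reflected in the response, which is exactly what KNOX-1028 found was not happening. One caveat for current deployments: the X-XSS-Protection filter has since been removed from Chromium-based browsers and was never implemented by Firefox, so a present header satisfies this check but no longer adds protection there; Content-Security-Policy is the replacement.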


[jira] [Updated] (KNOX-1017) Add support for enabling "Strict-Transport-Security" header in Knox responses

2017-09-01 Thread Krishna Pandey (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-1017?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Krishna Pandey updated KNOX-1017:
-
Summary:  Add support for enabling "Strict-Transport-Security" header in 
Knox responses   (was:  Add support for enabling "Strict-Transport-Security" 
header in knox reponses )

>  Add support for enabling "Strict-Transport-Security" header in Knox 
> responses 
> ---
>
> Key: KNOX-1017
> URL: https://issues.apache.org/jira/browse/KNOX-1017
> Project: Apache Knox
>  Issue Type: Improvement
>Reporter: Latha  Appanna
> Fix For: 0.14.0
>
>






Re: KIP-8 Service Discovery and Topology Generation

2017-08-31 Thread Krishna Pandey
>
> As a result, I'm wondering if Knox should support provider configuration
> references in topology.xml, rather than having to duplicate it across
> descriptors.


+1 to Phil's remark above. Adding to that, as Knox provides multi-cluster
support, can we have external provider config cluster-wise? Or can we
define multiple external provider configs in a single "global" provider config
file and refer to them with some key?

Also, when services are deployed in HA, we specify HaProvider and multiple
service URLs in the topology. Will it make sense to use the load balancer IP
address / external URL for those services in the topology instead of multiple
service URLs and using HaProvider?

Thanks,
Krishna Pandey

On Wed, Aug 30, 2017 at 10:05 PM, larry mccay <lmc...@apache.org> wrote:

> Terrific, Phil!
>
>
> On Wed, Aug 30, 2017 at 11:03 AM, Philip Zampino <pzamp...@gmail.com>
> wrote:
>
> > After giving this KIP some thought, I would like to work on it. I've
> added
> > more detail to the wiki, and I'll create a JIRA for it.
> >
> > On Fri, Aug 25, 2017 at 10:03 AM, larry mccay <lmc...@apache.org> wrote:
> >
> > > Wonderful details, Phil!
> > >
> > >
> > > On Fri, Aug 25, 2017 at 9:40 AM, Philip Zampino <pzamp...@gmail.com>
> > > wrote:
> > >
> > > > Thanks! I've added the Ambari API details to the wiki.
> > > >
> > > > On Fri, Aug 25, 2017 at 8:27 AM, larry mccay <lmc...@apache.org>
> > wrote:
> > > >
> > > > > HI Phil -
> > > > >
> > > > > Thank you for digging into this topic!
> > > > >
> > > > > I've added you as a contributor to the wiki and you should be able
> to
> > > > edit
> > > > > the KIP now.
> > > > >
> > > > > thanks,
> > > > >
> > > > > --larry
> > > > >
> > > > > On Thu, Aug 24, 2017 at 3:45 PM, Philip Zampino <
> pzamp...@gmail.com>
> > > > > wrote:
> > > > >
> > > > > > I've put together a quick python POC targeting Ambari as the
> > > discovery
> > > > > > source, just to prove that we can indeed get the necessary
> details
> > > via
> > > > > > Ambari's REST API.
> > > > > > It generates a proper topology.xml descriptor based on a simple
> > > > > descriptor
> > > > > > (I chose YAML for this POC), which has a reference to what I've
> > > called
> > > > a
> > > > > > policy descriptor (the  portion of the topology
> > > descriptor).
> > > > > >
> > > > > > I am currently unable to update the KIP, but I can share the REST
> > > APIs
> > > > > I've
> > > > > > employed if there is interest.
> > > > > >
> > > > > > As a result, I'm wondering if Knox should support provider
> > > > configuration
> > > > > > references in topology.xml, rather than having to duplicate it
> > across
> > > > > > descriptors.
> > > > > > So, instead of ... in each
> > > topology.xml,
> > > > > have
> > > > > > a single element that points to an external provider config
> (e.g.,
> > > > > > $GATEWAY_HOME/conf/policy/my-named-provider-
> > > > > > config.xml).
> > > > > > I've already externalized it for input to the POC, but I'm still
> > > > copying
> > > > > > the contents into the resulting topology descriptor; I think it
> > would
> > > > be
> > > > > > better to copy only the reference.
> > > > > >
> > > > > > Thoughts?
> > > > > >
> > > > > >  - Phil
> > > > > >
> > > > > >
> > > > > > On Fri, Aug 18, 2017 at 1:55 PM, larry mccay <lmc...@apache.org>
> > > > wrote:
> > > > > >
> > > > > > > Good to hear, Phil.
> > > > > > >
> > > > > > > Yes, I was looking to go back and add some of the API specifics
> > and
> > > > > > > investigation details for at least Ambari and ZK.
> > > > > > > If others make sense to add such as Consul, etcd, etc that
> would
> > be
> > > > > good
> > > > > > as
> > > > > > > well 

[jira] [Updated] (KNOX-933) PicketLink Provider must set Secure and HTTPOnly flags on Cookie

2017-05-15 Thread Krishna Pandey (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-933?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Krishna Pandey updated KNOX-933:

Attachment: KNOX-933_master_v2.patch

> PicketLink Provider must set Secure and HTTPOnly flags on Cookie
> 
>
> Key: KNOX-933
> URL: https://issues.apache.org/jira/browse/KNOX-933
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Reporter: Larry McCay
>    Assignee: Krishna Pandey
>  Labels: KIP-7
> Fix For: 0.13.0
>
> Attachments: KNOX-933_master_v1.patch, KNOX-933_master_v2.patch
>
>
> The provider creates a cookie in CaptureOriginalURLFilter.java at line 68, 
> but fails to set the HttpOnly and Secure flags to true.
> This provider is not really supported anymore and isn't even documented but 
> we should make sure that all cookies have HttpOnly and Secure flags set. We 
> should separately consider deprecating and removing this provider.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)


[jira] [Updated] (KNOX-933) PicketLink Provider must set Secure and HTTPOnly flags on Cookie

2017-05-11 Thread Krishna Pandey (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-933?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Krishna Pandey updated KNOX-933:

Attachment: KNOX-933_master_v1.patch

Attaching patch.

> PicketLink Provider must set Secure and HTTPOnly flags on Cookie
> 
>
> Key: KNOX-933
> URL: https://issues.apache.org/jira/browse/KNOX-933
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Reporter: Larry McCay
>  Labels: KIP-7
> Fix For: 0.13.0
>
> Attachments: KNOX-933_master_v1.patch
>
>
> The provider creates a cookie in CaptureOriginalURLFilter.java at line 68, 
> but fails to set the HttpOnly and Secure flags to true.
> This provider is not really supported anymore and isn't even documented but 
> we should make sure that all cookies have HttpOnly and Secure flags set. We 
> should separately consider deprecating and removing this provider.





[jira] [Assigned] (KNOX-933) PicketLink Provider must set Secure and HTTPOnly flags on Cookie

2017-05-11 Thread Krishna Pandey (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-933?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Krishna Pandey reassigned KNOX-933:
---

Assignee: Krishna Pandey

> PicketLink Provider must set Secure and HTTPOnly flags on Cookie
> 
>
> Key: KNOX-933
> URL: https://issues.apache.org/jira/browse/KNOX-933
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Reporter: Larry McCay
>    Assignee: Krishna Pandey
>  Labels: KIP-7
> Fix For: 0.13.0
>
> Attachments: KNOX-933_master_v1.patch
>
>
> The provider creates a cookie in CaptureOriginalURLFilter.java at line 68, 
> but fails to set the HttpOnly and Secure flags to true.
> This provider is not really supported anymore and isn't even documented but 
> we should make sure that all cookies have HttpOnly and Secure flags set. We 
> should separately consider deprecating and removing this provider.



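KNOX-933 above is about a filter that writes a cookie without the Secure and HttpOnly flags. As an added example, not the patch attached to the issue and not Knox code: a Python check that parses Set-Cookie values as a gateway emits them, reports which of those two flags are missing, skips deletion cookies (Max-Age=0, like the rememberMe=deleteMe line in the curl output elsewhere in this archive) since they carry nothing to protect, and appends the flags where absent, which is the string-level equivalent of calling setSecure(true) and setHttpOnly(true) on a servlet Cookie. The cookie names and values are constructed; the optional SameSite check goes beyond what the thread discusses.

```python
"""Check and repair Secure/HttpOnly on Set-Cookie header values.

Added example, not the KNOX-933 patch. Sample cookie values are constructed.
"""
from __future__ import annotations

# Constructed: a cookie written without flags, as the issue says the filter did.
COOKIE_UNFLAGGED = "original-url=/gateway/sandbox/webhdfs/v1/; Path=/gateway/sandbox"
# Constructed: a session cookie with both flags, as the curl output in this archive shows.
COOKIE_FLAGGED = "JSESSIONID=constructed-session-id;Path=/gateway/admin;Secure;HttpOnly"
# Constructed: a deletion cookie (Max-Age=0) carries no value worth protecting.
COOKIE_DELETION = "rememberMe=deleteMe; Path=/gateway/admin; Max-Age=0"


def parse_set_cookie(value: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into its parts. Attribute names are
    lower-cased; value-less attributes (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs: dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        attr, has_value, val = part.partition("=")
        attrs[attr.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": cookie_value.strip(), "attrs": attrs}


def is_deletion(cookie: dict) -> bool:
    """Max-Age=0 tells the browser to drop the cookie; flags are irrelevant then."""
    return cookie["attrs"].get("max-age") == "0"


def audit_set_cookie(value: str, served_over_https: bool = True,
                     require_samesite: bool = False) -> list[str]:
    """Return the protections missing from one Set-Cookie value.

    Secure only applies when the gateway is reached over HTTPS (a Secure cookie
    is never sent over plain HTTP). SameSite post-dates the flags this thread
    discusses, so it is opt-in here."""
    cookie = parse_set_cookie(value)
    if is_deletion(cookie):
        return []
    missing: list[str] = []
    if "httponly" not in cookie["attrs"]:
        missing.append("HttpOnly")
    if served_over_https and "secure" not in cookie["attrs"]:
        missing.append("Secure")
    if require_samesite and "samesite" not in cookie["attrs"]:
        missing.append("SameSite")
    return missing


def harden_set_cookie(value: str) -> str:
    """Append Secure and HttpOnly where absent; leaves deletion cookies alone."""
    cookie = parse_set_cookie(value)
    if is_deletion(cookie):
        return value
    to_add = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in cookie["attrs"]]
    if not to_add:
        return value
    return value.rstrip().rstrip(";") + "; " + "; ".join(to_add)


def audit_response_cookies(set_cookie_values: list[str]) -> dict[str, list[str]]:
    """Audit every Set-Cookie value of one response; the result maps each
    cookie name with at least one missing flag to the flags it lacks."""
    report: dict[str, list[str]] = {}
    for value in set_cookie_values:
        missing = audit_set_cookie(value)
        if missing:
            report[parse_set_cookie(value)["name"]] = missing
    return report


if __name__ == "__main__":
    print(audit_response_cookies([COOKIE_UNFLAGGED, COOKIE_FLAGGED, COOKIE_DELETION]))
    print(harden_set_cookie(COOKIE_UNFLAGGED))
```

Run `audit_response_cookies` over every Set-Cookie value of a response captured with `curl -ik`; it is a quick regression check that all providers, not just the one KNOX-933 fixes, set both flags.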


[jira] [Assigned] (KNOX-932) Option to remove the server-name from HTTP-header response

2017-05-03 Thread Krishna Pandey (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-932?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Krishna Pandey reassigned KNOX-932:
---

Assignee: Krishna Pandey

> Option to remove the server-name from HTTP-header response 
> ---
>
> Key: KNOX-932
> URL: https://issues.apache.org/jira/browse/KNOX-932
> Project: Apache Knox
>  Issue Type: Improvement
>Reporter: Kunal Rajguru
>        Assignee: Krishna Pandey
>  Labels: http-headers
>
> Option to remove the server name which is sent as an HTTP header in the response. 
> For example:
> curl -i -k -u : -X GET 
> 'https://localhost:8443/gateway/default/webhdfs/v1/?op=LISTSTATUS'
> HTTP/1.1 200 OK 
> Set-Cookie: 
> JSESSIONID=fs2lu9w7jcgt1tshnfs1cqf8v;Path=/gateway/default;Secure;HttpOnly 
> Expires: Thu, 01 Jan 1970 00:00:00 GMT 
> Cache-Control: no-cache 
> Expires: Wed, 15 Mar 2017 12:49:24 GMT 
> Date: Wed, 15 Mar 2017 12:49:24 GMT 
> Pragma: no-cache 
> Expires: Wed, 15 Mar 2017 12:49:24 GMT 
> Date: Wed, 15 Mar 2017 12:49:24 GMT 
> Pragma: no-cache 
> Server: Jetty(6.1.26.hwx) 
> Content-Type: application/json 
> Content-Length: 2593





[jira] [Commented] (KNOX-932) Option to remove the server-name from HTTP-header response

2017-05-03 Thread Krishna Pandey (JIRA)

[ 
https://issues.apache.org/jira/browse/KNOX-932?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15994657#comment-15994657
 ] 

Krishna Pandey commented on KNOX-932:
-

It would be nice to have this as a configurable property instead of entirely 
removing it. Removing it will cause more suspicion and encourage resorting to 
other fingerprinting techniques.

> Option to remove the server-name from HTTP-header response 
> ---
>
> Key: KNOX-932
> URL: https://issues.apache.org/jira/browse/KNOX-932
> Project: Apache Knox
>  Issue Type: Improvement
>Reporter: Kunal Rajguru
>  Labels: http-headers
>
> Option to remove the server name which is sent as an HTTP header in the response. 
> For example:
> curl -i -k -u : -X GET 
> 'https://localhost:8443/gateway/default/webhdfs/v1/?op=LISTSTATUS'
> HTTP/1.1 200 OK 
> Set-Cookie: 
> JSESSIONID=fs2lu9w7jcgt1tshnfs1cqf8v;Path=/gateway/default;Secure;HttpOnly 
> Expires: Thu, 01 Jan 1970 00:00:00 GMT 
> Cache-Control: no-cache 
> Expires: Wed, 15 Mar 2017 12:49:24 GMT 
> Date: Wed, 15 Mar 2017 12:49:24 GMT 
> Pragma: no-cache 
> Expires: Wed, 15 Mar 2017 12:49:24 GMT 
> Date: Wed, 15 Mar 2017 12:49:24 GMT 
> Pragma: no-cache 
> Server: Jetty(6.1.26.hwx) 
> Content-Type: application/json 
> Content-Length: 2593





[jira] [Updated] (KNOX-925) Configurable - Encryption Algorithm and its key size, Salt and iteration count for PBKDF

2017-04-21 Thread Krishna Pandey (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-925?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Krishna Pandey updated KNOX-925:

Priority: Minor  (was: Major)

> Configurable - Encryption Algorithm and its key size, Salt and iteration 
> count for PBKDF
> -
>
> Key: KNOX-925
> URL: https://issues.apache.org/jira/browse/KNOX-925
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 0.11.0
>    Reporter: Krishna Pandey
>Priority: Minor
>
> We can make the key length used with the RSA algorithm configurable, so 
> that users can set the value as per current cryptography guidelines.
> Also, in a password-based key derivation function, the base key is a password 
> and the other parameters are a salt value and an iteration count. An 
> iteration count has traditionally served the purpose of increasing the cost 
> of generating keys from a password. We can keep the scheme, salt and 
> iteration count configurable for users to fine-tune as per their requirements.





[jira] [Created] (KNOX-925) Configurable - Encryption Algorithm and its key size, Salt and iteration count for PBKDF

2017-04-21 Thread Krishna Pandey (JIRA)
Krishna Pandey created KNOX-925:
---

 Summary: Configurable - Encryption Algorithm and its key size, 
Salt and iteration count for PBKDF
 Key: KNOX-925
 URL: https://issues.apache.org/jira/browse/KNOX-925
 Project: Apache Knox
  Issue Type: Improvement
  Components: Server
Affects Versions: 0.11.0
Reporter: Krishna Pandey


We can make the key length used with the RSA algorithm configurable, so that 
users can set the value as per current cryptography guidelines.

Also, in a password-based key derivation function, the base key is a password 
and the other parameters are a salt value and an iteration count. An iteration 
count has traditionally served the purpose of increasing the cost of generating 
keys from a password. We can keep the scheme, salt and iteration count 
configurable for users to fine-tune as per their requirements.



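The KNOX-925 description asks for the PBKDF scheme, salt and iteration count (and the derived key length) to be configurable. The following is an added Python example, not Knox's implementation, showing one way to do that with PBKDF2-HMAC from the standard library: the parameters live in a dataclass with floors (the 16-byte salt and 1000-iteration minimums are assumptions I took from NIST SP 800-132; the default iteration count is my own choice), and they are stored next to each derived key so a deployment can raise the cost later and re-derive on the next successful verification instead of invalidating existing records. The record format `pbkdf2-<scheme>$<iterations>$<salt hex>$<key hex>` is likewise my own.

```python
"""Configurable password-based key derivation (PBKDF2-HMAC).

Added example, not Knox code. Parameter floors are assumptions taken from
NIST SP 800-132; the storage format is my own.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class KdfParams:
    scheme: str = "sha256"      # hash used inside PBKDF2-HMAC
    salt_len: int = 16          # bytes; SP 800-132 asks for at least 128 bits
    iterations: int = 600_000   # cost knob: work grows linearly with this
    key_len: int = 32           # derived key length in bytes

    def validate(self) -> None:
        if self.scheme not in hashlib.algorithms_available:
            raise ValueError(f"unknown hash scheme {self.scheme!r}")
        if self.salt_len < 16:
            raise ValueError("salt must be at least 16 bytes")
        if self.iterations < 1000:
            raise ValueError("iteration count must be at least 1000")
        if self.key_len < 16:
            raise ValueError("derived key must be at least 16 bytes")


def derive_key(password: bytes, salt: bytes, params: KdfParams) -> bytes:
    """PBKDF2-HMAC with the given parameters; refuses a salt that does not
    match the declared length so a short legacy salt cannot slip through."""
    params.validate()
    if len(salt) != params.salt_len:
        raise ValueError("salt length does not match params.salt_len")
    return hashlib.pbkdf2_hmac(params.scheme, password, salt, params.iterations, params.key_len)


def encode_password(password: bytes, params: KdfParams = KdfParams()) -> str:
    """Derive with a fresh random salt and return a self-describing record,
    'pbkdf2-<scheme>$<iterations>$<salt hex>$<key hex>', so each stored
    credential is verified with the settings it was created with."""
    params.validate()
    salt = os.urandom(params.salt_len)
    key = derive_key(password, salt, params)
    return f"pbkdf2-{params.scheme}${params.iterations}${salt.hex()}${key.hex()}"


def _split_record(encoded: str) -> tuple[str, int, bytes, bytes]:
    tag, iterations, salt_hex, key_hex = encoded.split("$")
    return tag.removeprefix("pbkdf2-"), int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(key_hex)


def verify_password(password: bytes, encoded: str) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    scheme, iterations, salt, expected = _split_record(encoded)
    params = KdfParams(scheme=scheme, salt_len=len(salt), iterations=iterations, key_len=len(expected))
    return hmac.compare_digest(derive_key(password, salt, params), expected)


def needs_rehash(encoded: str, current: KdfParams = KdfParams()) -> bool:
    """True when a stored record is weaker than the current policy, so it
    should be re-encoded after the next successful verification."""
    scheme, iterations, salt, key = _split_record(encoded)
    return (scheme != current.scheme
            or iterations < current.iterations
            or len(salt) < current.salt_len
            or len(key) < current.key_len)


if __name__ == "__main__":
    record = encode_password(b"correct horse battery staple", KdfParams(iterations=10_000))
    print(record)
    print(verify_password(b"correct horse battery staple", record), verify_password(b"wrong", record))
    print("rehash needed under default policy:", needs_rehash(record))
```

The iteration count is the only knob that directly buys attacker cost, and it should be tuned per deployment to the slowest acceptable login latency; the salt and key lengths mainly need to clear their floors.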


[jira] [Commented] (KNOX-915) Adding example PAM config for Ubuntu in Knox User Guide under PAM Based Authentication section

2017-03-30 Thread Krishna Pandey (JIRA)

[ 
https://issues.apache.org/jira/browse/KNOX-915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15948465#comment-15948465
 ] 

Krishna Pandey commented on KNOX-915:
-

I've created a new patch from location 
http://svn.apache.org/repos/asf/knox/trunk/ for all three versions of User's 
Guide - 
http://knox.apache.org/books/knox-0-10-0/user-guide.html#PAM+based+Authentication,
 
http://knox.apache.org/books/knox-0-11-0/user-guide.html#PAM+based+Authentication
 and 
http://knox.apache.org/books/knox-0-12-0/user-guide.html#PAM+based+Authentication.

> Adding example PAM config for Ubuntu in Knox User Guide under PAM Based 
> Authentication section
> --
>
> Key: KNOX-915
> URL: https://issues.apache.org/jira/browse/KNOX-915
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: KnoxCLI
>Affects Versions: 0.11.0
> Environment: Ubuntu-16.04-64bit
>Reporter: Krishna Pandey
>Priority: Minor
>  Labels: documentation
> Fix For: 0.13.0
>
> Attachments: KNOX-915_v0.12.0_v1.patch, KNOX-915_v.0.12.0_v2.patch
>
>
> Current documentation covers an example of PAM configuration on OSX. It will 
> be useful if we can add at least one linux variant example to help deploy 
> Knox in Linux environment configured for PAM based authentication.





[jira] [Comment Edited] (KNOX-915) Adding example PAM config for Ubuntu in Knox User Guide under PAM Based Authentication section

2017-03-30 Thread Krishna Pandey (JIRA)

[ 
https://issues.apache.org/jira/browse/KNOX-915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15948465#comment-15948465
 ] 

Krishna Pandey edited comment on KNOX-915 at 3/30/17 5:56 AM:
--

[~smore] I've created a new patch from location 
http://svn.apache.org/repos/asf/knox/trunk/ for all three versions of User's 
Guide - 
http://knox.apache.org/books/knox-0-10-0/user-guide.html#PAM+based+Authentication,
 
http://knox.apache.org/books/knox-0-11-0/user-guide.html#PAM+based+Authentication
 and 
http://knox.apache.org/books/knox-0-12-0/user-guide.html#PAM+based+Authentication.


was (Author: kpandey):
I've created a new patch from location 
http://svn.apache.org/repos/asf/knox/trunk/ for all three versions of User's 
Guide - 
http://knox.apache.org/books/knox-0-10-0/user-guide.html#PAM+based+Authentication,
 
http://knox.apache.org/books/knox-0-11-0/user-guide.html#PAM+based+Authentication
 and 
http://knox.apache.org/books/knox-0-12-0/user-guide.html#PAM+based+Authentication.



[jira] [Updated] (KNOX-915) Adding example PAM config for Ubuntu in Knox User Guide under PAM Based Authentication section

2017-03-29 Thread Krishna Pandey (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-915?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Krishna Pandey updated KNOX-915:

Attachment: KNOX-915_v.0.12.0_v2.patch



[jira] [Updated] (KNOX-915) Adding example PAM config for Ubuntu in Knox User Guide under PAM Based Authentication section

2017-03-28 Thread Krishna Pandey (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-915?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Krishna Pandey updated KNOX-915:

Attachment: KNOX-915_v0.12.0_v1.patch

> Adding example PAM config for Ubuntu in Knox User Guide under PAM Based 
> Authentication section
> --
>
> Key: KNOX-915
> URL: https://issues.apache.org/jira/browse/KNOX-915
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: KnoxCLI
>Affects Versions: 0.11.0
> Environment: Ubuntu-16.04-64bit
>Reporter: Krishna Pandey
>Priority: Minor
>  Labels: documentation
> Attachments: KNOX-915_v0.12.0_v1.patch
>
>
> The current documentation covers an example of PAM configuration on OS X. It 
> will be useful if we can add at least one Linux variant example to help deploy 
> Knox in a Linux environment configured for PAM-based authentication.





[jira] [Updated] (KNOX-915) Adding example PAM config for Ubuntu in Knox User Guide under PAM Based Authentication section

2017-03-28 Thread Krishna Pandey (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-915?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Krishna Pandey updated KNOX-915:

Status: Patch Available  (was: Open)

We need to have the entries below in the /etc/pam.d/login file on an Ubuntu 16.04 
system. The default entries in a freshly installed system were not working for 
me. This should also work for other versions of Ubuntu.

{noformat}
#%PAM-1.0

auth       required     pam_sepermit.so
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the
# user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke

session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
@include password-auth

{noformat}

> Adding example PAM config for Ubuntu in Knox User Guide under PAM Based 
> Authentication section
> --
>
> Key: KNOX-915
> URL: https://issues.apache.org/jira/browse/KNOX-915
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: KnoxCLI
>Affects Versions: 0.11.0
> Environment: Ubuntu-16.04-64bit
>Reporter: Krishna Pandey
>Priority: Minor
>  Labels: documentation
>
> The current documentation covers an example of PAM configuration on OS X. It 
> will be useful if we can add at least one Linux variant example to help deploy 
> Knox in a Linux environment configured for PAM-based authentication.



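A stack like the one in the comment above is easy to break when it is pasted from a mail client: PAM reads each non-comment line as "type control module [args]", so a comment wrapped onto a second line without its "#" or a collapsed "session required" becomes a parse error that only shows up as a failed login. The following is an added example, not part of this ticket or of the Knox code base: a small parser for the /etc/pam.d/<service> format plus the checks a reviewer would run before pointing Knox's PAM realm at the service (that the file parses, that every management group is either defined or pulled in through an include, and that each module name looks like a module). The sample stack is constructed here, modelled on the ticket's Ubuntu 16.04 login file; the note that Linux-PAM treats an empty stack as a failure is the behaviour of libpam, not something the ticket states.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

PAM_TYPES = ("auth", "account", "password", "session")
CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
# type  control  module [args...]; control may also be the bracketed [value=action ...] form.
RULE_RE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")

# Constructed sample, modelled on the /etc/pam.d/login stack quoted in the ticket.
SAMPLE_LOGIN = """\
#%PAM-1.0
auth       required     pam_sepermit.so
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    [success=1 default=ignore] pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
@include password-auth
"""


@dataclass
class PamRule:
    type: str
    control: str
    module: str
    args: List[str] = field(default_factory=list)
    line_no: int = 0


@dataclass
class PamConfig:
    rules: List[PamRule] = field(default_factory=list)
    includes: List[str] = field(default_factory=list)          # '@include <file>' targets
    problems: List[Tuple[int, str]] = field(default_factory=list)  # (line number, message)


def parse_pam(text: str) -> PamConfig:
    """Parse one pam.d service file; malformed lines are recorded, not silently skipped."""
    cfg = PamConfig()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@include"):
            parts = line.split()
            if len(parts) == 2:
                cfg.includes.append(parts[1])
            else:
                cfg.problems.append((no, "malformed @include"))
            continue
        m = RULE_RE.match(line)
        if not m:
            # Typical cause: a wrapped comment whose second line lost its '#',
            # or a type and control word run together ("sessionrequired").
            cfg.problems.append((no, f"not a PAM rule: {line!r}"))
            continue
        _dash, ptype, control, module, args = m.groups()
        if ptype not in PAM_TYPES:
            cfg.problems.append((no, f"unknown management group {ptype!r}"))
            continue
        if not control.startswith("[") and control not in CONTROLS:
            cfg.problems.append((no, f"unknown control {control!r}"))
            continue
        cfg.rules.append(PamRule(ptype, control, module, args.split() if args else [], no))
    return cfg


def check_pam(cfg: PamConfig) -> List[str]:
    """Findings a reviewer would raise before an application authenticates against this service."""
    findings = [f"line {no}: {msg}" for no, msg in cfg.problems]
    present = {r.type for r in cfg.rules}
    pulls_in_more = bool(cfg.includes) or any(r.control in ("include", "substack") for r in cfg.rules)
    for ptype in PAM_TYPES:
        if ptype not in present and not pulls_in_more:
            findings.append(f"no {ptype} rules and nothing included: Linux-PAM fails an empty {ptype} stack")
    for r in cfg.rules:
        if not r.module.endswith(".so"):
            findings.append(f"line {r.line_no}: {r.module!r} does not look like a PAM module")
    return findings


if __name__ == "__main__":
    for finding in check_pam(parse_pam(SAMPLE_LOGIN)) or ["no findings"]:
        print(finding)
```

Run it against a real file with `check_pam(parse_pam(open("/etc/pam.d/login").read()))`; the checker does not follow @include targets, so a clean result for a file that includes another only says this file is well-formed.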


[jira] [Created] (KNOX-915) Adding example PAM config for Ubuntu in Knox User Guide under PAM Based Authentication section

2017-03-28 Thread Krishna Pandey (JIRA)
Krishna Pandey created KNOX-915:
---

 Summary: Adding example PAM config for Ubuntu in Knox User Guide 
under PAM Based Authentication section
 Key: KNOX-915
 URL: https://issues.apache.org/jira/browse/KNOX-915
 Project: Apache Knox
  Issue Type: Improvement
  Components: KnoxCLI
Affects Versions: 0.11.0
 Environment: Ubuntu-16.04-64bit
Reporter: Krishna Pandey
Priority: Minor


The current documentation covers an example of PAM configuration on OS X. It will be 
useful if we can add at least one Linux variant example to help deploy Knox in a 
Linux environment configured for PAM-based authentication.





[jira] [Created] (KNOX-722) Null Pointer Exception while accessing Services via Knox SSO configured for OKTA

2016-07-12 Thread Krishna Pandey (JIRA)
Krishna Pandey created KNOX-722:
---

 Summary: Null Pointer Exception while accessing Services via Knox 
SSO configured for OKTA
 Key: KNOX-722
 URL: https://issues.apache.org/jira/browse/KNOX-722
 Project: Apache Knox
  Issue Type: Bug
  Components: Server
Affects Versions: 0.9.0
 Environment: All
Reporter: Krishna Pandey
Priority: Critical


When trying to access services, e.g. Ranger, using Knox Single Sign-On configured 
for Okta, we are getting an HTTP 500 error. The error is caused by a Null Pointer 
Exception, which can be seen in gateway.log; the relevant log is below:

{noformat}
2016-07-12 21:24:11,131 ERROR hadoop.gateway 
(AbstractGatewayFilter.java:doFilter(69)) - Failed to execute filter: 
java.lang.NullPointerException
2016-07-12 21:24:11,132 ERROR hadoop.gateway (GatewayFilter.java:doFilter(145)) 
- Gateway processing failed: javax.servlet.ServletException: 
java.lang.NullPointerException
javax.servlet.ServletException: java.lang.NullPointerException
at 
org.apache.hadoop.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
at 
org.apache.hadoop.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:332)
at 
org.apache.hadoop.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:232)
at 
org.apache.hadoop.gateway.GatewayFilter.doFilter(GatewayFilter.java:139)
at 
org.apache.hadoop.gateway.GatewayFilter.doFilter(GatewayFilter.java:91)
at 
org.apache.hadoop.gateway.GatewayServlet.service(GatewayServlet.java:138)
at 
org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
at 
org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
at 
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at 
org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
at 
org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
at 
org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
at 
org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
at 
org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
at 
org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
at 
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at 
org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
at 
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at 
org.apache.hadoop.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
at 
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at 
org.apache.hadoop.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:39)
at 
org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
at 
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:499)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
at 
org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
at 
org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
at 
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
at 
org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
at 
org.apache.hadoop.gateway.pac4j.filter.Pac4jDispatcherFilter.doFilter(Pac4jDispatcherFilter.java:209)
at 
org.apache.hadoop.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:332)
at 
org.apache.hadoop.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:232)
at 
org.apache.hadoop.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:30)
{noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Updated] (KNOX-718) redirecting back after authentication, not valid according to the configured whitelist

2016-06-21 Thread Krishna Pandey (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-718?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Krishna Pandey updated KNOX-718:

Description: 
The user does not get any warning about rejection due to the whitelist when logging 
in through KnoxSSO form-based authentication. Refer to the logs below from gateway.log

"2016-06-21 18:26:02,074 WARN  service.knoxsso (WebSSOResource.java:init(89)) - 
The SSO cookie SecureOnly flag is set to FALSE and is therefore insecure.
2016-06-21 18:26:02,076 INFO  service.knoxsso 
(WebSSOResource.java:getCookieValue(265)) - Unable to find cookie with name: 
original-url
2016-06-21 18:26:02,077 ERROR service.knoxsso 
(WebSSOResource.java:getAuthenticationToken(159)) - The original URL: 
http://:6080/ for redirecting back after authentication is not 
valid according to the configured whitelist: 
^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$. See 
documentation for KnoxSSO Whitelisting."

  was:
The user does not get any warning about rejection due to the whitelist when logging 
in through KnoxSSO form-based authentication. Refer to the logs below from gateway.log

"2016-06-21 18:26:02,074 WARN  service.knoxsso (WebSSOResource.java:init(89)) - 
The SSO cookie SecureOnly flag is set to FALSE and is therefore insecure.
2016-06-21 18:26:02,076 INFO  service.knoxsso 
(WebSSOResource.java:getCookieValue(265)) - Unable to find cookie with name: 
original-url
2016-06-21 18:26:02,077 ERROR service.knoxsso 
(WebSSOResource.java:getAuthenticationToken(159)) - The original URL: 
http://os-d7-larry-knox-bug59465-5.openstacklocal.com:6080/ for redirecting 
back after authentication is not valid according to the configured whitelist: 
^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$. See 
documentation for KnoxSSO Whitelisting."


> redirecting back after authentication, not valid according to the configured 
> whitelist
> --
>
> Key: KNOX-718
> URL: https://issues.apache.org/jira/browse/KNOX-718
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Reporter: Krishna Pandey
> Fix For: 0.10.0
>
>
> The user does not get any warning about rejection due to the whitelist when logging 
> in through KnoxSSO form-based authentication. Refer to the logs below from gateway.log
> "2016-06-21 18:26:02,074 WARN  service.knoxsso (WebSSOResource.java:init(89)) 
> - The SSO cookie SecureOnly flag is set to FALSE and is therefore insecure.
> 2016-06-21 18:26:02,076 INFO  service.knoxsso 
> (WebSSOResource.java:getCookieValue(265)) - Unable to find cookie with name: 
> original-url
> 2016-06-21 18:26:02,077 ERROR service.knoxsso 
> (WebSSOResource.java:getAuthenticationToken(159)) - The original URL: 
> http://:6080/ for redirecting back after authentication is not 
> valid according to the configured whitelist: 
> ^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$. See 
> documentation for KnoxSSO Whitelisting."





[jira] [Updated] (KNOX-718) redirecting back after authentication, not valid according to the configured whitelist

2016-06-21 Thread Krishna Pandey (JIRA)

 [ 
https://issues.apache.org/jira/browse/KNOX-718?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Krishna Pandey updated KNOX-718:

Summary: redirecting back after authentication, not valid according to the 
configured whitelist  (was: redirecting back after authentication is not valid 
according to the configured whitelist)

> redirecting back after authentication, not valid according to the configured 
> whitelist
> --
>
> Key: KNOX-718
> URL: https://issues.apache.org/jira/browse/KNOX-718
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>    Reporter: Krishna Pandey
> Fix For: 0.10.0
>
>
> The user does not get any warning about rejection due to the whitelist when logging 
> in through KnoxSSO form-based authentication. Refer to the logs below from gateway.log
> "2016-06-21 18:26:02,074 WARN  service.knoxsso (WebSSOResource.java:init(89)) 
> - The SSO cookie SecureOnly flag is set to FALSE and is therefore insecure.
> 2016-06-21 18:26:02,076 INFO  service.knoxsso 
> (WebSSOResource.java:getCookieValue(265)) - Unable to find cookie with name: 
> original-url
> 2016-06-21 18:26:02,077 ERROR service.knoxsso 
> (WebSSOResource.java:getAuthenticationToken(159)) - The original URL: 
> http://os-d7-larry-knox-bug59465-5.openstacklocal.com:6080/ for redirecting 
> back after authentication is not valid according to the configured whitelist: 
> ^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$. See 
> documentation for KnoxSSO Whitelisting."


