-
Notifications
You must be signed in to change notification settings - Fork 247
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KNOX-2961 - Knox SSO cookie Invalidation - Phase I #797
Conversation
4b17ffa
to
2865226
Compare
800bb03
to
8f3f220
Compare
|
||
private final Set<SessionInvalidator> sessionInvalidators = new HashSet<>(); | ||
|
||
public void registerSessionInvalidator(SessionInvalidator sessionInvalidator) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What happens after a topology undeployent? Do we need to unregister the previously registered invalidator?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm...that's a good question. I'd believe the previously registered one will be destroyed by Jetty, but it's worth a try to see if this really happens.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
SessionInvalidators.KNOX_SSO_INVALIDATOR.getSessionInvalidators().forEach(sessionInvalidator -> { | ||
sessionInvalidator.onAuthenticationError(request, response); | ||
}); | ||
final boolean doGlobalLogout = request.getAttribute("doGlobalLogout") == null ? false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
doGlobalLogout
should be a constant, it is used in Pac4jDispatcherFilter
too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ack.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
if (!disabledKnoxSsoCookies.isEmpty()) { | ||
log.removingDisabledKnoxSsoCookiesFromDatabase(disabledKnoxSsoCookies.size(), | ||
String.join(", ", disabledKnoxSsoCookies.stream().map(tokenId -> Tokens.getTokenIDDisplayText(tokenId)).collect(Collectors.toSet()))); | ||
for (String tokenId : disabledKnoxSsoCookies) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How many tokens do we expect to have normally? If it's a lot then maybe having a dedicated sql delete statement would be better.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good argument. I also had the same idea but I wanted to have the PR out ASAP so that you guys can review it. Let me submit a new PS with the updated DELETE
statement.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
...rver/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
Outdated
Show resolved
Hide resolved
...rver/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenStateService.java
Outdated
Show resolved
Hide resolved
...-server/src/main/java/org/apache/knox/gateway/services/token/impl/JDBCTokenStateService.java
Outdated
Show resolved
Hide resolved
...way-server/src/main/java/org/apache/knox/gateway/services/token/impl/TokenStateDatabase.java
Outdated
Show resolved
Hide resolved
...ver/src/main/java/org/apache/knox/gateway/services/token/impl/TokenStateServiceMessages.java
Show resolved
Hide resolved
gateway-spi/src/main/java/org/apache/knox/gateway/session/SessionInvalidator.java
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
…#797) Change-Id: I67a65224dfac4178e5aedd187a3a1cdafb162727
…into cdpd-master * changes: CDPD-62588, KNOX-2972: Session resource can generate application logout URL with profile/topologies query parameters (apache#808) CDPD-62595, KNOX-2970: Removing KnoxSSO cookie from the token state service upon logout (apache#806) CDPD-62598, KNOX-2971: Applying word wrapping in the comment and metadata columns on the Token Management UI (apache#807) CDPD-62592, KNOX-2969: KnoxSSO Cookies should be ignored while calculating token limit per user (apache#805) CDPD-62585, KNOX-2968: Batch token enable action should succeed even if enabled KnoxSSO cookies are selected (apache#804) CDPD-61809, KNOX-2961: Knox SSO cookie Invalidation - Phase II (apache#799) CDPD-61184, KNOX-2961: Knox SSO cookie Invalidation - Phase I (apache#797)
What changes were proposed in this pull request?
The
KNOXSSO
service is modified in a way such that it saves the generated SSO cookie using Knox's token state service capabilities in case token management is enabled inKNOXSSO
's configuration (using the well-knownknox.token.exp.server-managed=true
parameter).This is only the SSO cookie generation side of the feature. The verification side also needs to be configured the same way: the
SSOCookieProvider
configuration must have the same parameter to enable this new feature.In addition to the save/verify changes, the Token Management page is updated:
How was this patch tested?
Manually tested using PAM, LDAP, and PAC4J (SAML2 and OIDC) authentication mechanisms. I flipped the
knox.token.exp.server-managed
totrue
inknoxsso
,homepage
, andmanager
topologies.Logged into the Knox home page (contains some valid UI links in the sandbox topology) as well as opened the Token Management and Token Generation pages. I also opened a private window with the Token Management page to mimic a system administrator (a superuser who has the power to disable tokens for other users).
Confirmed that I can proxy some UIs from the Knox Home page and could generate manage tokens as usual.
Then, in the private window, I disabled the previously generated SSO cookie for my session in the non-private window and confirmed that I was redirected to the Knox login page or to my configured global logout redirect in case of Pac4j authentication (for this feature to work with Pac4j, the
knox.global.logout.page.url
configuration is a must-have parameter ingateway-site.xml
).This is how the Token Management page looks like with my new changes:
![Screenshot 2023-10-02 at 10 18 28](https://private-user-images.githubusercontent.com/34065904/271918630-409416fb-8739-4fbb-bf05-b9e3333961a9.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTk1NTc2MDUsIm5iZiI6MTcxOTU1NzMwNSwicGF0aCI6Ii8zNDA2NTkwNC8yNzE5MTg2MzAtNDA5NDE2ZmItODczOS00ZmJiLWJmMDUtYjllMzMzMzk2MWE5LnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA2MjglMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNjI4VDA2NDgyNVomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWU0M2Q1M2EwY2MzNDg0ZjA2NGYwMTJlN2Q2OGU2MzllN2M5YjRlZmZmZDc5NDVmN2NlNTI4MWU0ODFhMzUzMWQmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.h_4f24ZhrkUQCgb_sbDKh-XhCIXKkoxMfcUfDjmf-jM)
Important note: as the commit message suggests, this is only the 1st phase of the job. In the 2nd one, two new improvements are coming: