Ensure we secure hawtio-karaf-terminal's /term context
gashcrumb committed Mar 5, 2014
1 parent ea9d43f commit 5289715
Showing 7 changed files with 123 additions and 11 deletions.
6 changes: 6 additions & 0 deletions hawtio-karaf-terminal/pom.xml
Expand Up @@ -30,6 +30,12 @@
<version>${project.version}</version>
</dependency>

<dependency>
<groupId>io.hawt</groupId>
<artifactId>hawtio-system</artifactId>
<version>${project.version}</version>
</dependency>

<dependency>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
@@ -0,0 +1,38 @@
package io.hawt.web.plugin.karaf.terminal;

import io.hawt.system.ConfigManager;

import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

/**
* @author Stan Lewis
*/
public class KarafTerminalContextListener implements ServletContextListener {

private ConfigManager configManager = new ConfigManager();

@Override
public void contextInitialized(ServletContextEvent sce) {
try {
configManager.init();
} catch (Exception e) {
throw createServletException(e);
}
sce.getServletContext().setAttribute("ConfigManager", configManager);
}

@Override
public void contextDestroyed(ServletContextEvent sce) {
try {
configManager.destroy();
} catch (Exception e) {
throw createServletException(e);
}

}
protected RuntimeException createServletException(Exception e) {
return new RuntimeException(e);
}

}
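Review bot: contextDestroyed tears down the ConfigManager but leaves it registered under the `"ConfigManager"` servlet-context attribute, so anything that still resolves the attribute during shutdown gets a destroyed instance; add `sce.getServletContext().removeAttribute("ConfigManager");` before the `configManager.destroy()` call. `createServletException` returns a `RuntimeException` rather than a `ServletException`, which the name suggests; either rename it or document it with `/** Wraps a checked init/destroy failure in an unchecked exception so the container sees the failure. */`. The `configManager` field is assigned only at its declaration and can be `final`. A class-level Javadoc sentence saying that the attribute is how other components in this context reach the shared ConfigManager would also help; the consumer of that attribute is not visible on this page.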
@@ -1,18 +1,23 @@
package io.hawt.web.plugin.karaf.terminal;

import io.hawt.system.Helpers;
import org.apache.felix.service.command.CommandProcessor;
import org.apache.felix.service.command.CommandSession;
import org.apache.felix.service.threadio.ThreadIO;
import org.apache.karaf.shell.console.jline.Console;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.*;
import java.lang.reflect.Constructor;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.util.zip.GZIPOutputStream;

/**
Expand All @@ -38,12 +43,32 @@ public ThreadIO getThreadIO() {

@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

HttpSession session = request.getSession(false);
if (session == null) {
AccessControlContext acc = AccessController.getContext();
Subject subject = Subject.getSubject(acc);
if (subject == null) {
Helpers.doForbidden(response);
return;
}
session = request.getSession(true);
session.setAttribute("subject", subject);
} else {
Subject subject = (Subject) session.getAttribute("subject");
if (subject == null) {
session.invalidate();
Helpers.doForbidden(response);
return;
}
}

String encoding = request.getHeader("Accept-Encoding");
boolean supportsGzip = (encoding != null && encoding.toLowerCase().indexOf("gzip") > -1);
SessionTerminal st = (SessionTerminal) request.getSession(true).getAttribute("terminal");
SessionTerminal st = (SessionTerminal) session.getAttribute("terminal");
if (st == null || st.isClosed()) {
st = new SessionTerminal(getCommandProcessor(), getThreadIO());
request.getSession().setAttribute("terminal", st);
session.setAttribute("terminal", st);
}
String str = request.getParameter("k");
String f = request.getParameter("f");
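Review bot: An existing session that has no `"subject"` attribute is invalidated and refused at the `else` branch even when the current request carries an authenticated Subject in the AccessControlContext, which the `session == null` branch would have accepted; any other servlet in this context that creates the session first therefore locks the terminal out. The two branches also shadow one `Subject subject` local and duplicate the forbidden path. Resolving the Subject from the AccessControlContext first and falling back to the session only when it is absent keeps the session binding and the 403 behaviour while removing the asymmetry; this assumes the AuthenticationFilter runs the chain under `Subject.doAs` for every authenticated request, which is not visible here. doPost continues past the end of this hunk.
```java
HttpSession session = request.getSession(false);
// Prefer the Subject the filter authenticated for this request; a session
// is only created once such a Subject exists.
Subject subject = Subject.getSubject(AccessController.getContext());
if (subject != null) {
    session = request.getSession(true);
    session.setAttribute("subject", subject);
} else if (session != null) {
    subject = (Subject) session.getAttribute("subject");
}
if (subject == null) {
    if (session != null) {
        session.invalidate();
    }
    Helpers.doForbidden(response);
    return;
}
// … unchanged: gzip negotiation and SessionTerminal lookup on `session` …
```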
42 changes: 42 additions & 0 deletions hawtio-karaf-terminal/src/main/webapp/WEB-INF/web.xml
Expand Up @@ -8,6 +8,44 @@
<description>hawtio</description>
<display-name>hawtio Karaf terminal plugin</display-name>

<env-entry>
<description>Enable/disable hawtio's authentication filter, value is really a boolean</description>
<env-entry-name>hawtio/authenticationEnabled</env-entry-name>
<env-entry-type>java.lang.String</env-entry-type>
<env-entry-value>false</env-entry-value>
</env-entry>

<env-entry>
<description>Authorized user role, empty string disables authorization</description>
<env-entry-name>hawtio/role</env-entry-name>
<env-entry-type>java.lang.String</env-entry-type>
<env-entry-value></env-entry-value>
</env-entry>

<env-entry>
<description>JAAS classname that would contain the role principal, empty string disables authorization</description>
<env-entry-name>hawtio/rolePrincipalClasses</env-entry-name>
<env-entry-type>java.lang.String</env-entry-type>
<env-entry-value></env-entry-value>
</env-entry>

<env-entry>
<description>JAAS realm used to authenticate users</description>
<env-entry-name>hawtio/realm</env-entry-name>
<env-entry-type>java.lang.String</env-entry-type>
<env-entry-value>*</env-entry-value>
</env-entry>

<filter>
<filter-name>AuthenticationFilter</filter-name>
<filter-class>io.hawt.web.AuthenticationFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>AuthenticationFilter</filter-name>
<url-pattern>/term/*</url-pattern>
</filter-mapping>


<servlet>
<servlet-name>TerminalServlet</servlet-name>
<servlet-class>io.hawt.web.plugin.karaf.terminal.TerminalServlet</servlet-class>
Expand All @@ -18,5 +56,9 @@
<url-pattern>/term/*</url-pattern>
</servlet-mapping>

<listener>
<listener-class>io.hawt.web.plugin.karaf.terminal.KarafTerminalContextListener</listener-class>
</listener>

</web-app>
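Review bot: The `hawtio/authenticationEnabled` env-entry defaults to `false`, so the AuthenticationFilter mapped to `/term/*` below it is inert unless that value is overridden from somewhere else; given the commit's aim of securing the `/term` context, the safer default is `<env-entry-value>true</env-entry-value>`, or the description should state where the override is expected to come from (the ConfigManager lookup order is not visible here). The `hawtio/realm` value `*` has no explanation in its description; a phrase saying what `*` selects would save the next reader a lookup. The description `value is really a boolean` would read more precisely as `value is parsed as a boolean`.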

7 changes: 4 additions & 3 deletions hawtio-karaf-terminal/src/main/webapp/app/js/gogo.js
Expand Up @@ -6,7 +6,7 @@

gogo = { };

gogo.Terminal_ctor = function(div, width, height) {
gogo.Terminal_ctor = function(div, width, height, authHeader) {

var query0 = "w=" + width + "&h=" + height;
var query1 = query0 + "&k=";
Expand Down Expand Up @@ -47,6 +47,7 @@ gogo.Terminal_ctor = function(div, width, height) {
force = 0;
}
r.open("POST", "hawtio-karaf-terminal/term", true);
r.setRequestHeader('Authorization', authHeader);
r.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
r.onreadystatechange = function () {
if (r.readyState == 4) {
Expand Down Expand Up @@ -223,7 +224,7 @@ gogo.Terminal_ctor = function(div, width, height) {

}

gogo.Terminal = function(div, width, height) {
return new this.Terminal_ctor(div, width, height);
gogo.Terminal = function(div, width, height, authHeader) {
return new this.Terminal_ctor(div, width, height, authHeader);
}
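Review bot: `r.setRequestHeader('Authorization', authHeader)` runs unconditionally, so any caller still using the three-argument `gogo.Terminal(div, width, height)` form sends the literal string `undefined` as the Authorization header on every poll; guard it with `if (authHeader) { r.setRequestHeader('Authorization', authHeader); }`. Because the value is captured once in the constructor, a later credential change keeps the old header for the lifetime of the terminal; accepting a function that returns the current header would avoid that. `Terminal_ctor` starts before the second hunk and ends after it.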

6 changes: 4 additions & 2 deletions hawtio-karaf-terminal/src/main/webapp/app/js/gogoPlugin.js
Expand Up @@ -11,7 +11,7 @@ var Gogo = (function() {
when('/gogo', {
templateUrl: 'hawtio-karaf-terminal/app/html/gogo.html'
});
}).directive('gogoTerminal', function(log) {
}).directive('gogoTerminal', function(log, userDetails) {
return {
restrict: 'A',
link: function(scope, element, attrs) {
Expand Down Expand Up @@ -50,7 +50,9 @@ var Gogo = (function() {
'min-height': cssHeight
});

gogo.Terminal(element.get(0), width, height);
var authHeader = Core.getBasicAuthHeader(userDetails.username, userDetails.password);

gogo.Terminal(element.get(0), width, height, authHeader);

scope.$on("$destroy", function(e) {
document.onkeypress = null;
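Review bot: `authHeader` is built once at link time from `userDetails.username` and `userDetails.password`, so if `userDetails` is filled in later or changes, the terminal keeps a stale or empty header for as long as the element lives; how `Core.getBasicAuthHeader` handles an undefined password is not visible here. Passing a closure such as `function() { return Core.getBasicAuthHeader(userDetails.username, userDetails.password); }` and reading it at request time in gogo.js would keep the header current. The directive's link function continues outside this hunk.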
Expand Up @@ -105,9 +105,7 @@ public void doFilter(final ServletRequest request, final ServletResponse respons
}
}

boolean doAuthenticate = path.startsWith("/auth") ||
path.startsWith("/jolokia") ||
path.startsWith("/upload");
boolean doAuthenticate = true;

if (doAuthenticate) {
LOG.debug("Doing authentication and authorization for path {}", path);
Expand All @@ -129,7 +127,7 @@ public void execute(Subject subject) throws Exception {
break;
}
} else {
LOG.debug("No authentication needed for path {}", path);
LOG.warn("No authentication needed for path {}", path);
chain.doFilter(request, response);
}
}
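Review bot: `boolean doAuthenticate = true;` makes the `else` branch at the bottom of the second hunk unreachable, so the `LOG.debug` → `LOG.warn` change there can never fire; either delete that branch and the now-constant variable, or keep the decision data-driven (for example a configured list of exempt paths) so the warning has a purpose. Because the filter now authenticates every path it is mapped to, any descriptor that maps it broadly — the main hawtio application's mapping is not visible on this page — will start challenging requests that used to pass through, such as static resources; the other mappings are worth confirming before merge. doFilter starts before the first hunk and ends after the second.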
