
Example 1 with RequestContext

Use of org.apache.ranger.common.RequestContext in the project ranger by apache.

From the class RangerSecurityContextFormationFilter, method doFilter:

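/**
 * Binds a {@link RangerSecurityContext} to the current thread for the duration of the request.
 *
 * <p>For every request whose {@link Authentication} is not an
 * {@link AnonymousAuthenticationToken} (note that a {@code null} authentication also passes this
 * test, as in the original), the context is read from the HTTP session under
 * {@code AKA_SC_SESSION_KEY}, created and stored there when absent, filled with a fresh
 * {@link RequestContext} (client IP, user agent, device type, generated server request id,
 * request URI, client time offset) and with the {@link UserSessionBase} returned by
 * {@code sessionMgr.processSuccessLogin}, and then published via {@link RangerContextHolder}.
 * Browser-hardening response headers are set before the chain continues, and the thread-local
 * context is always cleared in {@code finally}, even when the chain throws.
 *
 * @param request  the incoming request; cast to {@link HttpServletRequest}
 * @param response the outgoing response; cast to {@link HttpServletResponse}
 * @param chain    the remaining filter chain
 * @throws IOException      propagated from the chain
 * @throws ServletException propagated from the chain
 * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest,
 *      javax.servlet.ServletResponse, javax.servlet.FilterChain)
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    try {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!(auth instanceof AnonymousAuthenticationToken)) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            // Never create a session here; a request may legitimately arrive without one.
            HttpSession httpSession = httpRequest.getSession(false);

            // [1] Reuse the security context already stored in the session, if any.
            RangerSecurityContext context = null;
            if (httpSession != null) {
                context = (RangerSecurityContext) httpSession.getAttribute(AKA_SC_SESSION_KEY);
            }
            if (context == null) {
                context = new RangerSecurityContext();
                // Fix: the original called setAttribute unconditionally and threw a
                // NullPointerException whenever the request had no session. Without a session
                // the context is request-scoped only; it is still published on the thread below.
                if (httpSession != null) {
                    httpSession.setAttribute(AKA_SC_SESSION_KEY, context);
                }
            }

            String userAgent = httpRequest.getHeader(USER_AGENT);
            int clientTimeOffset = RestUtil.getTimeOffset(httpRequest);

            // [2] Capture the request-specific details.
            RequestContext requestContext = new RequestContext();
            // testIP presumably overrides the client address in tests (confirm against the
            // field's declaration); otherwise the address of the immediate peer is used, not a
            // forwarded-for header.
            String reqIP = testIP != null ? testIP : httpRequest.getRemoteAddr();
            requestContext.setIpAddress(reqIP);
            requestContext.setUserAgent(userAgent);
            requestContext.setDeviceType(httpUtil.getDeviceType(httpRequest));
            requestContext.setServerRequestId(guidUtil.genGUID());
            requestContext.setRequestURL(httpRequest.getRequestURI());
            requestContext.setClientTimeOffsetInMinute(clientTimeOffset);
            context.setRequestContext(requestContext);

            // [3] Publish the context on the current thread before resolving the user session.
            RangerContextHolder.setSecurityContext(context);
            UserSessionBase userSession = sessionMgr.processSuccessLogin(
                    XXAuthSession.AUTH_TYPE_PASSWORD, userAgent, httpRequest);
            if (userSession != null) {
                // A request attribute set by an upstream filter wins over the configured default.
                Object ssoEnabledObj = request.getAttribute("ssoEnabled");
                Boolean ssoEnabled = ssoEnabledObj != null
                        ? Boolean.valueOf(String.valueOf(ssoEnabledObj))
                        : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false);
                userSession.setSSOEnabled(ssoEnabled);
                // Only seed the offset once; an offset already recorded on the session is kept.
                if (userSession.getClientTimeOffsetInMinute() == 0) {
                    userSession.setClientTimeOffsetInMinute(clientTimeOffset);
                }
            }
            context.setUserSession(userSession);
        }

        // Browser-hardening headers, applied to every response that passes through this filter
        // (anonymous requests included). X-XSS-Protection is a legacy header retained for older
        // browsers; current ones ignore it.
        HttpServletResponse res = (HttpServletResponse) response;
        res.setHeader("X-Frame-Options", "DENY");
        res.setHeader("X-Content-Type-Options", "nosniff");
        res.setHeader("X-XSS-Protection", "1; mode=block");
        res.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
        chain.doFilter(request, res);
    } finally {
        // [4] Always drop the thread-local context so a pooled thread cannot leak it into the
        // next request, even when the chain threw.
        RangerContextHolder.resetSecurityContext();
    }
}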

