
Example 1 with ShiroHttpServletRequest

Use of org.apache.shiro.web.servlet.ShiroHttpServletRequest in the Apache Zeppelin project.

Class KnoxAuthenticationFilter, method isAccessAllowed.

protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
    // Check with existing shiro authentication logic
    // https://github.com/apache/shiro/blob/shiro-root-1.3.2/web/src/main/java/org/apache/shiro/
    // web/filter/authc/AuthenticatingFilter.java#L123-L124
    // && binds tighter than ||; the parentheses make the existing precedence explicit
    boolean accessAllowed = super.isAccessAllowed(request, response, mappedValue)
        || (!isLoginRequest(request, response) && isPermissive(mappedValue));
    if (accessAllowed) {
        accessAllowed = false;
        KnoxJwtRealm knoxJwtRealm = null;
        // TODO(jl): Is this logic really useful?
        DefaultWebSecurityManager defaultWebSecurityManager;
        String key = ThreadContext.SECURITY_MANAGER_KEY;
        defaultWebSecurityManager = (DefaultWebSecurityManager) ThreadContext.get(key);
        Collection<Realm> realms = defaultWebSecurityManager.getRealms();
        for (Object realm : realms) {
            if (realm instanceof KnoxJwtRealm) {
                knoxJwtRealm = (KnoxJwtRealm) realm;
                break;
            }
        }
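        if (null != knoxJwtRealm) {
            // getCookies() returns null when the request carries no cookies;
            // guard against it so an unauthenticated request is denied instead of throwing
            Cookie[] cookies = ((ShiroHttpServletRequest) request).getCookies();
            if (cookies != null) {
                for (Cookie cookie : cookies) {
                    if (cookie.getName().equals(knoxJwtRealm.getCookieName())) {
                        // Access is granted only if the Knox JWT in the cookie validates
                        if (knoxJwtRealm.validateToken(cookie.getValue())) {
                            accessAllowed = true;
                        }
                        break;
                    }
                }
            }
        } else {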
            LOGGER.error("Looks like this filter is enabled without enabling KnoxJwtRealm, please refer" + " to https://zeppelin.apache.org/docs/latest/security/shiroauthentication.html" + "#knox-sso");
        }
    }
    return accessAllowed;
}
Also used: Cookie (javax.servlet.http.Cookie), DefaultWebSecurityManager (org.apache.shiro.web.mgt.DefaultWebSecurityManager), ShiroHttpServletRequest (org.apache.shiro.web.servlet.ShiroHttpServletRequest), Realm (org.apache.shiro.realm.Realm)
