Author: thomas.heute(a)jboss.com Date: 2010-11-22 06:13:50 -0500 (Mon, 22 Nov 2010) New Revision: 5200 Added: epp/portal/branches/EPP_5_1_Branch/component/web/security/src/main/java/org/exoplatform/web/security/proxy/ epp/portal/branches/EPP_5_1_Branch/component/web/security/src/main/java/org/exoplatform/web/security/proxy/ProxyFilterService.java epp/portal/branches/EPP_5_1_Branch/gadgets/core/src/main/java/org/exoplatform/portal/gadget/core/ProxyServletFilter.java Removed: epp/portal/branches/EPP_5_1_Branch/component/web/security/src/main/java/org/exoplatform/web/security/proxy/ProxyFilterService.java Modified: epp/portal/branches/EPP_5_1_Branch/gadgets/server/src/main/webapp/WEB-INF/web.xml epp/portal/branches/EPP_5_1_Branch/web/portal/src/main/webapp/WEB-INF/conf/common/common-configuration.xml Log: JBEPP-642: Gadget proxy can serve as anonymous proxy GTNPORTAL-1674: Domain based gadget proxy filtering Copied: epp/portal/branches/EPP_5_1_Branch/component/web/security/src/main/java/org/exoplatform/web/security/proxy (from rev 5184, portal/trunk/component/web/security/src/main/java/org/exoplatform/web/security/proxy) Deleted: epp/portal/branches/EPP_5_1_Branch/component/web/security/src/main/java/org/exoplatform/web/security/proxy/ProxyFilterService.java =================================================================== --- portal/trunk/component/web/security/src/main/java/org/exoplatform/web/security/proxy/ProxyFilterService.java 2010-11-19 17:45:49 UTC (rev 5184) +++ epp/portal/branches/EPP_5_1_Branch/component/web/security/src/main/java/org/exoplatform/web/security/proxy/ProxyFilterService.java 2010-11-22 11:13:50 UTC (rev 5200) @@ -1,194 +0,0 @@ -/* - * Copyright (C) 2010 eXo Platform SAS. - * - * This is free software; you can redistribute it and/or modify it - * under the terms of the GNU Lesser General Public License as - * published by the Free Software Foundation; either version 2.1 of - * the License, or (at your option) any later version. - * - * This software is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with this software; if not, write to the Free - * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA - * 02110-1301 USA, or see the FSF site: http://www.fsf.org. - */ - -package org.exoplatform.web.security.proxy; - -import org.exoplatform.container.PortalContainer; -import org.exoplatform.container.xml.InitParams; -import org.exoplatform.container.xml.ValuesParam; -import org.gatein.common.logging.Logger; -import org.gatein.common.logging.LoggerFactory; - -import javax.servlet.http.HttpServletRequest; -import java.net.URI; -import java.util.ArrayList; -import java.util.Collections; -import java.util.List; -import java.util.regex.Pattern; - -/** - * The proxy filter service is used for filtering http access when it is performed by GateIn. - * The following rules applies to the filtering: - * - * <ul> - * <li>Same host URI grants access</li> - * <li>A black list match of the host denies access</li> - * <li>A white list match of the host grants access</li> - * <li>Access is denied</li> - * </ul> - * - * The service is configured by - * <ul> - * <li>a <code>white-list</code> parameter that specifies a list of white list rules</li> - * <li>a <code>black-list</code> parameter that specifies a list of black list rules</li> - * </ul> - * - * Rules are trimmed and the wildcard character can be used to match any number of character. - * - * @author <a href="mailto:julien.viet@exoplatform.com">Julien Viet</a> - * @version $Revision$ - */ -public class ProxyFilterService -{ - - /** . */ - private static final Logger log = LoggerFactory.getLogger(ProxyFilterService.class); - - /** . */ - private final List<Pattern> whiteList; - - /** . */ - private final List<Pattern> blackList; - - public ProxyFilterService(InitParams params) - { - this.whiteList = createList(params.getValuesParam("white-list")); - this.blackList = createList(params.getValuesParam("black-list")); - - // A bit of logging - log.debug("Proxy filter service white list " + whiteList); - log.debug("Proxy filter service black list " + blackList); - } - - private List<Pattern> createList(ValuesParam values) - { - if (values != null) - { - ArrayList<Pattern> patterns = new ArrayList<Pattern>(); - for (Object value : values.getValues()) - { - String s = ((String)value).trim(); - StringBuilder sb = new StringBuilder("^"); - for (int i = 0;i < s.length();i++) - { - char c = s.charAt(i); - switch (c) - { - case '*': - sb.append(".*"); - break; - case '[': - case '\\': - case '^': - case '$': - case '.': - case '|': - case '?': - case '+': - case '(': - case ')': - sb.append("\\"); - sb.append(c); - break; - default: - sb.append(c); - break; - } - } - sb.append("$"); - Pattern pattern = Pattern.compile(sb.toString()); - patterns.add(pattern); - } - return Collections.unmodifiableList(patterns); - } - else - { - return Collections.emptyList(); - } - } - - /** - * Returns true if access to a remote URI should be granted. - * - * @param request the servlet request doing the request - * @param container the portal container associated with the request - * @param remoteURI the remote URI to check - * @return the access to the remote URI - */ - public boolean accept( - HttpServletRequest request, - PortalContainer container, - URI remoteURI) - { - boolean trace = log.isTraceEnabled(); - - // - String remoteHost = remoteURI.getHost(); - - // Filter based on same server name - String remoteServerName = request.getServerName(); - if (remoteHost.equals(remoteServerName)) - { - if (trace) - { - log.trace("Same host matching for URI " + remoteURI); - } - return true; - } - - // Otherwise go through black list first - for (int i = 0;i < blackList.size();i++) - { - Pattern pattern = blackList.get(i); - boolean rejected = pattern.matcher(remoteHost).matches(); - if (trace) - { - log.trace("Black list " + pattern + (rejected ? " matched URI " : " did not match URI") + remoteURI); - } - if (rejected) - { - return false; - } - } - - // Finally go through white list first - for (int i = 0;i < whiteList.size();i++) - { - Pattern pattern = whiteList.get(i); - boolean accepted = pattern.matcher(remoteHost).matches(); - if (trace) - { - log.trace("White list " + pattern + (accepted ? " matched URI " : " did not match URI") + remoteURI); - } - if (accepted) - { - return true; - } - } - - // - if (trace) - { - log.trace("Rejected implicitely uri " + remoteURI); - } - - // - return false; - } -} Copied: epp/portal/branches/EPP_5_1_Branch/component/web/security/src/main/java/org/exoplatform/web/security/proxy/ProxyFilterService.java (from rev 5184, portal/trunk/component/web/security/src/main/java/org/exoplatform/web/security/proxy/ProxyFilterService.java) =================================================================== --- epp/portal/branches/EPP_5_1_Branch/component/web/security/src/main/java/org/exoplatform/web/security/proxy/ProxyFilterService.java (rev 0) +++ epp/portal/branches/EPP_5_1_Branch/component/web/security/src/main/java/org/exoplatform/web/security/proxy/ProxyFilterService.java 2010-11-22 11:13:50 UTC (rev 5200) @@ -0,0 +1,194 @@ +/* + * Copyright (C) 2010 eXo Platform SAS. + * + * This is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This software is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this software; if not, write to the Free + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA, or see the FSF site: http://www.fsf.org. + */ + +package org.exoplatform.web.security.proxy; + +import org.exoplatform.container.PortalContainer; +import org.exoplatform.container.xml.InitParams; +import org.exoplatform.container.xml.ValuesParam; +import org.gatein.common.logging.Logger; +import org.gatein.common.logging.LoggerFactory; + +import javax.servlet.http.HttpServletRequest; +import java.net.URI; +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; +import java.util.regex.Pattern; + +/** + * The proxy filter service is used for filtering http access when it is performed by GateIn. + * The following rules applies to the filtering: + * + * <ul> + * <li>Same host URI grants access</li> + * <li>A black list match of the host denies access</li> + * <li>A white list match of the host grants access</li> + * <li>Access is denied</li> + * </ul> + * + * The service is configured by + * <ul> + * <li>a <code>white-list</code> parameter that specifies a list of white list rules</li> + * <li>a <code>black-list</code> parameter that specifies a list of black list rules</li> + * </ul> + * + * Rules are trimmed and the wildcard character can be used to match any number of character. + * + * @author <a href="mailto:julien.viet@exoplatform.com">Julien Viet</a> + * @version $Revision$ + */ +public class ProxyFilterService +{ + + /** . */ + private static final Logger log = LoggerFactory.getLogger(ProxyFilterService.class); + + /** . */ + private final List<Pattern> whiteList; + + /** . */ + private final List<Pattern> blackList; + + public ProxyFilterService(InitParams params) + { + this.whiteList = createList(params.getValuesParam("white-list")); + this.blackList = createList(params.getValuesParam("black-list")); + + // A bit of logging + log.debug("Proxy filter service white list " + whiteList); + log.debug("Proxy filter service black list " + blackList); + } + + private List<Pattern> createList(ValuesParam values) + { + if (values != null) + { + ArrayList<Pattern> patterns = new ArrayList<Pattern>(); + for (Object value : values.getValues()) + { + String s = ((String)value).trim(); + StringBuilder sb = new StringBuilder("^"); + for (int i = 0;i < s.length();i++) + { + char c = s.charAt(i); + switch (c) + { + case '*': + sb.append(".*"); + break; + case '[': + case '\\': + case '^': + case '$': + case '.': + case '|': + case '?': + case '+': + case '(': + case ')': + sb.append("\\"); + sb.append(c); + break; + default: + sb.append(c); + break; + } + } + sb.append("$"); + Pattern pattern = Pattern.compile(sb.toString()); + patterns.add(pattern); + } + return Collections.unmodifiableList(patterns); + } + else + { + return Collections.emptyList(); + } + } + + /** + * Returns true if access to a remote URI should be granted. + * + * @param request the servlet request doing the request + * @param container the portal container associated with the request + * @param remoteURI the remote URI to check + * @return the access to the remote URI + */ + public boolean accept( + HttpServletRequest request, + PortalContainer container, + URI remoteURI) + { + boolean trace = log.isTraceEnabled(); + + // + String remoteHost = remoteURI.getHost(); + + // Filter based on same server name + String remoteServerName = request.getServerName(); + if (remoteHost.equals(remoteServerName)) + { + if (trace) + { + log.trace("Same host matching for URI " + remoteURI); + } + return true; + } + + // Otherwise go through black list first + for (int i = 0;i < blackList.size();i++) + { + Pattern pattern = blackList.get(i); + boolean rejected = pattern.matcher(remoteHost).matches(); + if (trace) + { + log.trace("Black list " + pattern + (rejected ? " matched URI " : " did not match URI") + remoteURI); + } + if (rejected) + { + return false; + } + } + + // Finally go through white list first + for (int i = 0;i < whiteList.size();i++) + { + Pattern pattern = whiteList.get(i); + boolean accepted = pattern.matcher(remoteHost).matches(); + if (trace) + { + log.trace("White list " + pattern + (accepted ? " matched URI " : " did not match URI") + remoteURI); + } + if (accepted) + { + return true; + } + } + + // + if (trace) + { + log.trace("Rejected implicitely uri " + remoteURI); + } + + // + return false; + } +} Copied: epp/portal/branches/EPP_5_1_Branch/gadgets/core/src/main/java/org/exoplatform/portal/gadget/core/ProxyServletFilter.java (from rev 5184, portal/trunk/gadgets/core/src/main/java/org/exoplatform/portal/gadget/core/ProxyServletFilter.java) =================================================================== --- epp/portal/branches/EPP_5_1_Branch/gadgets/core/src/main/java/org/exoplatform/portal/gadget/core/ProxyServletFilter.java (rev 0) +++ epp/portal/branches/EPP_5_1_Branch/gadgets/core/src/main/java/org/exoplatform/portal/gadget/core/ProxyServletFilter.java 2010-11-22 11:13:50 UTC (rev 5200) @@ -0,0 +1,110 @@ +/* + * Copyright (C) 2010 eXo Platform SAS. + * + * This is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This software is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this software; if not, write to the Free + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA, or see the FSF site: http://www.fsf.org. + */ + +package org.exoplatform.portal.gadget.core; + +import org.exoplatform.container.PortalContainer; +import org.exoplatform.web.security.proxy.ProxyFilterService; + +import javax.servlet.Filter; +import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; +import javax.servlet.ServletContext; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; +import java.net.URI; + +/** + * The proxy servlet filter is a servlet filter placed in front of Shindig proxy servlet. + * It filters a request and allows only the request satisfying the following: + * <ul> + * <li>the request has an URL parameter</li> + * <li>the request can locate a container associated with the request</li> + * <li>the request can locate the {@link ProxyFilterService} within the container</li> + * <li>the method {@link ProxyFilterService#accept(HttpServletRequest, PortalContainer, URI)} invocation returns true</li> + * </ul> + * + * This service is located in front and does not use Shindig integration point (such as org.apache.shindig.gadgets.GadgetBlacklist} + * as the execution is performed by a thread that is not associated with the portal request precluding any access to + * information enabling contextual filtering. + * + * @author <a href="mailto:julien.viet@exoplatform.com">Julien Viet</a> + * @version $Revision$ + */ +public class ProxyServletFilter implements Filter +{ + + /** . */ + private ServletContext ctx; + + public void init(FilterConfig cfg) throws ServletException + { + this.ctx = cfg.getServletContext(); + } + + public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException, ServletException + { + HttpServletRequest hreq = (HttpServletRequest)req; + HttpServletResponse hresp = (HttpServletResponse)resp; + + // Get URL + String url = hreq.getParameter("url"); + if (url == null) + { + hresp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "No URL"); + } + else + { + // Get container + PortalContainer container = PortalContainer.getInstance(ctx); + if (container == null) + { + hresp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Could not access container for servlet context " + ctx.getContextPath()); + } + else + { + ProxyFilterService service = (ProxyFilterService)container.getComponentInstanceOfType(ProxyFilterService.class); + if (service == null) + { + hresp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Could not access proxy filter service " + ctx.getContextPath()); + } + else + { + URI uri = URI.create(url); + if (!service.accept(hreq, container, uri)) + { + hresp.sendError(HttpServletResponse.SC_FORBIDDEN, "Gadget " + url + " is blacklisted"); + } + else + { + chain.doFilter(req, resp); + } + } + } + } + } + + public void destroy() + { + } +} Modified: epp/portal/branches/EPP_5_1_Branch/gadgets/server/src/main/webapp/WEB-INF/web.xml =================================================================== --- epp/portal/branches/EPP_5_1_Branch/gadgets/server/src/main/webapp/WEB-INF/web.xml 2010-11-22 07:01:01 UTC (rev 5199) +++ epp/portal/branches/EPP_5_1_Branch/gadgets/server/src/main/webapp/WEB-INF/web.xml 2010-11-22 11:13:50 UTC (rev 5200) @@ -26,6 +26,9 @@ xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="Shindig" version="2.5"> + + <display-name>eXoGadgetServer</display-name> + <!-- configuration --> <!-- If you have your own Guice module(s), put them here as a colon-separated list. --> <context-param> @@ -44,6 +47,11 @@ <filter-name>authFilter</filter-name> <filter-class>org.apache.shindig.auth.AuthenticationServletFilter</filter-class> </filter> + + <filter> + <filter-name>ProxyServletFilter</filter-name> + <filter-class>org.exoplatform.portal.gadget.core.ProxyServletFilter</filter-class> + </filter> <filter-mapping> <filter-name>authFilter</filter-name> @@ -65,6 +73,11 @@ <url-pattern>/gadgets/api/rpc/*</url-pattern> </filter-mapping> + <filter-mapping> + <filter-name>ProxyServletFilter</filter-name> + <servlet-name>proxy</servlet-name> + </filter-mapping> + <listener> <listener-class>org.apache.shindig.common.servlet.GuiceServletContextListener</listener-class> </listener> Modified: epp/portal/branches/EPP_5_1_Branch/web/portal/src/main/webapp/WEB-INF/conf/common/common-configuration.xml =================================================================== --- epp/portal/branches/EPP_5_1_Branch/web/portal/src/main/webapp/WEB-INF/conf/common/common-configuration.xml 2010-11-22 07:01:01 UTC (rev 5199) +++ epp/portal/branches/EPP_5_1_Branch/web/portal/src/main/webapp/WEB-INF/conf/common/common-configuration.xml 2010-11-22 11:13:50 UTC (rev 5200) @@ -163,6 +163,23 @@ <type>org.exoplatform.groovyscript.text.TemplateService</type> </component> + <component> + <key>org.exoplatform.web.security.proxy.ProxyFilterService</key> + <type>org.exoplatform.web.security.proxy.ProxyFilterService</type> + <init-params> + <values-param> + <!-- The white list --> + <name>white-list</name> + <!-- We accept anything not black listed --> + <value>*</value> + </values-param> + <values-param> + <name>black-list</name> + <value>*.evil.org</value> + </values-param> + </init-params> + </component> + <external-component-plugins> <target-component>org.exoplatform.services.cache.ExoCacheFactory</target-component> <component-plugin>