Description
KNOX-2804 added a useful improvement to the logic that turns JSON files into XML topologies: before the generated topology is persisted, the values are XML-escaped to avoid errors in SAXParser.
However, this may cause backward-compatibility issues in deployments where the data in the given shared provider config or descriptor is already supplied in an XML-friendly (already escaped) form.
For instance, using the following shared provider config results in a bad XML topology:
{
  "providers" : [ {
    "role" : "webappsec",
    "name" : "WebAppSec",
    "enabled" : true,
    "params" : {
      "xframe.options.enabled" : "true"
    }
  }, {
    "role" : "authentication",
    "name" : "ShiroProvider",
    "enabled" : true,
    "params" : {
      "main.ldapContextFactory" : "org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory",
      "main.ldapRealm" : "org.apache.knox.gateway.shirorealm.KnoxLdapRealm",
      "main.ldapRealm.authenticationCachingEnabled" : "false",
      "main.ldapRealm.contextFactory" : "$ldapContextFactory",
      "main.ldapRealm.contextFactory.authenticationMechanism" : "simple",
      "main.ldapRealm.contextFactory.url" : "ldap://localhost:33389",
      "main.ldapRealm.userDnTemplate" : "uid=0ou=people,dc=hadoop,dc=apache,dc=org",
      "main.ldapRealm.userSearchFilter" : "(&(&(objectclass=person)(sAMAccountName={0}))(|(memberOf=CN=SecXX-users,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)(memberOf=CN=SecXX-rls-serviceuser,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)))",
      "redirectToUrl" : "/${GATEWAY_PATH}/knoxsso/knoxauth/login.html",
      "restrictedCookies" : "rememberme,WWW-Authenticate",
      "sessionTimeout" : "30",
      "urls./**" : "authcBasic"
    }
  }, {
    "role" : "identity-assertion",
    "name" : "Default",
    "enabled" : true,
    "params" : { }
  } ],
  "readOnly" : true
}
The generated XML:
<?xml version="1.0" encoding="utf-8"?>
<!--==============================================-->
<!-- DO NOT EDIT. This is an auto-generated file. -->
<!--==============================================-->
<topology>
  <generated>true</generated>
  <gateway>
    <provider>
      <role>webappsec</role>
      <name>WebAppSec</name>
      <enabled>true</enabled>
      <param>
        <name>xframe.options.enabled</name>
        <value>true</value>
      </param>
    </provider>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param>
        <name>main.ldapContextFactory</name>
        <value>org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory</value>
      </param>
      <param>
        <name>main.ldapRealm</name>
        <value>org.apache.knox.gateway.shirorealm.KnoxLdapRealm</value>
      </param>
      <param>
        <name>main.ldapRealm.authenticationCachingEnabled</name>
        <value>false</value>
      </param>
      <param>
        <name>main.ldapRealm.contextFactory</name>
        <value>$ldapContextFactory</value>
      </param>
      <param>
        <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
        <value>simple</value>
      </param>
      <param>
        <name>main.ldapRealm.contextFactory.url</name>
        <value>ldap://localhost:33389</value>
      </param>
      <param>
        <name>main.ldapRealm.userDnTemplate</name>
        <value>uid=0ou=people,dc=hadoop,dc=apache,dc=org</value>
      </param>
      <param>
        <name>main.ldapRealm.userSearchFilter</name>
        <value>(&amp;(&amp;(objectclass=person)(sAMAccountName={0}))(|(memberOf=CN=SecXX-users,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)(memberOf=CN=SecXX-rls-serviceuser,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)))</value>
      </param>
      <param>
        <name>redirectToUrl</name>
        <value>/${GATEWAY_PATH}/knoxsso/knoxauth/login.html</value>
      </param>
      <param>
        <name>restrictedCookies</name>
        <value>rememberme,WWW-Authenticate</value>
      </param>
      <param>
        <name>sessionTimeout</name>
        <value>30</value>
      </param>
      <param>
        <name>urls./**</name>
        <value>authcBasic</value>
      </param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
    <role>KNOXSSO</role>
    <param>
      <name>knoxsso.token.ttl</name>
      <value>86400000</value>
    </param>
    <param>
      <name>knoxsso.token.sigalg</name>
      <value></value>
    </param>
    <param>
      <name>knoxsso.redirect.whitelist.regex</name>
      <value>^https?:\/\/(.*smolnar\.root\.xyz\.com)(?::[0-9]+)?(?:\/.*)?$</value>
    </param>
  </service>
  <application>
    <name>knoxauth</name>
  </application>
</topology>
As you can see, the value of main.ldapRealm.userSearchFilter is double-escaped, which makes the topology invalid.
Moreover, the previously added XML escape function is meant for XML 1.1 documents, whereas this code generates XML 1.0, so that should be changed too.
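To make the double-escaping concrete, here is an added Python illustration (not Knox's code) of why an unconditional escape corrupts a value that is already XML-escaped, and one way to make the escaping idempotent while also dropping characters that XML 1.0 forbids. The entity-resolving helper, the `param_xml` renderer and the shortened filter value are assumptions constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# The five predefined XML entities plus decimal/hex character references.
_ENTITY_RE = re.compile(r"&(amp|lt|gt|quot|apos|#[0-9]+|#x[0-9A-Fa-f]+);")
_NAMED = {"amp": "&", "lt": "<", "gt": ">", "quot": '"', "apos": "'"}
# Complement of the XML 1.0 "Char" production: e.g. U+0001 may not appear in an
# XML 1.0 document at all, not even as &#1; (XML 1.1 would allow the reference).
_NOT_XML10_CHAR = re.compile("[^\x09\x0a\x0d\x20-\ud7ff\ue000-\ufffd\U00010000-\U0010ffff]")

def xml_unescape(value: str) -> str:
    """Resolve entity and character references back to literal characters."""
    def resolve(m):
        ref = m.group(1)
        if ref.startswith("#x"):
            return chr(int(ref[2:], 16))
        if ref.startswith("#"):
            return chr(int(ref[1:]))
        return _NAMED[ref]
    return _ENTITY_RE.sub(resolve, value)

def naive_escape(value: str) -> str:
    """Escape unconditionally: a value already containing &amp; becomes &amp;amp;."""
    return escape(value, {'"': "&quot;", "'": "&apos;"})

def normalized_escape(value: str) -> str:
    """Unescape, drop characters XML 1.0 forbids, then escape exactly once,
    so raw and pre-escaped inputs converge on the same single-escaped output."""
    literal = _NOT_XML10_CHAR.sub("", xml_unescape(value))
    return escape(literal, {'"': "&quot;", "'": "&apos;"})

def param_xml(name: str, value: str, escaper=normalized_escape) -> str:
    """Render one topology-style <param> element with the chosen escaping strategy."""
    return f"<param><name>{escaper(name)}</name><value>{escaper(value)}</value></param>"

def parsed_value(param_element: str) -> str:
    """The <value> text an XML 1.0 parser actually hands back to the application."""
    return ET.fromstring(param_element).find("value").text or ""

# Constructed inputs modelled on the userSearchFilter from the description (shortened).
RAW_FILTER = "(&(&(objectclass=person)(sAMAccountName={0}))(|(memberOf=CN=a,DC=int)))"
PRE_ESCAPED_FILTER = RAW_FILTER.replace("&", "&amp;")

if __name__ == "__main__":
    for label, esc in (("naive", naive_escape), ("normalized", normalized_escape)):
        xml = param_xml("main.ldapRealm.userSearchFilter", PRE_ESCAPED_FILTER, esc)
        print(label, "round-trips to the filter the operator wrote:", parsed_value(xml) == RAW_FILTER)
```

With the naive strategy the pre-escaped filter parses back as `(&amp;(&amp;...`, which is no longer a valid LDAP filter; the normalized strategy yields the intended `(&(&...` for both the raw and the pre-escaped input.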