in gateway-provider-security-pac4j/src/main/java/org/apache/knox/gateway/pac4j/filter/Pac4jDispatcherFilter.java [145:260]
public void init( FilterConfig filterConfig ) throws ServletException {
// JWT service
final ServletContext context = filterConfig.getServletContext();
CryptoService cryptoService = null;
String clusterName = null;
if (context != null) {
GatewayServices services = (GatewayServices) context.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
clusterName = (String) context.getAttribute(GatewayServices.GATEWAY_CLUSTER_ATTRIBUTE);
if (services != null) {
keystoreService = services.getService(ServiceType.KEYSTORE_SERVICE);
cryptoService = services.getService(ServiceType.CRYPTO_SERVICE);
aliasService = services.getService(ServiceType.ALIAS_SERVICE);
masterService = services.getService(ServiceType.MASTER_SERVICE);
}
}
// crypto service, alias service and cluster name are mandatory
if (cryptoService == null || aliasService == null || clusterName == null) {
log.cryptoServiceAndAliasServiceAndClusterNameRequired();
throw new ServletException("The crypto service, alias service and cluster name are required.");
}
try {
aliasService.getPasswordFromAliasForCluster(clusterName, KnoxSessionStore.PAC4J_PASSWORD, true);
} catch (AliasServiceException e) {
log.unableToGenerateAPasswordForEncryption(e);
throw new ServletException("Unable to generate a password for encryption.");
}
// url to SSO authentication provider
String pac4jCallbackUrl = filterConfig.getInitParameter(PAC4J_CALLBACK_URL);
if (pac4jCallbackUrl == null) {
log.ssoAuthenticationProviderUrlRequired();
throw new ServletException("Required pac4j callback URL is missing.");
}
// client name from servlet parameter (mandatory)
final String clientNameParameter = filterConfig.getInitParameter(PAC4J_CLIENT_NAME_PARAM);
final String oidcType = filterConfig.getInitParameter(PAC4J_OIDC_TYPE);
/*
add the callback parameter to know it's a callback,
Azure AD does not honor query param so we add callback param as path element.
*/
if (AzureAdClient.class.getSimpleName().equals(clientNameParameter) || (
!StringUtils.isBlank(oidcType) && PAC4J_OICD_TYPE_AZURE
.equals(oidcType))) {
pac4jCallbackUrl = pac4jCallbackUrl + URL_PATH_SEPARATOR + PAC4J_CALLBACK_PARAMETER;
} else {
pac4jCallbackUrl = CommonHelper.addParameter(pac4jCallbackUrl, PAC4J_CALLBACK_PARAMETER, "true");
}
final Config config;
final String clientName;
if (TEST_BASIC_AUTH.equalsIgnoreCase(clientNameParameter)) {
// test configuration
final IndirectBasicAuthClient indirectBasicAuthClient = new IndirectBasicAuthClient(new SimpleTestUsernamePasswordAuthenticator());
indirectBasicAuthClient.setRealmName("Knox TEST");
config = new Config(pac4jCallbackUrl, indirectBasicAuthClient);
clientName = "IndirectBasicAuthClient";
} else {
// get clients from the init parameters
final Map<String, String> properties = new HashMap<>();
final Enumeration<String> names = filterConfig.getInitParameterNames();
addDefaultConfig(clientNameParameter, properties);
while (names.hasMoreElements()) {
final String key = names.nextElement();
properties.put(key, resolveAlias(clusterName, key, filterConfig.getInitParameter(key)));
}
final PropertiesConfigFactory propertiesConfigFactory = new PropertiesConfigFactory(pac4jCallbackUrl, properties);
config = propertiesConfigFactory.build();
final List<Client> clients = config.getClients().getClients();
if (clients == null || clients.isEmpty()) {
log.atLeastOnePac4jClientMustBeDefined();
throw new ServletException("At least one pac4j client must be defined.");
}
clientName = CommonHelper.isBlank(clientNameParameter) ? clients.get(0).getName() : clientNameParameter;
/* do we need to exclude groups? */
setSessionStoreConfig(filterConfig, PAC4J_SESSION_STORE_EXCLUDE_GROUPS, PAC4J_SESSION_STORE_EXCLUDE_GROUPS_DEFAULT);
/* do we need to exclude roles? */
setSessionStoreConfig(filterConfig, PAC4J_SESSION_STORE_EXCLUDE_ROLES, PAC4J_SESSION_STORE_EXCLUDE_ROLES_DEFAULT);
/* do we need to exclude permissions? */
setSessionStoreConfig(filterConfig, PAC4J_SESSION_STORE_EXCLUDE_PERMISSIONS, PAC4J_SESSION_STORE_EXCLUDE_PERMISSIONS_DEFAULT);
/* do we need to exclude custom attributes? */
setSessionStoreConfig(filterConfig, PAC4J_SESSION_STORE_EXCLUDE_CUSTOM_ATTRIBUTES, PAC4J_SESSION_STORE_EXCLUDE_CUSTOM_ATTRIBUTES_DEFAULT);
/* add cookie expiry */
setSessionStoreConfig(filterConfig, PAC4J_COOKIE_MAX_AGE, PAC4J_COOKIE_MAX_AGE_DEFAULT);
//decorating client configuration (if needed)
PAC4J_CLIENT_CONFIGURATION_DECORATOR.decorateClients(clients, properties);
}
callbackFilter = new CallbackFilter(config);
callbackFilter.init(filterConfig);
securityFilter = new SecurityFilter(config);
securityFilter.setClients(clientName);
final String domainSuffix = filterConfig.getInitParameter(PAC4J_COOKIE_DOMAIN_SUFFIX_PARAM);
final String sessionStoreVar = filterConfig.getInitParameter(PAC4J_SESSION_STORE);
SessionStore sessionStore;
if(!StringUtils.isBlank(sessionStoreVar) && JEESessionStore.class.getName().contains(sessionStoreVar) ) {
/* NOTE: this is a final variable, and will be used by all requests in Knox */
sessionStore = JEESessionStore.INSTANCE;
} else {
sessionStore = new KnoxSessionStore(cryptoService, clusterName, domainSuffix, sessionStoreConfigs);
}
config.setSessionStore(sessionStore);
SessionInvalidators.KNOX_SSO_INVALIDATOR.registerSessionInvalidator(this);
GatewayConfig gatewayConfig = (GatewayConfig) context.getAttribute(GatewayConfig.GATEWAY_CONFIG_ATTRIBUTE);
SSL_ENABLED = gatewayConfig.isSSLEnabled();
}