Merge pull request #522 from bsinno/fix_dos_filter

Fix too-many-requests filter URL configuration
This commit is contained in:
Kai Zimmermann
2017-05-18 14:36:17 +02:00
committed by GitHub
4 changed files with 61 additions and 20 deletions


@@ -9,6 +9,7 @@
package org.eclipse.hawkbit.autoconfigure.security;
import java.io.IOException;
import java.util.Arrays;
import javax.annotation.PostConstruct;
import javax.servlet.Filter;
@@ -49,8 +50,8 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.context.embedded.FilterRegistrationBean;
import org.springframework.boot.context.embedded.ServletListenerRegistrationBean;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
import org.springframework.context.annotation.AdviceMode;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@@ -100,11 +101,13 @@ public class SecurityManagedConfiguration {
private static final Logger LOG = LoggerFactory.getLogger(SecurityManagedConfiguration.class);
private static final int DOS_FILTER_ORDER = 1;
@Autowired
private AuthenticationConfiguration configuration;
/**
* @return the {@link UserAuthenticationFilter} to include into the SP
* @return the {@link UserAuthenticationFilter} to include into the hawkBit
* security configuration.
* @throws Exception
* lazy bean exception maybe if the authentication manager
@@ -167,8 +170,11 @@ public class SecurityManagedConfiguration {
@ConditionalOnClass(DdiApiConfiguration.class)
public FilterRegistrationBean dosDDiFilter(final HawkbitSecurityProperties securityProperties) {
final FilterRegistrationBean filterRegBean = dosFilter(securityProperties);
filterRegBean.addUrlPatterns("/{tenant}/controller/v1/**");
final FilterRegistrationBean filterRegBean = dosFilter(securityProperties.getDos().getFilter(),
securityProperties.getClients());
filterRegBean.addUrlPatterns("/{tenant}/controller/v1/*");
filterRegBean.setOrder(DOS_FILTER_ORDER);
filterRegBean.setName("dosDDiFilter");
return filterRegBean;
}
@@ -253,23 +259,25 @@ public class SecurityManagedConfiguration {
* service protection filter in the filter chain
*/
@Bean
@Order(52)
public FilterRegistrationBean dosSystemFilter(final HawkbitSecurityProperties securityProperties) {
final FilterRegistrationBean filterRegBean = dosFilter(securityProperties);
filterRegBean.addUrlPatterns("/system/*");
final FilterRegistrationBean filterRegBean = dosFilter(securityProperties.getDos().getFilter(),
securityProperties.getClients());
filterRegBean.setUrlPatterns(Arrays.asList("/system/*"));
filterRegBean.setOrder(DOS_FILTER_ORDER);
filterRegBean.setName("dosSystemFilter");
return filterRegBean;
}
private static FilterRegistrationBean dosFilter(final HawkbitSecurityProperties securityProperties) {
private static FilterRegistrationBean dosFilter(final HawkbitSecurityProperties.Dos.Filter filterProperties,
final HawkbitSecurityProperties.Clients clientProperties) {
final FilterRegistrationBean filterRegBean = new FilterRegistrationBean();
filterRegBean.setFilter(new DosFilter(securityProperties.getDos().getFilter().getMaxRead(),
securityProperties.getDos().getFilter().getMaxWrite(),
securityProperties.getDos().getFilter().getWhitelist(), securityProperties.getClients().getBlacklist(),
securityProperties.getClients().getRemoteIpHeader()));
filterRegBean.setFilter(new DosFilter(filterProperties.getMaxRead(), filterProperties.getMaxWrite(),
filterProperties.getWhitelist(), clientProperties.getBlacklist(),
clientProperties.getRemoteIpHeader()));
return filterRegBean;
}
@@ -330,8 +338,11 @@ public class SecurityManagedConfiguration {
@Bean
public FilterRegistrationBean dosMgmtFilter(final HawkbitSecurityProperties securityProperties) {
final FilterRegistrationBean filterRegBean = dosFilter(securityProperties);
filterRegBean.addUrlPatterns("/rest/**");
final FilterRegistrationBean filterRegBean = dosFilter(securityProperties.getDos().getFilter(),
securityProperties.getClients());
filterRegBean.setUrlPatterns(Arrays.asList("/rest/*", "/api/*"));
filterRegBean.setOrder(DOS_FILTER_ORDER);
filterRegBean.setName("dosMgmtFilter");
return filterRegBean;
}
@@ -383,12 +394,35 @@ public class SecurityManagedConfiguration {
@EnableVaadinSecurity
@ConditionalOnClass(MgmtUiConfiguration.class)
public static class UISecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
@Autowired
private VaadinSecurityContext vaadinSecurityContext;
@Autowired
private SecurityProperties springSecurityProperties;
/**
* Filter to protect the hawkBit management UI against to many requests.
*
* @param securityProperties
* for filter configuration
*
* @return the spring filter registration bean for registering a denial
* of service protection filter in the filter chain
*/
@Bean
public FilterRegistrationBean dosMgmtUiFilter(final HawkbitSecurityProperties securityProperties) {
final FilterRegistrationBean filterRegBean = dosFilter(securityProperties.getDos().getUiFilter(),
securityProperties.getClients());
// All URLs that can be called anonymous
filterRegBean.setUrlPatterns(Arrays.asList("/UI/login", "/UI/login/*", "/UI/logout", "/UI/logout/*"));
filterRegBean.setOrder(DOS_FILTER_ORDER);
filterRegBean.setName("dosMgmtUiFilter");
return filterRegBean;
}
/**
* post construct for setting the authentication success handler for the
* vaadin security context.
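Review bot: The DDI registration at `filterRegBean.addUrlPatterns("/{tenant}/controller/v1/*")` is still not a valid servlet url-pattern: the Servlet spec matches only exact paths, `/prefix/*` and `*.ext`, so `{tenant}` is taken literally and the DDI DoS filter will not fire for a real tenant path such as `/DEFAULT/controller/v1/...` — unless something outside this hunk rewrites the mapping, which I cannot see here. The other beans were corrected from `/**` to `/*`; the same fix here is to register on `/*` (`filterRegBean.setUrlPatterns(Arrays.asList("/*"));`, also making it consistent with the siblings that use `setUrlPatterns`) and confine the filter to DDI paths inside `DosFilter`, e.g. via `shouldNotFilter` with a `Pattern` for `^/[^/]+/controller/v1/.*` compiled once. Also worth noting: the rate-limit key comes from `clientProperties.getRemoteIpHeader()` (`X-Forwarded-For` by default), a client-controlled header when hawkBit is not behind a trusted proxy, and the new `dosMgmtUiFilter` on the anonymous `/UI/login*` paths is only as strong as that key — an attacker rotating the header value bypasses the login throttle, so the header should be honored only from known proxy addresses. Minor: the new javadoc reads `against to many requests`; it should be `against too many requests`.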


@@ -15,6 +15,9 @@ security.basic.realm=HawkBit
security.user.name=admin
security.user.password=admin
# Ensure that DosFilter runs before Spring Security
security.filter-order=5
# Spring cloud bus and stream
spring.cloud.bus.enabled=false
# Disable Cloud Bus default events
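Review bot: The "DosFilter before Spring Security" guarantee now lives in a properties file (`security.filter-order=5`) while the code hard-codes `DOS_FILTER_ORDER = 1`, so any deployment whose configuration omits or overrides this key silently moves the DoS filters behind the security chain with no warning. This file looks like an example or test configuration given the `admin`/`admin` credentials, so production profiles would need the same line. It would be more robust to derive the order in code from the already-autowired `SecurityProperties` (for instance `springSecurityProperties.getFilterOrder() - 1`) instead of relying on the property; failing that, extend the comment to `# Must stay greater than SecurityManagedConfiguration.DOS_FILTER_ORDER (1); otherwise the DoS filters run after Spring Security`.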


@@ -48,8 +48,8 @@ public class DosFilter extends OncePerRequestFilter {
private final Cache<String, AtomicInteger> writeCountCache = CacheBuilder.newBuilder()
.expireAfterAccess(1, TimeUnit.SECONDS).build();
private final Integer maxRead;
private final Integer maxWrite;
private final int maxRead;
private final int maxWrite;
private final Pattern whitelist;
@@ -73,7 +73,7 @@ public class DosFilter extends OncePerRequestFilter {
* the header containing the forwarded IP address e.g.
* {@code x-forwarded-for}
*/
public DosFilter(final Integer maxRead, final Integer maxWrite, final String ipDosWhiteListPattern,
public DosFilter(final int maxRead, final int maxWrite, final String ipDosWhiteListPattern,
final String ipBlackListPattern, final String forwardHeader) {
this.maxRead = maxRead;


@@ -40,8 +40,7 @@ public class HawkbitSecurityProperties {
private String blacklist = "";
/**
* Name of the http header from which the remote ip is extracted for DDI
* connected clients.
* Name of the http header from which the remote ip is extracted.
*/
private String remoteIpHeader = "X-Forwarded-For";
@@ -98,6 +97,11 @@ public class HawkbitSecurityProperties {
private int maxRolloutGroupsPerRollout = 500;
private final Filter filter = new Filter();
private final Filter uiFilter = new Filter();
public Filter getUiFilter() {
return uiFilter;
}
public Filter getFilter() {
return filter;