Merge pull request #522 from bsinno/fix_dos_filter
Fix to many request filter URL configuration
This commit is contained in:
@@ -9,6 +9,7 @@
|
|||||||
package org.eclipse.hawkbit.autoconfigure.security;
|
package org.eclipse.hawkbit.autoconfigure.security;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
import java.util.Arrays;
|
||||||
|
|
||||||
import javax.annotation.PostConstruct;
|
import javax.annotation.PostConstruct;
|
||||||
import javax.servlet.Filter;
|
import javax.servlet.Filter;
|
||||||
@@ -49,8 +50,8 @@ import org.springframework.beans.factory.annotation.Autowired;
|
|||||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
|
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
|
||||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
|
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
|
||||||
import org.springframework.boot.autoconfigure.security.SecurityProperties;
|
import org.springframework.boot.autoconfigure.security.SecurityProperties;
|
||||||
import org.springframework.boot.context.embedded.FilterRegistrationBean;
|
import org.springframework.boot.web.servlet.FilterRegistrationBean;
|
||||||
import org.springframework.boot.context.embedded.ServletListenerRegistrationBean;
|
import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
|
||||||
import org.springframework.context.annotation.AdviceMode;
|
import org.springframework.context.annotation.AdviceMode;
|
||||||
import org.springframework.context.annotation.Bean;
|
import org.springframework.context.annotation.Bean;
|
||||||
import org.springframework.context.annotation.Configuration;
|
import org.springframework.context.annotation.Configuration;
|
||||||
@@ -100,11 +101,13 @@ public class SecurityManagedConfiguration {
|
|||||||
|
|
||||||
private static final Logger LOG = LoggerFactory.getLogger(SecurityManagedConfiguration.class);
|
private static final Logger LOG = LoggerFactory.getLogger(SecurityManagedConfiguration.class);
|
||||||
|
|
||||||
|
private static final int DOS_FILTER_ORDER = 1;
|
||||||
|
|
||||||
@Autowired
|
@Autowired
|
||||||
private AuthenticationConfiguration configuration;
|
private AuthenticationConfiguration configuration;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return the {@link UserAuthenticationFilter} to include into the SP
|
* @return the {@link UserAuthenticationFilter} to include into the hawkBit
|
||||||
* security configuration.
|
* security configuration.
|
||||||
* @throws Exception
|
* @throws Exception
|
||||||
* lazy bean exception maybe if the authentication manager
|
* lazy bean exception maybe if the authentication manager
|
||||||
@@ -167,8 +170,11 @@ public class SecurityManagedConfiguration {
|
|||||||
@ConditionalOnClass(DdiApiConfiguration.class)
|
@ConditionalOnClass(DdiApiConfiguration.class)
|
||||||
public FilterRegistrationBean dosDDiFilter(final HawkbitSecurityProperties securityProperties) {
|
public FilterRegistrationBean dosDDiFilter(final HawkbitSecurityProperties securityProperties) {
|
||||||
|
|
||||||
final FilterRegistrationBean filterRegBean = dosFilter(securityProperties);
|
final FilterRegistrationBean filterRegBean = dosFilter(securityProperties.getDos().getFilter(),
|
||||||
filterRegBean.addUrlPatterns("/{tenant}/controller/v1/**");
|
securityProperties.getClients());
|
||||||
|
filterRegBean.addUrlPatterns("/{tenant}/controller/v1/*");
|
||||||
|
filterRegBean.setOrder(DOS_FILTER_ORDER);
|
||||||
|
filterRegBean.setName("dosDDiFilter");
|
||||||
|
|
||||||
return filterRegBean;
|
return filterRegBean;
|
||||||
}
|
}
|
||||||
@@ -253,23 +259,25 @@ public class SecurityManagedConfiguration {
|
|||||||
* service protection filter in the filter chain
|
* service protection filter in the filter chain
|
||||||
*/
|
*/
|
||||||
@Bean
|
@Bean
|
||||||
@Order(52)
|
|
||||||
public FilterRegistrationBean dosSystemFilter(final HawkbitSecurityProperties securityProperties) {
|
public FilterRegistrationBean dosSystemFilter(final HawkbitSecurityProperties securityProperties) {
|
||||||
|
|
||||||
final FilterRegistrationBean filterRegBean = dosFilter(securityProperties);
|
final FilterRegistrationBean filterRegBean = dosFilter(securityProperties.getDos().getFilter(),
|
||||||
filterRegBean.addUrlPatterns("/system/*");
|
securityProperties.getClients());
|
||||||
|
filterRegBean.setUrlPatterns(Arrays.asList("/system/*"));
|
||||||
|
filterRegBean.setOrder(DOS_FILTER_ORDER);
|
||||||
|
filterRegBean.setName("dosSystemFilter");
|
||||||
|
|
||||||
return filterRegBean;
|
return filterRegBean;
|
||||||
}
|
}
|
||||||
|
|
||||||
private static FilterRegistrationBean dosFilter(final HawkbitSecurityProperties securityProperties) {
|
private static FilterRegistrationBean dosFilter(final HawkbitSecurityProperties.Dos.Filter filterProperties,
|
||||||
|
final HawkbitSecurityProperties.Clients clientProperties) {
|
||||||
|
|
||||||
final FilterRegistrationBean filterRegBean = new FilterRegistrationBean();
|
final FilterRegistrationBean filterRegBean = new FilterRegistrationBean();
|
||||||
|
|
||||||
filterRegBean.setFilter(new DosFilter(securityProperties.getDos().getFilter().getMaxRead(),
|
filterRegBean.setFilter(new DosFilter(filterProperties.getMaxRead(), filterProperties.getMaxWrite(),
|
||||||
securityProperties.getDos().getFilter().getMaxWrite(),
|
filterProperties.getWhitelist(), clientProperties.getBlacklist(),
|
||||||
securityProperties.getDos().getFilter().getWhitelist(), securityProperties.getClients().getBlacklist(),
|
clientProperties.getRemoteIpHeader()));
|
||||||
securityProperties.getClients().getRemoteIpHeader()));
|
|
||||||
|
|
||||||
return filterRegBean;
|
return filterRegBean;
|
||||||
}
|
}
|
||||||
@@ -330,8 +338,11 @@ public class SecurityManagedConfiguration {
|
|||||||
@Bean
|
@Bean
|
||||||
public FilterRegistrationBean dosMgmtFilter(final HawkbitSecurityProperties securityProperties) {
|
public FilterRegistrationBean dosMgmtFilter(final HawkbitSecurityProperties securityProperties) {
|
||||||
|
|
||||||
final FilterRegistrationBean filterRegBean = dosFilter(securityProperties);
|
final FilterRegistrationBean filterRegBean = dosFilter(securityProperties.getDos().getFilter(),
|
||||||
filterRegBean.addUrlPatterns("/rest/**");
|
securityProperties.getClients());
|
||||||
|
filterRegBean.setUrlPatterns(Arrays.asList("/rest/*", "/api/*"));
|
||||||
|
filterRegBean.setOrder(DOS_FILTER_ORDER);
|
||||||
|
filterRegBean.setName("dosMgmtFilter");
|
||||||
|
|
||||||
return filterRegBean;
|
return filterRegBean;
|
||||||
}
|
}
|
||||||
@@ -383,12 +394,35 @@ public class SecurityManagedConfiguration {
|
|||||||
@EnableVaadinSecurity
|
@EnableVaadinSecurity
|
||||||
@ConditionalOnClass(MgmtUiConfiguration.class)
|
@ConditionalOnClass(MgmtUiConfiguration.class)
|
||||||
public static class UISecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
|
public static class UISecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
|
||||||
|
|
||||||
@Autowired
|
@Autowired
|
||||||
private VaadinSecurityContext vaadinSecurityContext;
|
private VaadinSecurityContext vaadinSecurityContext;
|
||||||
|
|
||||||
@Autowired
|
@Autowired
|
||||||
private SecurityProperties springSecurityProperties;
|
private SecurityProperties springSecurityProperties;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Filter to protect the hawkBit management UI against to many requests.
|
||||||
|
*
|
||||||
|
* @param securityProperties
|
||||||
|
* for filter configuration
|
||||||
|
*
|
||||||
|
* @return the spring filter registration bean for registering a denial
|
||||||
|
* of service protection filter in the filter chain
|
||||||
|
*/
|
||||||
|
@Bean
|
||||||
|
public FilterRegistrationBean dosMgmtUiFilter(final HawkbitSecurityProperties securityProperties) {
|
||||||
|
|
||||||
|
final FilterRegistrationBean filterRegBean = dosFilter(securityProperties.getDos().getUiFilter(),
|
||||||
|
securityProperties.getClients());
|
||||||
|
// All URLs that can be called anonymous
|
||||||
|
filterRegBean.setUrlPatterns(Arrays.asList("/UI/login", "/UI/login/*", "/UI/logout", "/UI/logout/*"));
|
||||||
|
filterRegBean.setOrder(DOS_FILTER_ORDER);
|
||||||
|
filterRegBean.setName("dosMgmtUiFilter");
|
||||||
|
|
||||||
|
return filterRegBean;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* post construct for setting the authentication success handler for the
|
* post construct for setting the authentication success handler for the
|
||||||
* vaadin security context.
|
* vaadin security context.
|
||||||
|
|||||||
@@ -15,6 +15,9 @@ security.basic.realm=HawkBit
|
|||||||
security.user.name=admin
|
security.user.name=admin
|
||||||
security.user.password=admin
|
security.user.password=admin
|
||||||
|
|
||||||
|
# Ensure that DosFilter runs before Spring Security
|
||||||
|
security.filter-order=5
|
||||||
|
|
||||||
# Spring cloud bus and stream
|
# Spring cloud bus and stream
|
||||||
spring.cloud.bus.enabled=false
|
spring.cloud.bus.enabled=false
|
||||||
# Disable Cloud Bus default events
|
# Disable Cloud Bus default events
|
||||||
|
|||||||
@@ -48,8 +48,8 @@ public class DosFilter extends OncePerRequestFilter {
|
|||||||
private final Cache<String, AtomicInteger> writeCountCache = CacheBuilder.newBuilder()
|
private final Cache<String, AtomicInteger> writeCountCache = CacheBuilder.newBuilder()
|
||||||
.expireAfterAccess(1, TimeUnit.SECONDS).build();
|
.expireAfterAccess(1, TimeUnit.SECONDS).build();
|
||||||
|
|
||||||
private final Integer maxRead;
|
private final int maxRead;
|
||||||
private final Integer maxWrite;
|
private final int maxWrite;
|
||||||
|
|
||||||
private final Pattern whitelist;
|
private final Pattern whitelist;
|
||||||
|
|
||||||
@@ -73,7 +73,7 @@ public class DosFilter extends OncePerRequestFilter {
|
|||||||
* the header containing the forwarded IP address e.g.
|
* the header containing the forwarded IP address e.g.
|
||||||
* {@code x-forwarded-for}
|
* {@code x-forwarded-for}
|
||||||
*/
|
*/
|
||||||
public DosFilter(final Integer maxRead, final Integer maxWrite, final String ipDosWhiteListPattern,
|
public DosFilter(final int maxRead, final int maxWrite, final String ipDosWhiteListPattern,
|
||||||
final String ipBlackListPattern, final String forwardHeader) {
|
final String ipBlackListPattern, final String forwardHeader) {
|
||||||
|
|
||||||
this.maxRead = maxRead;
|
this.maxRead = maxRead;
|
||||||
|
|||||||
@@ -40,8 +40,7 @@ public class HawkbitSecurityProperties {
|
|||||||
private String blacklist = "";
|
private String blacklist = "";
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Name of the http header from which the remote ip is extracted for DDI
|
* Name of the http header from which the remote ip is extracted.
|
||||||
* connected clients.
|
|
||||||
*/
|
*/
|
||||||
private String remoteIpHeader = "X-Forwarded-For";
|
private String remoteIpHeader = "X-Forwarded-For";
|
||||||
|
|
||||||
@@ -98,6 +97,11 @@ public class HawkbitSecurityProperties {
|
|||||||
private int maxRolloutGroupsPerRollout = 500;
|
private int maxRolloutGroupsPerRollout = 500;
|
||||||
|
|
||||||
private final Filter filter = new Filter();
|
private final Filter filter = new Filter();
|
||||||
|
private final Filter uiFilter = new Filter();
|
||||||
|
|
||||||
|
public Filter getUiFilter() {
|
||||||
|
return uiFilter;
|
||||||
|
}
|
||||||
|
|
||||||
public Filter getFilter() {
|
public Filter getFilter() {
|
||||||
return filter;
|
return filter;
|
||||||
|
|||||||
Reference in New Issue
Block a user