
AMBARI-2283. SecurityFilter does not allow hostnames with non-alphabetic characters. (Ximo Guanter via mahadev)

git-svn-id: https://svn.apache.org/repos/asf/incubator/ambari/trunk@1490572 13f79535-47bb-0310-9956-ffa450edef68
Mahadev Konar 12 年之前
父節點
當前提交
1bdf6213de

+ 6 - 0
ambari-project/pom.xml

@@ -147,6 +147,12 @@
         <artifactId>spring-security-web</artifactId>
         <version>3.1.2.RELEASE</version>
       </dependency>
+      <dependency>
+        <groupId>org.springframework</groupId>
+        <artifactId>spring-mock</artifactId>
+        <version>2.0.8</version>
+        <scope>test</scope>
+      </dependency>
       <dependency>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-ldap</artifactId>

+ 5 - 0
ambari-server/pom.xml

@@ -516,6 +516,11 @@
       <groupId>org.springframework.security</groupId>
       <artifactId>spring-security-web</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-mock</artifactId>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>org.springframework.security</groupId>
       <artifactId>spring-security-ldap</artifactId>

+ 33 - 26
ambari-server/src/main/java/org/apache/ambari/server/security/SecurityFilter.java

@@ -19,6 +19,7 @@
 package org.apache.ambari.server.security;
 
 import java.io.IOException;
+import java.net.URL;
 import java.util.regex.Pattern;
 
 import javax.servlet.Filter;
@@ -49,18 +50,20 @@ public class SecurityFilter implements Filter {
 
     HttpServletRequest req = (HttpServletRequest) serReq;
     String reqUrl = req.getRequestURL().toString();
-	
-    if (serReq.getLocalPort() == AmbariServer.AGENT_ONE_WAY_AUTH) {
+
+    LOG.debug("Filtering " + reqUrl + " for security purposes");
+    if (serReq.getLocalPort() != AmbariServer.AGENT_TWO_WAY_AUTH) {
       if (isRequestAllowed(reqUrl)) {
         filtCh.doFilter(serReq, serResp);
       }
       else {
-        LOG.warn("This request is not allowed on this port");
+        LOG.warn("This request is not allowed on this port: " + reqUrl);
       }
-
-	}
-	else
+    }
+	  else {
+      LOG.debug("Request can continue on secure port " + serReq.getLocalPort());
       filtCh.doFilter(serReq, serResp);
+    }
   }
 
   @Override
@@ -68,26 +71,30 @@ public class SecurityFilter implements Filter {
   }
 
   private boolean isRequestAllowed(String reqUrl) {
-	try {
+    try {
+      URL url = new URL(reqUrl);
+      if (!"https".equals(url.getProtocol())) {
+        LOG.warn(String.format("Request %s is not using HTTPS", reqUrl));
+        return false;
+      }
+
+      if (Pattern.matches("/cert/ca(/?)", url.getPath())) {
+        return true;
+      }
+
+      if (Pattern.matches("/certs/[^/0-9][^/]*", url.getPath())) {
+        return true;
+      }
+
+      if (Pattern.matches("/resources/.*", url.getPath())) {
+        return true;
+      }
 
-      boolean isMatch = Pattern.matches("https://[A-z]*:[0-9]*/cert/ca[/]*", reqUrl);
-		
-      if (isMatch)
-    	  return true;
-		
-		 isMatch = Pattern.matches("https://[A-z]*:[0-9]*/certs/[A-z0-9-.]*", reqUrl);
-		
-		 if (isMatch)
-			 return true;
-		
-		 isMatch = Pattern.matches("https://[A-z]*:[0-9]*/resources/.*", reqUrl);
-		
-		 if (isMatch)
-			 return true;
-		
-	} catch (Exception e) {
-	}
-  LOG.warn("Request " + reqUrl + " doesn't match any pattern.");
-	return false;
+    } catch (Exception e) {
+      LOG.warn("Exception while validating if request is secure " +
+        e.toString());
+    }
+    LOG.warn("Request " + reqUrl + " doesn't match any pattern.");
+    return false;
   }
 }
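Review bot: The new `/certs/` check at `Pattern.matches("/certs/[^/0-9][^/]*", url.getPath())` rejects any certificate name whose first character is a digit, which the old `[A-z0-9-.]*` pattern accepted; since RFC 1123 hostnames may begin with a digit, this looks like a regression against the commit's own goal unless excluding numeric names is intended, in which case a comment such as `// first character must not be a digit: bare IP addresses are not accepted as cert names` would record that. Separately, in the second hunk the deny branch only logs `This request is not allowed on this port` and neither forwards nor writes a response, so the client ends up with an empty success response; if `HttpServletResponse` is available alongside `HttpServletRequest`, adding `((HttpServletResponse) serResp).sendError(HttpServletResponse.SC_FORBIDDEN);` after the warn makes the refusal explicit to callers. The `catch (Exception e)` in isRequestAllowed could now be narrowed to `catch (MalformedURLException e)`, since `new URL(reqUrl)` is the only checked-exception source in the block, and the three regexes could be hoisted into `private static final Pattern` constants instead of being recompiled on every request.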