[ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

docs/security/shiroauthentication.md

@@ -182,12 +182,12 @@ securityManager.realms = $ldapRealm
  ```
 
 ### PAM
-[PAM](https://en.wikipedia.org/wiki/Pluggable_authentication_module) authentication support allows the reuse of existing authentication 
+[PAM](https://en.wikipedia.org/wiki/Pluggable_authentication_module) authentication support allows the reuse of existing authentication
 moduls on the host where Zeppelin is running. On a typical system modules are configured per service for example sshd, passwd, etc. under `/etc/pam.d/`. You can
 either reuse one of these services or create your own for Zeppelin. Activiting PAM authentication requires two parameters:
  1. realm: The Shiro realm being used
  2. service: The service configured under `/etc/pam.d/` to be used. The name here needs to be the same as the file name under `/etc/pam.d/`
- 
+
 ```
 [main]
  pamRealm=org.apache.zeppelin.realm.PamRealm
@@ -232,4 +232,3 @@ If you want to grant this permission to other users, you can change **roles[ ]**
 ## Other authentication methods
 
 - [HTTP Basic Authentication using NGINX](./authentication.html)
-

pom.xml

@@ -107,7 +107,7 @@
     <commons.collections.version>3.2.1</commons.collections.version>
     <commons.logging.version>1.1.1</commons.logging.version>
     <commons.cli.version>1.3.1</commons.cli.version>
-    <shiro.version>1.2.3</shiro.version>
+    <shiro.version>1.3.2</shiro.version>
 
     <!-- test library versions -->
     <junit.version>4.12</junit.version>

zeppelin-distribution/src/bin_license/LICENSE

@@ -95,8 +95,8 @@ The following components are provided under Apache License.
     (Apache 2.0) Lucene Suggest (org.apache.lucene:lucene-suggest:5.3.1 - http://lucene.apache.org/lucene-parent/lucene-suggest)
     (Apache 2.0) Elasticsearch: Core (org.elasticsearch:elasticsearch:2.1.0 - http://nexus.sonatype.org/oss-repository-hosting.html/parent/elasticsearch)
     (Apache 2.0) Joda convert (org.joda:joda-convert:1.8.1 - http://joda-convert.sourceforge.net)
-    (Apache 2.0) Shiro Core (org.apache.shiro:shiro-core:1.2.3 - https://shiro.apache.org)
-    (Apache 2.0) Shiro Web (org.apache.shiro:shiro-web:1.2.3 - https://shiro.apache.org)
+    (Apache 2.0) Shiro Core (org.apache.shiro:shiro-core:1.3.2 - https://shiro.apache.org)
+    (Apache 2.0) Shiro Web (org.apache.shiro:shiro-web:1.3.2 - https://shiro.apache.org)
     (Apache 2.0) SnakeYAML (org.yaml:snakeyaml:1.15 - http://www.snakeyaml.org)
     (Apache 2.0) Protocol Buffers (com.google.protobuf:protobuf-java:2.5.0 - https://github.com/google/protobuf/releases)
     (Apache 2.0) Alluxio Shell (org.alluxio:alluxio-shell:1.0.0 - http://alluxio.org)

zeppelin-server/pom.xml

@@ -478,7 +478,6 @@
         </dependencies>
       </dependencyManagement>
     </profile>
-
     <profile>
       <id>using-source-tree</id>
       <activation>

zeppelin-web/src/app/app.js

@@ -146,6 +146,7 @@ let zeppelinWebApp = angular.module('zeppelinWebApp', requiredModules)
 
   // handel logout on API failure
   .config(function ($httpProvider, $provide) {
+    $httpProvider.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest'
     $provide.factory('httpInterceptor', function ($q, $rootScope) {
       return {
         'responseError': function (rejection) {
@@ -175,12 +176,24 @@ function auth () {
     },
     crossDomain: true
   })
-  return $http.get(baseUrlSrv.getRestApiBase() + '/security/ticket').then(function (response) {
+  let config = {headers: { 'X-Requested-With': 'XMLHttpRequest' }}
+  return $http.get(baseUrlSrv.getRestApiBase() + '/security/ticket', config).then(function (response) {
     zeppelinWebApp.run(function ($rootScope) {
       $rootScope.ticket = angular.fromJson(response.data).body
+
+      $rootScope.ticket.screenUsername = $rootScope.ticket.principal
+      if ($rootScope.ticket.principal.startsWith('#Pac4j')) {
+        let re = ', name=(.*?),'
+        $rootScope.ticket.screenUsername = $rootScope.ticket.principal.match(re)[1]
+      }
     })
   }, function (errorResponse) {
     // Handle error case
+    let redirect = errorResponse.headers('Location')
+    if (errorResponse.status === 401 && redirect !== undefined) {
+      // Handle page redirect
+      window.location.href = redirect
+    }
   })
 }
 

zeppelin-web/src/components/navbar/navbar.controller.js

@@ -95,6 +95,7 @@ function NavCtrl ($scope, $rootScope, $http, $routeParams, $location,
       $http.post(logoutURL).error(function () {
         $rootScope.userName = ''
         $rootScope.ticket.principal = ''
+        $rootScope.ticket.screenUsername = ''
         $rootScope.ticket.ticket = ''
         $rootScope.ticket.roles = ''
         BootstrapDialog.show({
@@ -131,6 +132,7 @@ function NavCtrl ($scope, $rootScope, $http, $routeParams, $location,
   })
 
   $scope.$on('loginSuccess', function (event, param) {
+    $rootScope.ticket.screenUsername = $rootScope.ticket.principal
     listConfigurations()
     loadNotes()
     getHomeNote()

zeppelin-web/src/components/navbar/navbar.html

@@ -90,7 +90,7 @@
             <i ng-if="!navbar.connected" class="fa fa-circle server-disconnected"
                uib-tooltip="WebSocket Disconnected" tooltip-placement="bottom" style="margin-top: 7px; vertical-align: top"></i>
             <button ng-if="ticket" class="nav-btn dropdown-toggle" type="button" data-toggle="dropdown" style="margin:11px 5px 0 0; padding-left: 0px;">
-              <span class="username">{{ticket.principal}}</span>
+              <span class="username">{{ticket.screenUsername}}</span>
               <span class="caret" style="margin-bottom: 8px"></span>
             </button>
             <span ng-if="!ticket" style="margin: 5px;"></span>