AMBARI-17311. Modify HTTP headers to follow best security practices (Sangeeta Ravindran via rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/34c5686c Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/34c5686c Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/34c5686c Branch: refs/heads/branch-feature-AMBARI-18456 Commit: 34c5686c3a0f80a5c7b78ddf05bb41cb13202438 Parents: a80c5a2 Author: Sangeeta Ravindran <sangeeta.e.ravind...@gmail.com> Authored: Mon Oct 10 11:05:40 2016 -0400 Committer: Robert Levas <rle...@hortonworks.com> Committed: Mon Oct 10 11:09:58 2016 -0400 ---------------------------------------------------------------------- ambari-server/conf/unix/ambari.properties | 6 + ambari-server/conf/windows/ambari.properties | 6 + .../server/configuration/Configuration.java | 135 +++++++++++++++++++ .../security/AbstractSecurityHeaderFilter.java | 43 ++++++ .../AmbariServerSecurityHeaderFilter.java | 3 + .../AmbariViewsSecurityHeaderFilter.java | 3 + .../AbstractSecurityHeaderFilterTest.java | 38 +++++- .../AmbariServerSecurityHeaderFilterTest.java | 7 + .../AmbariViewsSecurityHeaderFilterTest.java | 6 + 9 files changed, 246 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/conf/unix/ambari.properties ---------------------------------------------------------------------- diff --git a/ambari-server/conf/unix/ambari.properties b/ambari-server/conf/unix/ambari.properties index 4dcbe99..371653f 100644 --- a/ambari-server/conf/unix/ambari.properties +++ b/ambari-server/conf/unix/ambari.properties 
@@ -113,11 +113,17 @@ rolling.upgrade.skip.packages.prefixes=
 http.strict-transport-security=max-age=31536000
 http.x-xss-protection=1; mode=block
 http.x-frame-options=DENY
+http.x-content-type-options=nosniff
+http.cache-control=no-store
+http.pragma=no-cache
 # HTTP Header settings for Ambari Views
 views.http.strict-transport-security=max-age=31536000
 views.http.x-xss-protection=1; mode=block
 views.http.x-frame-options=SAMEORIGIN
+views.http.x-content-type-options=nosniff
+views.http.cache-control=no-store
+views.http.pragma=no-cache
 mpacks.staging.path=$ROOT/var/lib/ambari-server/resources/mpacks
http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/conf/windows/ambari.properties
----------------------------------------------------------------------
diff --git a/ambari-server/conf/windows/ambari.properties b/ambari-server/conf/windows/ambari.properties
index 64cce3b..c1c0a99 100644
--- a/ambari-server/conf/windows/ambari.properties
+++ b/ambari-server/conf/windows/ambari.properties
@@ -93,10 +93,16 @@ ulimit.open.files=10000
 http.strict-transport-security=max-age=31536000
 http.x-xss-protection=1; mode=block
 http.x-frame-options=DENY
+http.x-content-type-options=nosniff
+http.cache-control=no-store
+http.pragma=no-cache
 # HTTP Header settings for Ambari Views
 views.http.strict-transport-security=max-age=31536000
 views.http.x-xss-protection=1; mode=block
 views.http.x-frame-options=SAMEORIGIN
+views.http.x-content-type-options=nosniff
+views.http.cache-control=no-store
+views.http.pragma=no-cache
 mpacks.staging.path=resources\\mpacks
http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
----------------------------------------------------------------------
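Review bot: The new `http.cache-control=no-store` and `http.pragma=no-cache` lines carry no comment explaining their effect, even though the filter in this commit stamps them on every response it handles and treats an empty value as "do not send this header". If that filter is mapped over the static UI assets as well as the API (the mapping is not visible here), `no-store` will also stop browsers caching JS/CSS, which operators should know before tuning it. I would add above the new lines: `# Cache-Control/Pragma are set on every response that passes through the security header filter; leave a value empty to suppress that header. Pragma: no-cache is only honoured by HTTP/1.0 caches and is kept as a fallback to Cache-Control.` The same comment belongs on the `views.*` block and in the windows properties file.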
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java index 2e850ef..e976f45 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java @@ -2182,6 +2182,27 @@ public class Configuration { "http.x-xss-protection", "1; mode=block"); /** + * The value that will be used to set the {@code X-Content-Type} HTTP response header. + */ + @Markdown(description = "The value that will be used to set the `X-CONTENT-TYPE` HTTP response header.") + public static final ConfigurationProperty<String> HTTP_X_CONTENT_TYPE_HEADER_VALUE = new ConfigurationProperty<>( + "http.x-content-type-options", "nosniff"); + + /** + * The value that will be used to set the {@code Cache-Control} HTTP response header. + */ + @Markdown(description = "The value that will be used to set the `Cache-Control` HTTP response header.") + public static final ConfigurationProperty<String> HTTP_CACHE_CONTROL_HEADER_VALUE = new ConfigurationProperty<>( + "http.cache-control", "no-store"); + + /** + * The value that will be used to set the {@code PRAGMA} HTTP response header. + */ + @Markdown(description = "The value that will be used to set the `PRAGMA` HTTP response header.") + public static final ConfigurationProperty<String> HTTP_PRAGMA_HEADER_VALUE = new ConfigurationProperty<>( + "http.pragma", "no-cache"); + + /** * The value that will be used to set the {@code Strict-Transport-Security} * HTTP response header for Ambari View requests. */ 
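Review bot: The Javadoc and `@Markdown` description for `HTTP_X_CONTENT_TYPE_HEADER_VALUE` name the header `X-Content-Type` / `X-CONTENT-TYPE`, but the property key is `http.x-content-type-options` and the filter emits `X-Content-Type-Options`; `X-Content-Type` is not a header browsers recognise, so the generated configuration docs would mislead anyone tuning it. Change both to name `X-Content-Type-Options`, i.e. `* The value that will be used to set the {@code X-Content-Type-Options} HTTP response header.` and the same wording in the `@Markdown` string. While there, `PRAGMA` should read `Pragma` to match the wire name, as `Cache-Control` already does. The enclosing `Configuration` class starts and ends outside this hunk.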
@@ -2207,6 +2228,30 @@ public class Configuration { "views.http.x-xss-protection", "1; mode=block"); /** + * The value that will be used to set the {@code X-Content-Type} HTTP response header. + * HTTP response header for Ambari View requests. + */ + @Markdown(description = "The value that will be used to set the `X-CONTENT-TYPE` HTTP response header for Ambari View requests.") + public static final ConfigurationProperty<String> VIEWS_HTTP_X_CONTENT_TYPE_HEADER_VALUE = new ConfigurationProperty<>( + "views.http.x-content-type-options", "nosniff"); + + /** + * The value that will be used to set the {@code Cache-Control} HTTP response header. + * HTTP response header for Ambari View requests. + */ + @Markdown(description = "The value that will be used to set the `Cache-Control` HTTP response header for Ambari View requests.") + public static final ConfigurationProperty<String> VIEWS_HTTP_CACHE_CONTROL_HEADER_VALUE = new ConfigurationProperty<>( + "views.http.cache-control", "no-store"); + + /** + * The value that will be used to set the {@code PRAGMA} HTTP response header. + * HTTP response header for Ambari View requests. + */ + @Markdown(description = "The value that will be used to set the `PRAGMA` HTTP response header for Ambari View requests.") + public static final ConfigurationProperty<String> VIEWS_HTTP_PRAGMA_HEADER_VALUE = new ConfigurationProperty<>( + "views.http.pragma", "no-cache"); + + /** * The time, in milliseconds, that requests to connect to a URL to retrieve * Version Definition Files (VDF) will wait before being terminated. */ 
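Review bot: The Javadoc on the three new views constants repeats itself — `* The value that will be used to set the {@code X-Content-Type} HTTP response header.` is followed by `* HTTP response header for Ambari View requests.`, which reads as a copy-paste remnant, and it again names `X-Content-Type` where the header the filter sends is `X-Content-Type-Options`. Collapse each to one sentence, e.g. `* The value that will be used to set the {@code X-Content-Type-Options} HTTP response header for Ambari View requests.`, and likewise for `Cache-Control` and `Pragma`. The `@Markdown` descriptions need the same header-name fix so the generated docs match what is on the wire.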
@@ -3284,6 +3329,51 @@ public class Configuration { } /** + * Get the value that should be set for the <code>X-Content-Type</code> HTTP response header for Ambari Server UI. + * <p/> + * By default this will be <code>nosniff</code>. For example: + * <p/> + * <code> + * X-Content-Type: nosniff + * </code> + * + * @return the X-Content-Type value - null or "" indicates that the value is not set + */ + public String getXContentTypeHTTPResponseHeader() { + return getProperty(HTTP_X_CONTENT_TYPE_HEADER_VALUE); + } + + /** + * Get the value that should be set for the <code>Cache-Control</code> HTTP response header for Ambari Server UI. + * <p/> + * By default this will be <code>no-store</code>. For example: + * <p/> + * <code> + * Cache-control: no-store + * </code> + * + * @return the Cache-Control value - null or "" indicates that the value is not set + */ + public String getCacheControlHTTPResponseHeader() { + return getProperty(HTTP_CACHE_CONTROL_HEADER_VALUE); + } + + /** + * Get the value that should be set for the <code>Pragma</code> HTTP response header for Ambari Server UI. + * <p/> + * By default this will be <code>no-cache</code>. For example: + * <p/> + * <code> + * Pragma: no-cache + * </code> + * + * @return the Pragma value - null or "" indicates that the value is not set + */ + public String getPragmaHTTPResponseHeader() { + return getProperty(HTTP_PRAGMA_HEADER_VALUE); + } + + /** * Get the value that should be set for the <code>Strict-Transport-Security</code> HTTP response header for Ambari Views. * <p/> * By default this will be <code>max-age=31536000; includeSubDomains</code>. For example: 
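Review bot: The example in `getXContentTypeHTTPResponseHeader`'s Javadoc, `X-Content-Type: nosniff`, shows a header that is never sent; the filter writes `X-Content-Type-Options`, so the example should read `X-Content-Type-Options: nosniff` and the `<code>` references around it should use the full name. The `Cache-Control` example is also written `Cache-control: no-store`; header names are case-insensitive on the wire, but documentation should use the canonical form the filter emits. Since the new getters mirror the existing HSTS/X-Frame-Options ones, a `@see` pointing at the matching `HTTP_*_HEADER_VALUE` constant would tell readers where the default and the property key live.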
@@ -3331,6 +3421,51 @@ public class Configuration { } /** + * Get the value that should be set for the <code>X-Content-Type</code> HTTP response header for Ambari Views. + * <p/> + * By default this will be <code>nosniff</code>. For example: + * <p/> + * <code> + * X-Content-Type: nosniff + * </code> + * + * @return the X-Content-Type value - null or "" indicates that the value is not set + */ + public String getViewsXContentTypeHTTPResponseHeader() { + return getProperty(VIEWS_HTTP_X_CONTENT_TYPE_HEADER_VALUE); + } + + /** + * Get the value that should be set for the <code>Cache-Control</code> HTTP response header for Ambari Views. + * <p/> + * By default this will be <code>no-store</code>. For example: + * <p/> + * <code> + * Cache-control: no-store + * </code> + * + * @return the Cache-Control value - null or "" indicates that the value is not set + */ + public String getViewsCacheControlHTTPResponseHeader() { + return getProperty(VIEWS_HTTP_CACHE_CONTROL_HEADER_VALUE); + } + + /** + * Get the value that should be set for the <code>Pragma</code> HTTP response header for Ambari Views. + * <p/> + * By default this will be <code>no-cache</code>. For example: + * <p/> + * <code> + * Pragma: no-cache + * </code> + * + * @return the Pragma value - null or "" indicates that the value is not set + */ + public String getViewsPragmaHTTPResponseHeader() { + return getProperty(VIEWS_HTTP_PRAGMA_HEADER_VALUE); + } + + /** * Check to see if the hostname of the agent is to be validated as a proper hostname or not * * @return true if agent hostnames should be checked as a valid hostnames; otherwise false http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java ---------------------------------------------------------------------- 
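Review bot: Same documentation slip as the server-side getters: `getViewsXContentTypeHTTPResponseHeader` documents and exemplifies `X-Content-Type: nosniff`, while the header actually set is `X-Content-Type-Options`; fix the example to `X-Content-Type-Options: nosniff`. Because the views and server variants are otherwise word-for-word identical, it is worth a sentence in each views getter noting that it governs only responses served through the views filter, so readers do not assume one value covers both. The `Configuration` class continues outside this hunk.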
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java b/ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java index 05c9ecb..423a013 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java @@ -53,6 +53,9 @@ public abstract class AbstractSecurityHeaderFilter implements Filter { protected final static String STRICT_TRANSPORT_HEADER = "Strict-Transport-Security"; protected final static String X_FRAME_OPTIONS_HEADER = "X-Frame-Options"; protected final static String X_XSS_PROTECTION_HEADER = "X-XSS-Protection"; + protected final static String X_CONTENT_TYPE_HEADER = "X-Content-Type-Options"; + protected final static String CACHE_CONTROL_HEADER = "Cache-Control"; + protected final static String PRAGMA_HEADER = "Pragma"; /** * The logger. @@ -87,6 +90,19 @@ public abstract class AbstractSecurityHeaderFilter implements Filter { * The value for the X-XSS-Protection HTTP response header. */ private String xXSSProtectionHeader = Configuration.HTTP_X_XSS_PROTECTION_HEADER_VALUE.getDefaultValue(); + /** + * The value for the Content-Type HTTP response header. + */ + private String xContentTypeHeader = Configuration.HTTP_X_CONTENT_TYPE_HEADER_VALUE.getDefaultValue(); + /** + * The value for the Cache-control HTTP response header. + */ + private String cacheControlHeader = Configuration.HTTP_CACHE_CONTROL_HEADER_VALUE.getDefaultValue(); + /** + * The value for the Pragma HTTP response header. + */ + private String pragmaHeader = Configuration.HTTP_PRAGMA_HEADER_VALUE.getDefaultValue(); + @Override public void init(FilterConfig filterConfig) throws ServletException { 
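Review bot: The field comment `The value for the Content-Type HTTP response header.` is wrong — `Content-Type` is the body MIME-type header, which this filter never touches; the field feeds `X-Content-Type-Options`. The root of the confusion is the new constant `X_CONTENT_TYPE_HEADER` (value `"X-Content-Type-Options"`), which drops the `-Options` part and has already propagated into the Javadoc elsewhere in this commit; since it is new code, renaming it `X_CONTENT_TYPE_OPTIONS_HEADER` (and the field and setter to match) would stop that spreading. At minimum the comment should read `The value for the X-Content-Type-Options HTTP response header.` `init` begins in this hunk but continues outside it.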
@@ -141,6 +157,18 @@ public abstract class AbstractSecurityHeaderFilter implements Filter { this.xXSSProtectionHeader = xXSSProtectionHeader; } + protected void setXContentTypeHeader(String xContentTypeHeader) { + this.xContentTypeHeader = xContentTypeHeader; + } + + protected void setCacheControlHeader(String cacheControlHeader) { + this.cacheControlHeader = cacheControlHeader; + } + + protected void setPragmaHeader(String pragmaHeader) { + this.pragmaHeader = pragmaHeader; + } + private void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse) { if (servletResponse instanceof HttpServletResponse) { HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse; @@ -159,6 +187,21 @@ public abstract class AbstractSecurityHeaderFilter implements Filter { if (!StringUtils.isEmpty(xXSSProtectionHeader)) { httpServletResponse.setHeader(X_XSS_PROTECTION_HEADER, xXSSProtectionHeader); } + + // Conditionally set the X-Content-Type HTTP response header if a value is supplied + if (!StringUtils.isEmpty(xContentTypeHeader)) { + httpServletResponse.setHeader(X_CONTENT_TYPE_HEADER, xContentTypeHeader); + } + + // Conditionally set the X-Cache-Control HTTP response header if a value is supplied + if (!StringUtils.isEmpty(cacheControlHeader)) { + httpServletResponse.setHeader(CACHE_CONTROL_HEADER, cacheControlHeader); + } + + // Conditionally set the X-Pragma HTTP response header if a value is supplied + if (!StringUtils.isEmpty(pragmaHeader)) { + httpServletResponse.setHeader(PRAGMA_HEADER, pragmaHeader); + } } } http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java ---------------------------------------------------------------------- 
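Review bot: The comments on the three new blocks in `doFilterInternal` name headers that do not exist — `X-Content-Type`, `X-Cache-Control`, `X-Pragma` — and should read `X-Content-Type-Options`, `Cache-Control` and `Pragma`. A caveat is also worth recording above the `Cache-Control` block: `setHeader` replaces any value already present but cannot stop a later one, so if `doFilterInternal` runs before the chain (the test ordering suggests so, but `doFilter` is not in this hunk) any downstream handler that sets its own `Cache-Control` silently overrides `no-store`, e.g. `// NOTE: downstream handlers that set their own Cache-Control will override this value.` Conversely, handlers that do not will serve static assets with `no-store`, which is a performance rather than a security trade-off but should be stated.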
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java b/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java
index b40953b..aa00ac2 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java
@@ -47,6 +47,9 @@ public class AmbariServerSecurityHeaderFilter extends AbstractSecurityHeaderFilt
 setStrictTransportSecurity(configuration.getStrictTransportSecurityHTTPResponseHeader());
 setxFrameOptionsHeader(configuration.getXFrameOptionsHTTPResponseHeader());
 setxXSSProtectionHeader(configuration.getXXSSProtectionHTTPResponseHeader());
+ setXContentTypeHeader(configuration.getXContentTypeHTTPResponseHeader());
+ setCacheControlHeader(configuration.getCacheControlHTTPResponseHeader());
+ setPragmaHeader(configuration.getPragmaHTTPResponseHeader());
 }
 }
http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java b/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java
index 5bff4e3..d1be8cc 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java
@@ -43,5 +43,8 @@ public class AmbariViewsSecurityHeaderFilter extends AbstractSecurityHeaderFilte
 setStrictTransportSecurity(configuration.getViewsStrictTransportSecurityHTTPResponseHeader());
 setxFrameOptionsHeader(configuration.getViewsXFrameOptionsHTTPResponseHeader());
 setxXSSProtectionHeader(configuration.getViewsXXSSProtectionHTTPResponseHeader());
+ setXContentTypeHeader(configuration.getViewsXContentTypeHTTPResponseHeader());
+ setCacheControlHeader(configuration.getViewsCacheControlHTTPResponseHeader());
+ setPragmaHeader(configuration.getViewsPragmaHTTPResponseHeader());
 }
 }
http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java
index 7be70a3..d812ee6 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java
@@ -95,7 +95,13 @@ public abstract class AbstractSecurityHeaderFilterTest extends EasyMockSupport { expectLastCall().once(); servletResponse.setHeader(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER, defatulPropertyValueMap.get(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER)); expectLastCall().once(); - + servletResponse.setHeader(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER, defatulPropertyValueMap.get(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER)); + expectLastCall().once(); + servletResponse.setHeader(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER, defatulPropertyValueMap.get(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER)); + expectLastCall().once(); + servletResponse.setHeader(AbstractSecurityHeaderFilter.PRAGMA_HEADER, defatulPropertyValueMap.get(AbstractSecurityHeaderFilter.PRAGMA_HEADER)); + expectLastCall().once(); + FilterChain filterChain = createStrictMock(FilterChain.class); filterChain.doFilter(servletRequest, servletResponse); expectLastCall().once(); @@ -141,6 +147,12 @@ public abstract class AbstractSecurityHeaderFilterTest extends EasyMockSupport { expectLastCall().once(); servletResponse.setHeader(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER, defatulPropertyValueMap.get(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER)); expectLastCall().once(); + servletResponse.setHeader(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER, defatulPropertyValueMap.get(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER)); + expectLastCall().once(); + servletResponse.setHeader(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER, defatulPropertyValueMap.get(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER)); + expectLastCall().once(); + servletResponse.setHeader(AbstractSecurityHeaderFilter.PRAGMA_HEADER, defatulPropertyValueMap.get(AbstractSecurityHeaderFilter.PRAGMA_HEADER)); + expectLastCall().once(); FilterChain filterChain = createStrictMock(FilterChain.class); filterChain.doFilter(servletRequest, servletResponse); 
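Review bot: Every new expectation here compares against `AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER` and the other constants rather than the literal wire names, so a wrong constant value (say `X-Content-Type` instead of `X-Content-Type-Options`, the slip the Javadoc in this commit already makes) would pass every test in this file. One literal assertion per header, e.g. `assertEquals("X-Content-Type-Options", AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER);`, would pin the names browsers actually honour. The test method enclosing this hunk starts above it; `defatulPropertyValueMap` is a pre-existing typo in the field name that the new lines now repeat three more times.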
@@ -171,6 +183,9 @@ public abstract class AbstractSecurityHeaderFilterTest extends EasyMockSupport { properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.STRICT_TRANSPORT_HEADER), "custom1"); properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_FRAME_OPTIONS_HEADER), "custom2"); properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER), "custom3"); + properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER), "custom4"); + properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER), "custom5"); + properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.PRAGMA_HEADER), "custom6"); bind(OsFamily.class).toInstance(createNiceMock(OsFamily.class)); bind(Configuration.class).toInstance(new Configuration(properties)); @@ -187,6 +202,12 @@ public abstract class AbstractSecurityHeaderFilterTest extends EasyMockSupport { expectLastCall().once(); servletResponse.setHeader(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER, "custom3"); expectLastCall().once(); + servletResponse.setHeader(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER, "custom4"); + expectLastCall().once(); + servletResponse.setHeader(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER, "custom5"); + expectLastCall().once(); + servletResponse.setHeader(AbstractSecurityHeaderFilter.PRAGMA_HEADER, "custom6"); + expectLastCall().once(); FilterChain filterChain = createStrictMock(FilterChain.class); filterChain.doFilter(servletRequest, servletResponse); 
@@ -218,6 +239,9 @@ public abstract class AbstractSecurityHeaderFilterTest extends EasyMockSupport { properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.STRICT_TRANSPORT_HEADER), "custom1"); properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_FRAME_OPTIONS_HEADER), "custom2"); properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER), "custom3"); + properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER), "custom4"); + properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER), "custom5"); + properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.PRAGMA_HEADER), "custom6"); bind(OsFamily.class).toInstance(createNiceMock(OsFamily.class)); bind(Configuration.class).toInstance(new Configuration(properties)); @@ -236,6 +260,12 @@ public abstract class AbstractSecurityHeaderFilterTest extends EasyMockSupport { expectLastCall().once(); servletResponse.setHeader(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER, "custom3"); expectLastCall().once(); + servletResponse.setHeader(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER, "custom4"); + expectLastCall().once(); + servletResponse.setHeader(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER, "custom5"); + expectLastCall().once(); + servletResponse.setHeader(AbstractSecurityHeaderFilter.PRAGMA_HEADER, "custom6"); + expectLastCall().once(); FilterChain filterChain = createStrictMock(FilterChain.class); filterChain.doFilter(servletRequest, servletResponse); 
@@ -266,6 +296,9 @@ public abstract class AbstractSecurityHeaderFilterTest extends EasyMockSupport { properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.STRICT_TRANSPORT_HEADER), ""); properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_FRAME_OPTIONS_HEADER), ""); properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER), ""); + properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER), ""); + properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER), ""); + properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.PRAGMA_HEADER), ""); bind(OsFamily.class).toInstance(createNiceMock(OsFamily.class)); bind(Configuration.class).toInstance(new Configuration(properties)); @@ -309,6 +342,9 @@ public abstract class AbstractSecurityHeaderFilterTest extends EasyMockSupport { properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.STRICT_TRANSPORT_HEADER), ""); properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_FRAME_OPTIONS_HEADER), ""); properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER), ""); + properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER), ""); + properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER), ""); + properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.PRAGMA_HEADER), ""); bind(OsFamily.class).toInstance(createNiceMock(OsFamily.class)); bind(Configuration.class).toInstance(new Configuration(properties)); http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java index 6537130..7fa2386 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java 
@@ -40,12 +40,19 @@ public class AmbariServerSecurityHeaderFilterTest extends AbstractSecurityHeader map.put(AbstractSecurityHeaderFilter.STRICT_TRANSPORT_HEADER, Configuration.HTTP_STRICT_TRANSPORT_HEADER_VALUE.getKey()); map.put(AbstractSecurityHeaderFilter.X_FRAME_OPTIONS_HEADER, Configuration.HTTP_X_FRAME_OPTIONS_HEADER_VALUE.getKey()); map.put(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER, Configuration.HTTP_X_XSS_PROTECTION_HEADER_VALUE.getKey()); + map.put(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER, Configuration.HTTP_X_CONTENT_TYPE_HEADER_VALUE.getKey()); + map.put(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER, Configuration.HTTP_CACHE_CONTROL_HEADER_VALUE.getKey()); + map.put(AbstractSecurityHeaderFilter.PRAGMA_HEADER, Configuration.HTTP_PRAGMA_HEADER_VALUE.getKey()); + PROPERTY_NAME_MAP = Collections.unmodifiableMap(map); map = new HashMap<String, String>(); map.put(AbstractSecurityHeaderFilter.STRICT_TRANSPORT_HEADER, Configuration.HTTP_STRICT_TRANSPORT_HEADER_VALUE.getDefaultValue()); map.put(AbstractSecurityHeaderFilter.X_FRAME_OPTIONS_HEADER, Configuration.HTTP_X_FRAME_OPTIONS_HEADER_VALUE.getDefaultValue()); map.put(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER, Configuration.HTTP_X_XSS_PROTECTION_HEADER_VALUE.getDefaultValue()); + map.put(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER, Configuration.HTTP_X_CONTENT_TYPE_HEADER_VALUE.getDefaultValue()); + map.put(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER, Configuration.HTTP_CACHE_CONTROL_HEADER_VALUE.getDefaultValue()); + map.put(AbstractSecurityHeaderFilter.PRAGMA_HEADER, Configuration.HTTP_PRAGMA_HEADER_VALUE.getDefaultValue()); DEFAULT_PROPERTY_VALUE_MAP = Collections.unmodifiableMap(map); } http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java index c9d7974..d699ae0 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java 
@@ -41,12 +41,18 @@ public class AmbariViewsSecurityHeaderFilterTest extends AbstractSecurityHeaderF map.put(AbstractSecurityHeaderFilter.STRICT_TRANSPORT_HEADER, Configuration.VIEWS_HTTP_STRICT_TRANSPORT_HEADER_VALUE.getKey()); map.put(AbstractSecurityHeaderFilter.X_FRAME_OPTIONS_HEADER, Configuration.VIEWS_HTTP_X_FRAME_OPTIONS_HEADER_VALUE.getKey()); map.put(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER, Configuration.VIEWS_HTTP_X_XSS_PROTECTION_HEADER_VALUE.getKey()); + map.put(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER, Configuration.VIEWS_HTTP_X_CONTENT_TYPE_HEADER_VALUE.getKey()); + map.put(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER, Configuration.VIEWS_HTTP_CACHE_CONTROL_HEADER_VALUE.getKey()); + map.put(AbstractSecurityHeaderFilter.PRAGMA_HEADER, Configuration.VIEWS_HTTP_PRAGMA_HEADER_VALUE.getKey()); PROPERTY_NAME_MAP = Collections.unmodifiableMap(map); map = new HashMap<String, String>(); map.put(AbstractSecurityHeaderFilter.STRICT_TRANSPORT_HEADER, Configuration.VIEWS_HTTP_STRICT_TRANSPORT_HEADER_VALUE.getDefaultValue()); map.put(AbstractSecurityHeaderFilter.X_FRAME_OPTIONS_HEADER, Configuration.VIEWS_HTTP_X_FRAME_OPTIONS_HEADER_VALUE.getDefaultValue()); map.put(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER, Configuration.VIEWS_HTTP_X_XSS_PROTECTION_HEADER_VALUE.getDefaultValue()); + map.put(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER, Configuration.VIEWS_HTTP_X_CONTENT_TYPE_HEADER_VALUE.getDefaultValue()); + map.put(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER, Configuration.VIEWS_HTTP_CACHE_CONTROL_HEADER_VALUE.getDefaultValue()); + map.put(AbstractSecurityHeaderFilter.PRAGMA_HEADER, Configuration.VIEWS_HTTP_PRAGMA_HEADER_VALUE.getDefaultValue()); DEFAULT_PROPERTY_VALUE_MAP = Collections.unmodifiableMap(map); }