This is an automated email from the ASF dual-hosted git repository. mpapirkovskyy pushed a commit to branch branch-2.7 in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/branch-2.7 by this push: new e6b0838 AMBARI-25159. http.strict-transport-security change does not take affect in 2.7.x. (mpapirkovskyy) (#2861) e6b0838 is described below commit e6b0838ba1853152a2849be8705be1aff669349e Author: Myroslav Papirkovskyi <mpapirkovs...@apache.org> AuthorDate: Tue Mar 12 23:42:02 2019 +0200 AMBARI-25159. http.strict-transport-security change does not take affect in 2.7.x. (mpapirkovskyy) (#2861)
---
 .../apache/ambari/server/configuration/spring/ApiSecurityConfig.java | 3 ++-
 .../main/java/org/apache/ambari/server/controller/AmbariServer.java | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/spring/ApiSecurityConfig.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/spring/ApiSecurityConfig.java
index c551e5e..06a0ee1 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/spring/ApiSecurityConfig.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/spring/ApiSecurityConfig.java
@@ -89,7 +89,8 @@ public class ApiSecurityConfig extends WebSecurityConfigurerAdapter{
 http.csrf().disable()
 .authorizeRequests().anyRequest().authenticated()
 .and()
- .headers().frameOptions().disable().and()
+ .headers().httpStrictTransportSecurity().disable()
+ .frameOptions().disable().and()
 .exceptionHandling().authenticationEntryPoint(ambariEntryPoint)
 .and()
 .addFilterBefore(guiceBeansConfig.ambariUserAuthorizationFilter(), BasicAuthenticationFilter.class)
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
index aa2c771..530ddc3 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
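Review bot: The added `.headers().httpStrictTransportSecurity().disable()` in ApiSecurityConfig reads like a security regression without a comment, because it switches off Spring Security's built-in Strict-Transport-Security writer and nothing in the hunk shows what sends the header instead. Judging by the commit title, the intent is presumably that the value of the `http.strict-transport-security` setting, applied elsewhere in the server, becomes the only HSTS value on API responses. I would record that above the chain, for example `// Spring's default HSTS writer is disabled so the configured http.strict-transport-security value is the only one sent`. A regression test that calls the API over TLS and asserts a single Strict-Transport-Security header carrying the configured value would stop a later refactor from silently dropping it. The enclosing method starts and ends outside the hunk.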
@@ -670,6 +670,7 @@ public class AmbariServer { ServerConnector apiConnector; HttpConfiguration http_config = new HttpConfiguration(); + http_config.addCustomizer(new SecureRequestCustomizer()); http_config.setRequestHeaderSize(configs.getHttpRequestHeaderSize()); http_config.setResponseHeaderSize(configs.getHttpResponseHeaderSize()); http_config.setSendServerVersion(false);
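Review bot: `http_config.addCustomizer(new SecureRequestCustomizer());` is added without a comment, and its link to the HSTS fix is not obvious. Jetty's customizer is what marks a request arriving on a TLS connection as secure (`isSecure()`, `https` scheme), which header writers commonly check before emitting Strict-Transport-Security. A one-line comment such as `// mark TLS requests as secure so the HSTS header is written` would preserve that reasoning. It is also worth confirming outside the hunk whether this `HttpConfiguration` is shared with a connector that runs without SSL. Separately, check the no-argument constructor's defaults: in some Jetty versions it enables an SNI host check that rejects requests whose Host does not match the certificate, which matters for deployments reached by IP address or alias.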