Repository: zeppelin Updated Branches: refs/heads/master 30bfcae0c -> 79d139a49
ZEPPELIN-2873 - Add documentation on secure cookie in Shiro ### What is this PR for? Adding a section in Shiro Authentication about how to enable secure cookie via Shiro. Shiro do support configuring 'HttpOnly' flag in response cookie. A Zeppelin user, who is security conscious, should know how to enable this in Zeppelin's Shiro configuration. ### What type of PR is it? Documentation ### What is the Jira issue? ZEPPELIN-2873 ### How should this be tested? Doc changes. CI test should pass. ### Questions: * Does the licenses files need update? No * Is there breaking changes for older versions? No * Does this needs documentation? No Author: Vipin Rathor <v.rat...@gmail.com> Closes #2545 from VipinRathor/ZEPPELIN-2873 and squashes the following commits: c7b7995 [Vipin Rathor] Updated doc as per the review comments. fec8d7e [Vipin Rathor] ZEPPELIN-2873 - Add documentation on Zeppelin Shiro's abliity to configure secure cookie Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/79d139a4 Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/79d139a4 Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/79d139a4 Branch: refs/heads/master Commit: 79d139a494a969d766e812976c49841b3d21fe71 Parents: 30bfcae Author: Vipin Rathor <v.rat...@gmail.com> Authored: Tue Aug 22 13:20:47 2017 -0700 Committer: Lee moon soo <m...@apache.org> Committed: Wed Aug 23 23:10:29 2017 -0700 ---------------------------------------------------------------------- docs/setup/security/shiro_authentication.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/zeppelin/blob/79d139a4/docs/setup/security/shiro_authentication.md ---------------------------------------------------------------------- diff --git a/docs/setup/security/shiro_authentication.md b/docs/setup/security/shiro_authentication.md index 0dcb722..33b67d0 100644 --- a/docs/setup/security/shiro_authentication.md +++ b/docs/setup/security/shiro_authentication.md @@ -210,6 +210,21 @@ securityManager.realms = $zeppelinHubRealm > Note: ZeppelinHub is not releated to Apache Zeppelin project. +## Secure Cookie for Zeppelin Sessions (optional) +Zeppelin can be configured to set `HttpOnly` flag in the session cookie. With this configuration, Zeppelin cookies can +not be accessed via client side scripts thus preventing majority of Cross-site scripting (XSS) attacks. + +To enable secure cookie support via Shiro, add the following lines in `conf/shiro.ini` under `[main]` section, after +defining a `sessionManager`. + +``` +cookie = org.apache.shiro.web.servlet.SimpleCookie +cookie.name = JSESSIONID +cookie.secure = true +cookie.httpOnly = true +sessionManager.sessionIdCookie = $cookie +``` + ## Secure your Zeppelin information (optional) By default, anyone who defined in `[users]` can share **Interpreter Setting**, **Credential** and **Configuration** information in Apache Zeppelin. Sometimes you might want to hide these information for your use case.
