Repository: zeppelin Updated Branches: refs/heads/branch-0.7 b2164e9fd -> 55a2bbbc3
ZEPPELIN-2873 - Add documentation on secure cookie in Shiro ### What is this PR for? Adding a section in Shiro Authentication about how to enable secure cookie via Shiro. Shiro do support configuring 'HttpOnly' flag in response cookie. A Zeppelin user, who is security conscious, should know how to enable this in Zeppelin's Shiro configuration. ### What type of PR is it? Documentation ### What is the Jira issue? ZEPPELIN-2873 ### How should this be tested? Doc changes. CI test should pass. ### Questions: * Does the licenses files need update? No * Is there breaking changes for older versions? No * Does this needs documentation? No Author: Vipin Rathor <v.rat...@gmail.com> Closes #2545 from VipinRathor/ZEPPELIN-2873 and squashes the following commits: c7b7995 [Vipin Rathor] Updated doc as per the review comments. fec8d7e [Vipin Rathor] ZEPPELIN-2873 - Add documentation on Zeppelin Shiro's abliity to configure secure cookie (cherry picked from commit 79d139a494a969d766e812976c49841b3d21fe71) Signed-off-by: Lee moon soo <m...@apache.org> Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/55a2bbbc Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/55a2bbbc Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/55a2bbbc Branch: refs/heads/branch-0.7 Commit: 55a2bbbc3f454412a31a709ceaba9efa8f5d4eee Parents: b2164e9 Author: Vipin Rathor <v.rat...@gmail.com> Authored: Tue Aug 22 13:20:47 2017 -0700 Committer: Lee moon soo <m...@apache.org> Committed: Wed Aug 23 23:10:39 2017 -0700 ---------------------------------------------------------------------- docs/security/shiroauthentication.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/zeppelin/blob/55a2bbbc/docs/security/shiroauthentication.md ---------------------------------------------------------------------- diff --git a/docs/security/shiroauthentication.md b/docs/security/shiroauthentication.md index e608a14..75a52e1 100644 --- a/docs/security/shiroauthentication.md +++ b/docs/security/shiroauthentication.md @@ -209,6 +209,21 @@ securityManager.realms = $zeppelinHubRealm > Note: ZeppelinHub is not releated to Apache Zeppelin project. +## Secure Cookie for Zeppelin Sessions (optional) +Zeppelin can be configured to set `HttpOnly` flag in the session cookie. With this configuration, Zeppelin cookies can +not be accessed via client side scripts thus preventing majority of Cross-site scripting (XSS) attacks. + +To enable secure cookie support via Shiro, add the following lines in `conf/shiro.ini` under `[main]` section, after +defining a `sessionManager`. + +``` +cookie = org.apache.shiro.web.servlet.SimpleCookie +cookie.name = JSESSIONID +cookie.secure = true +cookie.httpOnly = true +sessionManager.sessionIdCookie = $cookie +``` + ## Secure your Zeppelin information (optional) By default, anyone who defined in `[users]` can share **Interpreter Setting**, **Credential** and **Configuration** information in Apache Zeppelin. Sometimes you might want to hide these information for your use case.