[ https://issues.apache.org/jira/browse/HADOOP-10710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14037913#comment-14037913 ]
Alejandro Abdelnur commented on HADOOP-10710: --------------------------------------------- OK, got it. Now looking at how the cookie is created, it seems it could be done simpler: {code} public static void createAuthCookie(HttpServletResponse resp, String token, String domain, String path, long expires, boolean isSecure) { if (token != null) { HttpCookie cookie = new HttpCookie(AuthenticatedURL.AUTH_COOKIE, token); cookie.setPath(path); cookie.setMaxAge(expires); cookie.setDomain(domain); cookie.setSecure(isSecure); cookie.setHttpOnly(true); resp.addHeader("Set-Cookie", cookie.toString()); } } {code} Can you give it a try that way? > hadoop.auth cookie is not properly constructed according to RFC2109 > ------------------------------------------------------------------- > > Key: HADOOP-10710 > URL: https://issues.apache.org/jira/browse/HADOOP-10710 > Project: Hadoop Common > Issue Type: Bug > Components: security > Affects Versions: 2.4.0 > Reporter: Alejandro Abdelnur > Assignee: Juan Yu > Attachments: HADOOP-10710.001.patch, HADOOP-10710.002.patch > > > It seems that HADOOP-10379 introduced a bug on how hadoop.auth cookies are > being constructed. > Before HADOOP-10379, cookies were constructed using Servlet's {{Cookie}} > class and corresponding {{HttpServletResponse}} methods. This was taking care > of setting attributes like 'Version=1' and double-quoting the cookie value if > necessary. > HADOOP-10379 changed the Cookie creation to use a {{StringBuillder}} and > setting values and attributes by hand. This is not taking care of setting > required attributes like Version and escaping the cookie value. > While this is not breaking HadoopAuth {{AuthenticatedURL}} access, it is > breaking access done using {{HtttpClient}}. I.e. Solr uses HttpClient and its > access is broken since this change. > It seems that HADOOP-10379 main objective was to set the 'secure' attribute. > Note this can be done using the {{Cookie}} API. > We should revert the cookie creation logic to use the {{Cookie}} API and take > care of the security flag via {{setSecure(boolean)}}. -- This message was sent by Atlassian JIRA (v6.2#6252)