-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/39251/#review102514
-----------------------------------------------------------

Ship it!



ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java (line 35)
<https://reviews.apache.org/r/39251/#comment160195>

    Documentation.


- Jonathan Hurley


On Oct. 13, 2015, noon, Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/39251/
> -----------------------------------------------------------
> 
> (Updated Oct. 13, 2015, noon)
> 
> 
> Review request for Ambari, Jonathan Hurley, Myroslav Papirkovskyy, Sumit 
> Mohanty, and Sid Wagle.
> 
> 
> Bugs: ABMARI-13351
>     https://issues.apache.org/jira/browse/ABMARI-13351
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> The security-related HTTP headers should be set separately for the Ambari 
> Views than for the Ambari server UI. This is because they have different 
> requirements. For example, the Ambari server UI should not be allowed to 
> execute in an iframe (by default), whereas an Ambari View must be able to execute 
> in an iframe invoked from the same origin.
> 
> The relevant headers are:
> - Strict-Transport-Security
> - X-Frame-Options
> - X-XSS-Protection
> 
> These headers should be configurable via the ambari.properties such that they 
> may be turned on or off - and set to some custom value.
> 
> The default values for these headers should be as follows:
> - Strict-Transport-Security: max-age=31536000
> - X-Frame-Options: SAMEORIGIN
> - X-XSS-Protection: 1; mode=block
> 
> Strict-Transport-Security should only be turned on if SSL is enabled.
> 
> The relevant Ambari properties should be:
> - Strict-Transport-Security: views.http.strict-transport-security
> - X-Frame-Options: views.http.x-frame-options
> - X-XSS-Protection: views.http.x-xss-protection
> 
> By setting any of these to be empty, the header is to be turned off (or not 
> set).
> 
> For example:
> ```
> # Sets Strict-Transport-Security to a custom value
> views.http.strict-transport-security=max-age=31536000; includeSubDomains
> ```
> 
> ```
> # Turns Strict-Transport-Security off
> views.http.strict-transport-security=
> ```
> 
> 
> Diffs
> -----
> 
>   ambari-server/conf/unix/ambari.properties 68cbf65 
>   ambari-server/conf/windows/ambari.properties 6a98a63 
>   ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java c653e1b 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariHandlerList.java 1265b6a 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 5974494 
>   ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java PRE-CREATION 
>   ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java PRE-CREATION 
>   ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java PRE-CREATION 
>   ambari-server/src/main/java/org/apache/ambari/server/security/SecurityHeaderFilter.java a7479af 
>   ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariHandlerListTest.java a0cb8d0 
>   ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java PRE-CREATION 
>   ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java PRE-CREATION 
>   ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java PRE-CREATION 
>   ambari-server/src/test/java/org/apache/ambari/server/security/SecurityHeaderFilterTest.java 5e8d2af 
> 
> Diff: https://reviews.apache.org/r/39251/diff/
> 
> 
> Testing
> -------
> 
> Manually tested
> 
> # Local test results: PASSED
> 
> # Jenkins test result: 
> 
> [INFO] 
> ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO] 
> ------------------------------------------------------------------------
> [INFO] Total time: 01:37 h
> [INFO] Finished at: 2015-10-13T15:58:17+00:00
> [INFO] Final Memory: 47M/561M
> [INFO] 
> ------------------------------------------------------------------------
> 
> 
> Thanks,
> 
> Robert Levas
> 
>
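The header semantics described in the review request above (a property key and default per header, an empty value turning the header off, and Strict-Transport-Security only when SSL is enabled), shown as an added example servlet filter; this is illustrative code, not the Ambari project's own, and the class name `ViewsSecurityHeaderFilter`, the constructor signature and the `sslEnabled` flag are assumptions:

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not Ambari's code) for the views.http.* properties from the request.
public class ViewsSecurityHeaderFilter implements Filter {
    static final String HSTS_KEY = "views.http.strict-transport-security";
    static final String XFO_KEY = "views.http.x-frame-options";
    static final String XSS_KEY = "views.http.x-xss-protection";
    private final Map<String, String> headers = new LinkedHashMap<>();

    // props: the loaded ambari.properties; sslEnabled: assumed flag from server config.
    public ViewsSecurityHeaderFilter(Properties props, boolean sslEnabled) {
        if (sslEnabled) { // HSTS is only meaningful, and only set, when SSL is on
            put("Strict-Transport-Security", props.getProperty(HSTS_KEY, "max-age=31536000"));
        }
        put("X-Frame-Options", props.getProperty(XFO_KEY, "SAMEORIGIN"));
        put("X-XSS-Protection", props.getProperty(XSS_KEY, "1; mode=block"));
    }

    // getProperty(key, default) falls back only when the key is absent; an
    // explicitly empty value reaches here and disables the header entirely.
    private void put(String name, String value) {
        if (value != null && !value.trim().isEmpty()) {
            headers.put(name, value.trim());
        }
    }

    Map<String, String> configuredHeaders() { return headers; }
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (resp instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) resp;
            for (Map.Entry<String, String> h : headers.entrySet()) {
                http.setHeader(h.getKey(), h.getValue()); // setHeader replaces any earlier value
            }
        }
        chain.doFilter(req, resp);
    }
}
```

A separate filter instance with its own property keys and defaults would serve the server UI, which is how the description keeps the two sets of requirements apart.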
