Re: Review Request 64002: SENTRY-2068: Disable HTTP TRACE method from the Sentry Web Server

Sergio Pena via Review Board Wed, 22 Nov 2017 07:20:12 -0800

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/64002/
-----------------------------------------------------------


(Updated Nov. 22, 2017, 3:19 p.m.)


Review request for sentry.


Changes
-------

this 2nd patch adds tests to verify the TRACE method is disabled.


Bugs: sentry-2068
    https://issues.apache.org/jira/browse/sentry-2068


Repository: sentry


Description
-------

Disables the HTTP TRACE method by wrapping a constraint that requires 
authentication when calling such method.

See more info here:
http://www.imlc.me/why-we-need-to-disable-trace-method-and-how-to-disable-trace-in-embedded-jetty.html
https://www.owasp.org/index.php/Cross_Site_Tracing
https://reformatcode.com/code/http/java-embedded-jetty-is-accepting-http-trace-method


Diffs (updated)
-----

  
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryWebServer.java
 95b87add5814cc3c0851ca73ca6503306b840594 
  
sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
 09ee6b4493611c055dd7e96ab8a0b747fd4eb25b 
  
sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithSSL.java
 d1d0b4be578ca9b4148a81073a21639cd8688156 
  
sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithoutSecurity.java
 4a913e5189fa0aea7fb1770eb9f3e8e991289a50 


Diff: https://reviews.apache.org/r/64002/diff/2/

Changes: https://reviews.apache.org/r/64002/diff/1-2/


Testing
-------


Thanks,

Sergio Pena

Re: Review Request 64002: SENTRY-2068: Disable HTTP TRACE method from the Sentry Web Server

Reply via email to