[ https://issues.apache.org/jira/browse/HDFS-9711?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15144513#comment-15144513 ]

Larry McCay commented on HDFS-9711:
-----------------------------------

I am much more inclined to try and make v004 work than go back to v003.

What do you think about going with option #2 and also pulling the 
handleHttpInteraction out into a CsrfUtils class?
This makes it less odd that it is all encapsulated in the same impl and a 
little more clear that the handler is used by multiple classes.

Perhaps CsrfUtils.handleRestHttpInteraction(HttpInteraction interaction) with 
the anticipation of a Csrf.handleWebAppHttpInteraction(HttpInteraction 
interaction)?

The webapp one would have to be able to compare a session value of the header 
to the actual value sent by the client - which would be a new constructor 
argument on ServletFilterHttpInteraction/NettyHttpInteraction.

We could also just overload the method with the additional parameter of the 
value to check against and leave it as handleHttpInteraction(HttpInteraction 
interaction, String nonce).

Anyway, I think that some simple separation with a Utils class would help make 
it more readable as well.

> Integrate CSRF prevention filter in WebHDFS.
> --------------------------------------------
>
>                 Key: HDFS-9711
>                 URL: https://issues.apache.org/jira/browse/HDFS-9711
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: datanode, namenode, webhdfs
>            Reporter: Chris Nauroth
>            Assignee: Chris Nauroth
>         Attachments: HDFS-9711.001.patch, HDFS-9711.002.patch, 
> HDFS-9711.003.patch, HDFS-9711.004.patch
>
>
> HADOOP-12691 introduced a filter in Hadoop Common to help REST APIs guard 
> against cross-site request forgery attacks.  This issue tracks integration of 
> that filter in WebHDFS.
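An added sketch of the split discussed in the comment above (a REST handler that only requires the custom header, beside a web-app overload that also compares the header against a session nonce). This is illustrative code, not Hadoop's; the HttpInteraction method names, the header name and the status codes are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;

// Hypothetical CsrfUtils; not the Hadoop implementation.
final class CsrfUtils {
  // Minimal request/response abstraction in the spirit of HttpInteraction.
  // Method names are assumed for this sketch.
  interface HttpInteraction {
    String getMethod();
    String getHeader(String name);
    void proceed();                       // hand the request down the chain
    void sendError(int code, String msg); // reject it
  }

  static final String HEADER = "X-XSRF-HEADER";   // assumed header name
  static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS", "TRACE");

  // REST variant: a state-changing request must carry the custom header.
  // A cross-site form or <img> cannot set custom headers, so its absence
  // marks a forged request; no per-user state is needed.
  static void handleRestHttpInteraction(HttpInteraction i) {
    if (SAFE_METHODS.contains(i.getMethod().toUpperCase())
        || i.getHeader(HEADER) != null) {
      i.proceed();
    } else {
      i.sendError(400, "Missing required header for CSRF protection");
    }
  }

  // Web-app variant (the overload proposed above): the header value must
  // also equal the nonce held in the caller's session. The comparison is
  // constant-time so a wrong guess does not leak how much of it matched.
  static void handleHttpInteraction(HttpInteraction i, String sessionNonce) {
    if (SAFE_METHODS.contains(i.getMethod().toUpperCase())) {
      i.proceed();
      return;
    }
    String sent = i.getHeader(HEADER);
    boolean ok = sent != null && sessionNonce != null
        && MessageDigest.isEqual(sent.getBytes(StandardCharsets.UTF_8),
                                 sessionNonce.getBytes(StandardCharsets.UTF_8));
    if (ok) {
      i.proceed();
    } else {
      i.sendError(403, "CSRF token missing or does not match session");
    }
  }
}
```

The session nonce would be the extra constructor argument on ServletFilterHttpInteraction/NettyHttpInteraction that the comment mentions, or simply the second parameter of the overload.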

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)