[ https://issues.apache.org/jira/browse/HDFS-9711?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15144513#comment-15144513 ]
Larry McCay commented on HDFS-9711:
-----------------------------------

I am much more inclined to try and make v004 work than go back to v003.

What do you think about going with option #2 and also pulling the handleHttpInteraction out into a CsrfUtils class. This makes it less odd that it is all encapsulated in the same impl and a little more clear that the handler is used by multiple classes.

Perhaps CsrfUtils.handleRestHttpInteraction(HttpInteraction interation) with the anticipation that a Csrf.handleWebAppHttpInteraction(HttpInteraction interation)?

The webapp one would have to be able to compare a session value of the header to the actual value sent by the client - which would be a new constructor argument on ServletFilterHttpInteraction/NettyHttpInteraction.

We could also just overload the method with the additional parameter of the value to check against and leave it as handleHttpInteraction(HttpInteraction interation, String nonce)

Anyway, I think that some simple separation with a Utils class would help make it more readable as well.

> Integrate CSRF prevention filter in WebHDFS.
> --------------------------------------------
>
> Key: HDFS-9711
> URL: https://issues.apache.org/jira/browse/HDFS-9711
> Project: Hadoop HDFS
> Issue Type: New Feature
> Components: datanode, namenode, webhdfs
> Reporter: Chris Nauroth
> Assignee: Chris Nauroth
> Attachments: HDFS-9711.001.patch, HDFS-9711.002.patch,
> HDFS-9711.003.patch, HDFS-9711.004.patch
>
>
> HADOOP-12691 introduced a filter in Hadoop Common to help REST APIs guard
> against cross-site request forgery attacks. This issue tracks integration of
> that filter in WebHDFS.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
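
A sketch of the overload idea raised in the comment above, added here as an illustration; it is not code from any HDFS-9711 patch or from Hadoop. The `HttpInteraction` methods shown, the header name, the list of safe methods and the status codes are all assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;

public final class CsrfUtils {
  /** Hypothetical minimal view of a request; not the interface from the patch. */
  public interface HttpInteraction {
    String getMethod();
    String getHeader(String name);
    void proceed();
    void sendError(int code, String message);
  }

  // Assumed values for this sketch.
  static final String HEADER = "X-XSRF-HEADER";
  static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");

  private CsrfUtils() {}

  /** REST case: a state-changing request only has to carry the custom header. */
  public static void handleHttpInteraction(HttpInteraction interaction) {
    if (SAFE_METHODS.contains(interaction.getMethod())
        || interaction.getHeader(HEADER) != null) {
      interaction.proceed();
    } else {
      interaction.sendError(400, "Missing required header for CSRF protection");
    }
  }

  /** Web-app case: the header value must equal the nonce held in the session. */
  public static void handleHttpInteraction(HttpInteraction interaction, String nonce) {
    if (SAFE_METHODS.contains(interaction.getMethod())) {
      interaction.proceed();
      return;
    }
    String sent = interaction.getHeader(HEADER);
    // Constant-time comparison so response timing does not reveal matching prefixes.
    // A missing header or a missing session nonce both fail closed.
    boolean ok = sent != null && nonce != null && MessageDigest.isEqual(
        sent.getBytes(StandardCharsets.UTF_8), nonce.getBytes(StandardCharsets.UTF_8));
    if (ok) {
      interaction.proceed();
    } else {
      interaction.sendError(403, "CSRF token mismatch");
    }
  }
}
```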