[ 
https://issues.apache.org/jira/browse/DRILL-6466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16504517#comment-16504517
 ] 

ASF GitHub Bot commented on DRILL-6466:
---------------------------------------

arina-ielchiieva closed pull request #1304: DRILL-6466: Add HttpOnly flag to 
response cookies
URL: https://github.com/apache/drill/pull/1304
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git 
a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/WebServer.java 
b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/WebServer.java
index 09170a6c86..098845e325 100644
--- 
a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/WebServer.java
+++ 
b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/WebServer.java
@@ -20,7 +20,6 @@
 import com.codahale.metrics.MetricRegistry;
 import com.codahale.metrics.servlets.MetricsServlet;
 import com.codahale.metrics.servlets.ThreadDumpServlet;
-import com.google.common.collect.ImmutableSet;
 import org.apache.commons.lang3.RandomStringUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.drill.common.config.DrillConfig;
@@ -31,7 +30,6 @@
 import org.apache.drill.exec.server.BootStrapContext;
 import org.apache.drill.exec.server.Drillbit;
 import org.apache.drill.exec.server.rest.auth.DrillErrorHandler;
-import org.apache.drill.exec.server.rest.auth.DrillRestLoginService;
 import org.apache.drill.exec.server.rest.auth.DrillHttpSecurityHandlerProvider;
 import org.apache.drill.exec.ssl.SSLConfigBuilder;
 import org.apache.drill.exec.work.WorkManager;
@@ -43,10 +41,7 @@
 import org.bouncycastle.operator.ContentSigner;
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
 import org.eclipse.jetty.http.HttpVersion;
-import org.eclipse.jetty.security.ConstraintMapping;
-import org.eclipse.jetty.security.ConstraintSecurityHandler;
 import org.eclipse.jetty.security.SecurityHandler;
-import org.eclipse.jetty.security.authentication.FormAuthenticator;
 import org.eclipse.jetty.security.authentication.SessionAuthentication;
 import org.eclipse.jetty.server.HttpConfiguration;
 import org.eclipse.jetty.server.HttpConnectionFactory;
@@ -81,13 +76,8 @@
 import java.security.KeyStore;
 import java.security.SecureRandom;
 import java.security.cert.X509Certificate;
-import java.util.Collections;
 import java.util.Date;
 import java.util.EnumSet;
-import java.util.Set;
-
-import static 
org.apache.drill.exec.server.rest.auth.DrillUserPrincipal.ADMIN_ROLE;
-import static 
org.apache.drill.exec.server.rest.auth.DrillUserPrincipal.AUTHENTICATED_ROLE;
 
 /**
  * Wrapper class around jetty based webserver.
@@ -96,37 +86,30 @@
   private static final org.slf4j.Logger logger = 
org.slf4j.LoggerFactory.getLogger(WebServer.class);
 
   private static final int PORT_HUNT_TRIES = 100;
+  private static final String BASE_STATIC_PATH = "/rest/static/";
+  private static final String DRILL_ICON_RESOURCE_RELATIVE_PATH = 
"img/drill.ico";
 
   private final DrillConfig config;
-
   private final MetricRegistry metrics;
-
   private final WorkManager workManager;
-
-  private final BootStrapContext context;
+  private final Drillbit drillbit;
 
   private Server embeddedJetty;
 
-  private final Drillbit drillbit;
-
   /**
    * Create Jetty based web server.
    *
    * @param context     Bootstrap context.
    * @param workManager WorkManager instance.
+   * @param drillbit    Drillbit instance.
    */
   public WebServer(final BootStrapContext context, final WorkManager 
workManager, final Drillbit drillbit) {
-    this.context = context;
     this.config = context.getConfig();
     this.metrics = context.getMetrics();
     this.workManager = workManager;
     this.drillbit = drillbit;
   }
 
-  private static final String BASE_STATIC_PATH = "/rest/static/";
-
-  private static final String DRILL_ICON_RESOURCE_RELATIVE_PATH = 
"img/drill.ico";
-
   /**
    * Checks if only impersonation is enabled.
    *
@@ -140,7 +123,6 @@ public static boolean 
isImpersonationOnlyEnabled(DrillConfig config) {
 
   /**
    * Start the web server including setup.
-   * @throws Exception
    */
   @SuppressWarnings("resource")
   public void start() throws Exception {
@@ -175,7 +157,6 @@ public void start() throws Exception {
       } catch (BindException e) {
         if (portHunt) {
           logger.info("Failed to start on port {}, trying port {}", port, 
++port, e);
-          continue;
         } else {
           throw e;
         }
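Review bot: Dropping the `continue;` in the portHunt branch is behaviour-preserving only if this catch block is the last statement of the retry loop body; the try block and the rest of the loop are outside this hunk, so that should be confirmed before merge, because anything placed after the catch inside the loop would now also run after a failed bind. On the surviving log line, `++port` is evaluated as a logger argument, so the port increment is a side effect hidden inside a logging call; clearer is `logger.info("Failed to start on port {}, trying port {}", port, port + 1, e);` followed by `port++;` on its own line. The enclosing start() method begins and ends outside the hunk.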
@@ -250,6 +231,8 @@ private ServletContextHandler 
createServletContextHandler(final boolean authEnab
   private SessionHandler createSessionHandler(final SecurityHandler 
securityHandler) {
     SessionManager sessionManager = new HashSessionManager();
     
sessionManager.setMaxInactiveInterval(config.getInt(ExecConstants.HTTP_SESSION_MAX_IDLE_SECS));
+    // response cookie will be returned with HttpOnly flag
+    sessionManager.getSessionCookieConfig().setHttpOnly(true);
     sessionManager.addEventListener(new HttpSessionListener() {
       @Override
       public void sessionCreated(HttpSessionEvent se) {
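Review bot: The session cookie now carries HttpOnly but not Secure, so on an HTTPS-only web server the browser may still send it on a plaintext request to the same host. Right after the added line, set the Secure flag when SSL is enabled for the web server, gated on the same setting start() uses to choose createHttpsConnector (presumably `ExecConstants.HTTP_ENABLE_SSL`, to be confirmed): `if (config.getBoolean(ExecConstants.HTTP_ENABLE_SSL)) { sessionManager.getSessionCookieConfig().setSecure(true); }` — an unconditional Secure flag would break plain-HTTP deployments. The added comment would read better if it stated the reason rather than the effect, e.g. `// HttpOnly keeps the session cookie unreadable from page scripts (XSS mitigation, DRILL-6466)`. createSessionHandler continues outside the hunk.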
@@ -285,21 +268,6 @@ public void sessionDestroyed(HttpSessionEvent se) {
     return new SessionHandler(sessionManager);
   }
 
-  /**
-   * @return {@link SecurityHandler} with appropriate {@link LoginService}, 
{@link Authenticator} and constraints.
-   */
-  private ConstraintSecurityHandler createSecurityHandler() {
-    ConstraintSecurityHandler security = new ConstraintSecurityHandler();
-
-    Set<String> knownRoles = ImmutableSet.of(AUTHENTICATED_ROLE, ADMIN_ROLE);
-    security.setConstraintMappings(Collections.<ConstraintMapping>emptyList(), 
knownRoles);
-
-    security.setAuthenticator(new FormAuthenticator("/login", "/login", true));
-    security.setLoginService(new 
DrillRestLoginService(workManager.getContext()));
-
-    return security;
-  }
-
   public int getPort() {
     if (!isRunning()) {
       throw new UnsupportedOperationException("Http is not enabled");
@@ -331,7 +299,6 @@ private ServerConnector createConnector(int port, int 
acceptors, int selectors)
    * they will be used else a self-signed certificate is generated and used.
    *
    * @return Initialized {@link ServerConnector} for HTTPS connections.
-   * @throws Exception
    */
   private ServerConnector createHttpsConnector(int port, int acceptors, int 
selectors) throws Exception {
     logger.info("Setting up HTTPS connector for web server");
@@ -425,9 +392,8 @@ private ServerConnector createHttpsConnector(int port, int 
acceptors, int select
    * Create HTTP connector.
    *
    * @return Initialized {@link ServerConnector} instance for HTTP connections.
-   * @throws Exception
    */
-  private ServerConnector createHttpConnector(int port, int acceptors, int 
selectors) throws Exception {
+  private ServerConnector createHttpConnector(int port, int acceptors, int 
selectors) {
     logger.info("Setting up HTTP connector for web server");
     final HttpConfiguration httpConfig = new HttpConfiguration();
     final ServerConnector httpConnector =
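Review bot: The Javadoc above the changed signature still documents none of createHttpConnector's parameters, so the cleanup of the empty `@throws` tag leaves the method half-documented; add `@param port`, `@param acceptors` and `@param selectors` lines (the latter two presumably Jetty acceptor/selector thread counts, as with createConnector above — confirm). Removing `throws Exception` is fine only if nothing in the body throws a checked exception; the body continues outside the hunk, and the compiler will flag it if it does.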


 



> Add HttpOnly flag for response cookie
> -------------------------------------
>
>                 Key: DRILL-6466
>                 URL: https://issues.apache.org/jira/browse/DRILL-6466
>             Project: Apache Drill
>          Issue Type: Improvement
>          Components: Web Server
>    Affects Versions: 1.13.0
>            Reporter: Arina Ielchiieva
>            Assignee: Arina Ielchiieva
>            Priority: Minor
>              Labels: ready-to-commit
>             Fix For: 1.14.0
>
>         Attachments: httpOnly.JPG
>
>
> Add HttpOnly flag to response cookies.
> {quote}
> When you tag a cookie with the HttpOnly flag, it tells the browser that this 
> particular cookie should only be accessed by the server. Any attempt to 
> access the cookie from client script is strictly forbidden. HttpOnly cookies 
> make huge classes of common XSS attacks much harder to pull off. 
> {quote}


