[ https://issues.apache.org/jira/browse/DRILL-6466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16504517#comment-16504517 ]
ASF GitHub Bot commented on DRILL-6466: --------------------------------------- arina-ielchiieva closed pull request #1304: DRILL-6466: Add HttpOnly flag to response cookies URL: https://github.com/apache/drill/pull/1304 This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic):
diff --git a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/WebServer.java b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/WebServer.java
index 09170a6c86..098845e325 100644
--- a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/WebServer.java
+++ b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/WebServer.java
@@ -20,7 +20,6 @@
 import com.codahale.metrics.MetricRegistry;
 import com.codahale.metrics.servlets.MetricsServlet;
 import com.codahale.metrics.servlets.ThreadDumpServlet;
-import com.google.common.collect.ImmutableSet;
 import org.apache.commons.lang3.RandomStringUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.drill.common.config.DrillConfig;
@@ -31,7 +30,6 @@
 import org.apache.drill.exec.server.BootStrapContext;
 import org.apache.drill.exec.server.Drillbit;
 import org.apache.drill.exec.server.rest.auth.DrillErrorHandler;
-import org.apache.drill.exec.server.rest.auth.DrillRestLoginService;
 import org.apache.drill.exec.server.rest.auth.DrillHttpSecurityHandlerProvider;
 import org.apache.drill.exec.ssl.SSLConfigBuilder;
 import org.apache.drill.exec.work.WorkManager;
@@ -43,10 +41,7 @@
 import org.bouncycastle.operator.ContentSigner;
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
 import org.eclipse.jetty.http.HttpVersion;
-import org.eclipse.jetty.security.ConstraintMapping;
-import org.eclipse.jetty.security.ConstraintSecurityHandler;
 import org.eclipse.jetty.security.SecurityHandler;
-import org.eclipse.jetty.security.authentication.FormAuthenticator;
 import org.eclipse.jetty.security.authentication.SessionAuthentication;
 import org.eclipse.jetty.server.HttpConfiguration;
 import org.eclipse.jetty.server.HttpConnectionFactory;
@@ -81,13 +76,8 @@
 import java.security.KeyStore;
 import java.security.SecureRandom;
 import java.security.cert.X509Certificate;
-import java.util.Collections;
 import java.util.Date;
 import java.util.EnumSet;
-import java.util.Set;
-
-import static org.apache.drill.exec.server.rest.auth.DrillUserPrincipal.ADMIN_ROLE;
-import static org.apache.drill.exec.server.rest.auth.DrillUserPrincipal.AUTHENTICATED_ROLE;
 /**
  * Wrapper class around jetty based webserver.
@@ -96,37 +86,30 @@
   private static final org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(WebServer.class);
   private static final int PORT_HUNT_TRIES = 100;
+  private static final String BASE_STATIC_PATH = "/rest/static/";
+  private static final String DRILL_ICON_RESOURCE_RELATIVE_PATH = "img/drill.ico";
   private final DrillConfig config;
-  private final MetricRegistry metrics;
-  private final WorkManager workManager;
-
-  private final BootStrapContext context;
+  private final Drillbit drillbit;
   private Server embeddedJetty;
-  private final Drillbit drillbit;
-
   /**
    * Create Jetty based web server.
    *
    * @param context Bootstrap context.
    * @param workManager WorkManager instance.
+   * @param drillbit Drillbit instance.
    */
   public WebServer(final BootStrapContext context, final WorkManager workManager, final Drillbit drillbit) {
-    this.context = context;
     this.config = context.getConfig();
     this.metrics = context.getMetrics();
     this.workManager = workManager;
     this.drillbit = drillbit;
   }
-  private static final String BASE_STATIC_PATH = "/rest/static/";
-
-  private static final String DRILL_ICON_RESOURCE_RELATIVE_PATH = "img/drill.ico";
-
   /**
    * Checks if only impersonation is enabled.
    *
@@ -140,7 +123,6 @@ public static boolean isImpersonationOnlyEnabled(DrillConfig config) {
   /**
    * Start the web server including setup.
-   * @throws Exception
    */
   @SuppressWarnings("resource")
   public void start() throws Exception {
@@ -175,7 +157,6 @@ public void start() throws Exception {
       } catch (BindException e) {
         if (portHunt) {
           logger.info("Failed to start on port {}, trying port {}", port, ++port, e);
-          continue;
         } else {
           throw e;
         }
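Review bot: As rendered, the first hunk removes the `private final MetricRegistry metrics;` and `private final WorkManager workManager;` declarations while the constructor still carries `this.metrics = context.getMetrics();` and `this.workManager = workManager;` as unchanged context, which cannot compile unless those fields are declared elsewhere in the class. This is quite possibly an artifact of the mirrored diff on this page rather than of the merged code, but it is worth confirming against the actual commit; if the two fields are meant to stay, those two lines should be context rather than removals. The class body and the constructor's surroundings continue outside this hunk.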
@@ -250,6 +231,8 @@ private ServletContextHandler createServletContextHandler(final boolean authEnab
   private SessionHandler createSessionHandler(final SecurityHandler securityHandler) {
     SessionManager sessionManager = new HashSessionManager();
     sessionManager.setMaxInactiveInterval(config.getInt(ExecConstants.HTTP_SESSION_MAX_IDLE_SECS));
+    // response cookie will be returned with HttpOnly flag
+    sessionManager.getSessionCookieConfig().setHttpOnly(true);
     sessionManager.addEventListener(new HttpSessionListener() {
       @Override
       public void sessionCreated(HttpSessionEvent se) {
@@ -285,21 +268,6 @@ public void sessionDestroyed(HttpSessionEvent se) {
     return new SessionHandler(sessionManager);
   }
-  /**
-   * @return {@link SecurityHandler} with appropriate {@link LoginService}, {@link Authenticator} and constraints.
-   */
-  private ConstraintSecurityHandler createSecurityHandler() {
-    ConstraintSecurityHandler security = new ConstraintSecurityHandler();
-
-    Set<String> knownRoles = ImmutableSet.of(AUTHENTICATED_ROLE, ADMIN_ROLE);
-    security.setConstraintMappings(Collections.<ConstraintMapping>emptyList(), knownRoles);
-
-    security.setAuthenticator(new FormAuthenticator("/login", "/login", true));
-    security.setLoginService(new DrillRestLoginService(workManager.getContext()));
-
-    return security;
-  }
-
   public int getPort() {
     if (!isRunning()) {
       throw new UnsupportedOperationException("Http is not enabled");
@@ -331,7 +299,6 @@ private ServerConnector createConnector(int port, int acceptors, int selectors)
    * they will be used else a self-signed certificate is generated and used.
    *
    * @return Initialized {@link ServerConnector} for HTTPS connections.
-   * @throws Exception
    */
   private ServerConnector createHttpsConnector(int port, int acceptors, int selectors) throws Exception {
     logger.info("Setting up HTTPS connector for web server");
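Review bot: The new `setHttpOnly(true)` keeps the session id away from client-side script, but nothing in this hunk marks the cookie `Secure`, so when the server is started with the HTTPS connector (`createHttpsConnector` is defined in this file) a browser would still attach the session id to any plaintext request made to the same host. Next to the new line, add `sessionManager.getSessionCookieConfig().setSecure(true);` guarded by the same configuration check that selects the HTTPS connector (presumably in `start()`, not visible here), since an unconditional `Secure` flag would break login on a plain-HTTP deployment. The added comment could also state the intent rather than the mechanism, e.g. `// HttpOnly: the session id must not be readable by client-side script`. `createSessionHandler` continues past the end of this hunk.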
@@ -425,9 +392,8 @@ private ServerConnector createHttpsConnector(int port, int acceptors, int select
    * Create HTTP connector.
    *
    * @return Initialized {@link ServerConnector} instance for HTTP connections.
-   * @throws Exception
    */
-  private ServerConnector createHttpConnector(int port, int acceptors, int selectors) throws Exception {
+  private ServerConnector createHttpConnector(int port, int acceptors, int selectors) {
     logger.info("Setting up HTTP connector for web server");
     final HttpConfiguration httpConfig = new HttpConfiguration();
     final ServerConnector httpConnector =
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org > Add HttpOnly flag for response cookie > ------------------------------------- > > Key: DRILL-6466 > URL: https://issues.apache.org/jira/browse/DRILL-6466 > Project: Apache Drill > Issue Type: Improvement > Components: Web Server > Affects Versions: 1.13.0 > Reporter: Arina Ielchiieva > Assignee: Arina Ielchiieva > Priority: Minor > Labels: ready-to-commit > Fix For: 1.14.0 > > Attachments: httpOnly.JPG > > > Add HttpOnly flag to response cookies. > {quote} > When you tag a cookie with the HttpOnly flag, it tells the browser that this > particular cookie should only be accessed by the server. Any attempt to > access the cookie from client script is strictly forbidden. HttpOnly cookies > make huge classes of common XSS attacks much harder to pull off. > {quote} -- This message was sent by Atlassian JIRA (v7.6.3#76005)