[ https://issues.apache.org/jira/browse/SPARK-24522?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16719565#comment-16719565 ]

ASF GitHub Bot commented on SPARK-24522:
----------------------------------------

vanzin opened a new pull request #23302: [SPARK-24522][UI] Create filter to apply HTTP security checks consistently.
URL: https://github.com/apache/spark/pull/23302
 
 
Currently there is code scattered in a bunch of places to do different
things related to HTTP security, such as access control, setting
security-related headers, and filtering out bad content. This makes it
really easy to miss these things when writing new UI code.

This change creates a new filter that does all of those things, and
makes sure that all servlet handlers that are attached to the UI get
the new filter and any user-defined filters consistently. The extent
of the actual features should be the same as before.

The new filter is added at the end of the filter chain, because authentication
is done by custom filters and thus needs to happen first. This means that
custom filters see unfiltered HTTP requests - which is actually the current
behavior anyway.

As a side-effect of some of the code refactoring, handlers added after
the initial set also get wrapped with a GzipHandler, which didn't happen
before.

Tested with added unit tests and in a history server with SPNEGO auth
configured.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
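As an added illustration of the design described in the pull request above (example code, not the code from pull request #23302 or from Spark): a single Jetty servlet filter that sets the security-related headers and performs the access check, registered after any user-defined filters so that authentication runs first. The `isAuthorized` callback, the header values and the `install` helper are assumptions, not the project's API.

```scala
import java.util.EnumSet
import javax.servlet.{DispatcherType, Filter, FilterChain, FilterConfig, ServletRequest, ServletResponse}
import javax.servlet.http.{HttpServletRequest, HttpServletResponse}
import org.eclipse.jetty.servlet.{FilterHolder, ServletContextHandler}

/**
 * Illustrative consolidated UI security filter (not Spark's own class).
 * `isAuthorized(user, method)` is an assumed callback supplied by the caller.
 */
class UiSecurityFilter(isAuthorized: (String, String) => Boolean) extends Filter {
  override def init(config: FilterConfig): Unit = ()
  override def destroy(): Unit = ()

  override def doFilter(req: ServletRequest, res: ServletResponse, chain: FilterChain): Unit = {
    val hreq = req.asInstanceOf[HttpServletRequest]
    val hres = res.asInstanceOf[HttpServletResponse]

    // Headers are set before any handler runs, so even a 403 below carries them.
    // The values are example choices, not necessarily the project's configuration.
    hres.setHeader("X-Frame-Options", "SAMEORIGIN")
    hres.setHeader("X-XSS-Protection", "1; mode=block")
    hres.setHeader("X-Content-Type-Options", "nosniff")

    // Access control relies on getRemoteUser, which an authentication filter
    // earlier in the chain must have populated; hence this filter runs last.
    val user = Option(hreq.getRemoteUser).getOrElse("")
    if (!isAuthorized(user, hreq.getMethod)) {
      // Fixed message: do not echo request-controlled data into the error page.
      hres.sendError(HttpServletResponse.SC_FORBIDDEN, "not authorized")
    } else {
      chain.doFilter(req, res)
    }
  }
}

object UiSecurityFilter {
  private val AllDispatches = EnumSet.allOf(classOf[DispatcherType])

  /** Attach user-defined filters first, then the security filter, to one handler. */
  def install(handler: ServletContextHandler,
              userFilters: Seq[Filter],
              isAuthorized: (String, String) => Boolean): Unit = {
    // Jetty applies filters in the order their mappings are added, so custom
    // (typically authentication) filters see the request before the security filter.
    userFilters.foreach { f => handler.addFilter(new FilterHolder(f), "/*", AllDispatches) }
    handler.addFilter(new FilterHolder(new UiSecurityFilter(isAuthorized)), "/*", AllDispatches)
  }
}
```

Calling `install` for every handler attached to the UI, rather than per page, is what keeps the checks from being forgotten in new UI code.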


> Centralize code to deal with security-related HTTP features
> -----------------------------------------------------------
>
>                 Key: SPARK-24522
>                 URL: https://issues.apache.org/jira/browse/SPARK-24522
>             Project: Spark
>          Issue Type: Improvement
>          Components: Web UI
>    Affects Versions: 2.4.0
>            Reporter: Marcelo Vanzin
>            Priority: Major
>
> Currently there's code scattered in a few places to deal with different HTTP-related security features, such as XSS protection.
> The current approach makes it hard to verify that these are applied uniformly across all of Spark.
> We should centralize this code and enforce that it's applied to all UI handlers.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)