[ https://issues.apache.org/jira/browse/SPARK-24522?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16719565#comment-16719565 ]
ASF GitHub Bot commented on SPARK-24522: ---------------------------------------- vanzin opened a new pull request #23302: [SPARK-24522][UI] Create filter to apply HTTP security checks consistently. URL: https://github.com/apache/spark/pull/23302 Currently there is code scattered in a bunch of places to do different things related to HTTP security, such as access control, setting security-related headers, and filtering out bad content. This makes it really easy to miss these things when writing new UI code. This change creates a new filter that does all of those things, and makes sure that all servlet handlers that are attached to the UI get the new filter and any user-defined filters consistently. The extent of the actual features should be the same as before. The new filter is added at the end of the filter chain, because authentication is done by custom filters and thus needs to happen first. This means that custom filters see unfiltered HTTP requests - which is actually the current behavior anyway. As a side-effect of some of the code refactoring, handlers added after the initial set also get wrapped with a GzipHandler, which didn't happen before. Tested with added unit tests and in a history server with SPNEGO auth configured. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org > Centralize code to deal with security-related HTTP features > ----------------------------------------------------------- > > Key: SPARK-24522 > URL: https://issues.apache.org/jira/browse/SPARK-24522 > Project: Spark > Issue Type: Improvement > Components: Web UI > Affects Versions: 2.4.0 > Reporter: Marcelo Vanzin > Priority: Major > > Currently there's code scattered in a few places to deal with different > HTTP-related security features, such as XSS protection. > The current approach makes it hard to verify that these are applied uniformly > across all of Spark. > We should centralize this code and enforce that it's applied to all UI > handlers. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org