This is an automated email from the ASF dual-hosted git repository.

esteban pushed a commit to branch revert-2348-HBASE-19352
in repository https://gitbox.apache.org/repos/asf/hbase.git

commit 1c1a7be1a63525468a20180a0bb554abb0c8be3f
Author: Esteban Gutierrez <esteban...@gmail.com>
AuthorDate: Thu Sep 3 13:38:45 2020 -0500

    Revert "    HBASE-19352 Port HADOOP-10379: Protect authentication cookies 
with the HttpOnly and Secure flags (#2348)"
    
    This reverts commit 19b8a2a64a63e9e546af3497871b5346ea5b6b5b.
---
 .../org/apache/hadoop/hbase/http/HttpServer.java   |   2 -
 .../hadoop/hbase/http/TestHttpCookieFlag.java      | 191 ---------------------
 2 files changed, 193 deletions(-)

diff --git 
a/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java 
b/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java
index 8a47ca9..50a6fe5 100644
--- a/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java
+++ b/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java
@@ -857,8 +857,6 @@ public class HttpServer implements FilterContainer {
       fmap.setFilterName(AdminAuthorizedFilter.class.getSimpleName());
       webAppContext.getServletHandler().addFilter(filter, fmap);
     }
-    
webAppContext.getSessionHandler().getSessionCookieConfig().setHttpOnly(true);
-    webAppContext.getSessionHandler().getSessionCookieConfig().setSecure(true);
     webAppContext.addServlet(holder, pathSpec);
   }
 
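Review bot: Reverting both lines drops the HttpOnly flag together with Secure, yet only the unconditional `setSecure(true)` on the removed line is transport-dependent; HttpOnly costs nothing on a plain-HTTP endpoint and keeps the session cookie out of reach of page script. If the motivation is that a Secure cookie is never sent back by clients over an `http://` endpoint the server can also expose (the deleted test built one of each), consider keeping `webAppContext.getSessionHandler().getSessionCookieConfig().setHttpOnly(true);` and applying Secure only when the server serves HTTPS exclusively, similar to how the deleted test's filter decided per request with `"https".equals(request.getScheme())`. Whether an HTTPS-only indicator is available at this point is not visible from the hunk, and the enclosing method starts before it. As reverted, a session cookie issued to an authenticated admin is both readable by injected script and replayable over plaintext, so the partial fix is worth a follow-up rather than a full revert.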
diff --git 
a/hbase-http/src/test/java/org/apache/hadoop/hbase/http/TestHttpCookieFlag.java 
b/hbase-http/src/test/java/org/apache/hadoop/hbase/http/TestHttpCookieFlag.java
deleted file mode 100644
index d373d60..0000000
--- 
a/hbase-http/src/test/java/org/apache/hadoop/hbase/http/TestHttpCookieFlag.java
+++ /dev/null
@@ -1,191 +0,0 @@
-/**
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License. See accompanying LICENSE file.
- */
-package org.apache.hadoop.hbase.http;
-
-import java.util.List;
-import java.io.File;
-import java.io.IOException;
-import java.net.HttpURLConnection;
-import java.net.HttpCookie;
-import java.net.URI;
-import java.net.URL;
-import javax.net.ssl.HttpsURLConnection;
-import javax.servlet.Filter;
-import javax.servlet.FilterConfig;
-import javax.servlet.FilterChain;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletResponse;
-import java.security.GeneralSecurityException;
-import org.apache.hadoop.hbase.HBaseClassTestRule;
-import org.apache.hadoop.hbase.testclassification.MiscTests;
-import org.apache.hadoop.hbase.testclassification.SmallTests;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.FileUtil;
-import org.apache.hadoop.net.NetUtils;
-import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
-import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
-import org.apache.hadoop.security.ssl.SSLFactory;
-
-import org.junit.Assert;
-import org.junit.AfterClass;
-import org.junit.BeforeClass;
-import org.junit.ClassRule;
-import org.junit.Test;
-import org.junit.experimental.categories.Category;
-
-@Category({ MiscTests.class, SmallTests.class})
-public class TestHttpCookieFlag {
-  @ClassRule
-  public static final HBaseClassTestRule CLASS_RULE =
-      HBaseClassTestRule.forClass(TestHttpCookieFlag.class);
-
-  private static final String BASEDIR = System.getProperty("test.build.dir",
-      "target/test-dir") + "/" +
-      org.apache.hadoop.hbase.http.TestHttpCookieFlag.class.getSimpleName();
-  private static String keystoresDir;
-  private static String sslConfDir;
-  private static SSLFactory clientSslFactory;
-  private static HttpServer server;
-
-  public static class DummyAuthenticationFilter implements Filter {
-
-    @Override
-    public void init(FilterConfig filterConfig) throws ServletException {
-    }
-
-    @Override
-    public void doFilter(ServletRequest request, ServletResponse response,
-                         FilterChain chain) throws IOException,
-                                                   ServletException {
-      HttpServletResponse resp = (HttpServletResponse) response;
-      boolean isHttps = "https".equals(request.getScheme());
-      AuthenticationFilter.createAuthCookie(resp, "token", null, null, -1,
-              true, isHttps);
-      chain.doFilter(request, resp);
-    }
-
-    @Override
-    public void destroy() {
-    }
-  }
-  public static class DummyFilterInitializer extends FilterInitializer {
-    @Override
-    public void initFilter(FilterContainer container, Configuration conf) {
-      container.addFilter("DummyAuth", DummyAuthenticationFilter.class
-              .getName(), null);
-    }
-  }
-
-  @BeforeClass
-  public static void setUp() throws Exception {
-    Configuration conf = new Configuration();
-    conf.set(HttpServer.FILTER_INITIALIZERS_PROPERTY,
-            DummyFilterInitializer.class.getName());
-    conf.setInt("hbase.http.max.threads", 19); /* acceptors=2 + selectors=16 + 
request=1 */
-    System.setProperty("hadoop.log.dir", BASEDIR); /* needed for /logs  */
-
-    File base = new File(BASEDIR);
-    FileUtil.fullyDelete(base);
-    base.mkdirs();
-    keystoresDir = new File(BASEDIR).getAbsolutePath();
-    sslConfDir = KeyStoreTestUtil.getClasspathDir(TestSSLHttpServer.class);
-
-    KeyStoreTestUtil.setupSSLConfig(keystoresDir, sslConfDir, conf, false);
-    Configuration sslConf = KeyStoreTestUtil.getSslConfig();
-
-    clientSslFactory = new SSLFactory(SSLFactory.Mode.CLIENT, sslConf);
-    clientSslFactory.init();
-
-    server = new HttpServer.Builder()
-            .setName("test")
-            .addEndpoint(new URI("http://localhost";))
-            .addEndpoint(new URI("https://localhost";))
-            .setConf(conf)
-            .keyPassword(sslConf.get("ssl.server.keystore.keypassword"))
-            .keyStore(sslConf.get("ssl.server.keystore.location"),
-                    sslConf.get("ssl.server.keystore.password"),
-                    sslConf.get("ssl.server.keystore.type", "jks"))
-            .trustStore(sslConf.get("ssl.server.truststore.location"),
-                    sslConf.get("ssl.server.truststore.password"),
-                    sslConf.get("ssl.server.truststore.type", "jks"))
-            .build();
-    server.addPrivilegedServlet("echo", "/echo", 
TestHttpServer.EchoServlet.class);
-    server.start();
-  }
-
-  @Test
-  public void testHttpCookie() throws IOException {
-    URL base = new URL("http://"; + NetUtils.getHostPortString(server
-            .getConnectorAddress(0)));
-    HttpURLConnection conn = (HttpURLConnection) new URL(base,
-            "/echo").openConnection();
-
-    String header = conn.getHeaderField("Set-Cookie");
-    Assert.assertTrue(header != null);
-    List<HttpCookie> cookies = HttpCookie.parse(header);
-    Assert.assertTrue(!cookies.isEmpty());
-    Assert.assertTrue(header.contains("; HttpOnly"));
-    Assert.assertTrue("token".equals(cookies.get(0).getValue()));
-  }
-
-  @Test
-  public void testHttpsCookie() throws IOException, GeneralSecurityException {
-    URL base = new URL("https://"; + NetUtils.getHostPortString(server
-            .getConnectorAddress(1)));
-    HttpsURLConnection conn = (HttpsURLConnection) new URL(base,
-            "/echo").openConnection();
-    conn.setSSLSocketFactory(clientSslFactory.createSSLSocketFactory());
-
-    String header = conn.getHeaderField("Set-Cookie");
-    Assert.assertTrue(header != null);
-
-    List<HttpCookie> cookies = HttpCookie.parse(header);
-    Assert.assertTrue(!cookies.isEmpty());
-    Assert.assertTrue(header.contains("; HttpOnly"));
-    Assert.assertTrue(cookies.get(0).getSecure());
-    Assert.assertTrue("token".equals(cookies.get(0).getValue()));
-  }
-
-  @Test
-  public void testHttpsCookieDefaultServlets() throws Exception {
-    HttpsURLConnection conn = null;
-
-    URL base = new URL("https://"; + NetUtils.getHostPortString(server
-        .getConnectorAddress(1)) + "/");
-
-    for (String servlet : new String[] { "static",  "stacks", "logLevel", 
"jmx", "logs" }) {
-      conn = (HttpsURLConnection) new URL(base,
-          "/" + servlet).openConnection();
-      conn.setSSLSocketFactory(clientSslFactory.createSSLSocketFactory());
-
-      String header = conn.getHeaderField("Set-Cookie");
-      Assert.assertTrue(header != null);
-      List<HttpCookie> cookies = HttpCookie.parse(header);
-      Assert.assertTrue(!cookies.isEmpty());
-      Assert.assertTrue(header.contains("; HttpOnly"));
-      Assert.assertTrue(cookies.get(0).getSecure());
-      Assert.assertTrue("token".equals(cookies.get(0).getValue()));
-    }
-  }
-
-  @AfterClass
-  public static void cleanup() throws Exception {
-    server.stop();
-    FileUtil.fullyDelete(new File(BASEDIR));
-    KeyStoreTestUtil.cleanupSSLConfig(keystoresDir, sslConfDir);
-    clientSslFactory.destroy();
-  }
-}
