Updated Branches: refs/heads/trunk a4bd8e367 -> 2dc3e3e91
AMBARI-3766. Make backend changes for CSRF prevention. (mpapirkovskyy) Project: http://git-wip-us.apache.org/repos/asf/incubator-ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ambari/commit/2dc3e3e9 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ambari/tree/2dc3e3e9 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ambari/diff/2dc3e3e9 Branch: refs/heads/trunk Commit: 2dc3e3e91dcb3ceb44130f8eb6a97915038ff222 Parents: a4bd8e3 Author: Myroslav Papirkovskyy <mpapyrkovs...@hortonworks.com> Authored: Thu Nov 14 18:26:57 2013 +0200 Committer: Myroslav Papirkovskyy <mpapyrkovs...@hortonworks.com> Committed: Thu Nov 14 20:42:24 2013 +0200 ---------------------------------------------------------------------- .../ambari/server/configuration/Configuration.java | 11 +++++++++++ .../apache/ambari/server/controller/AmbariServer.java | 6 ++++-- 2 files changed, 15 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/2dc3e3e9/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java 
index cf749a9..027f585 100644 
--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java 
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java 
@@ -57,6 +57,7 @@ public class Configuration {
 public static final String BOOTSTRAP_MASTER_HOSTNAME = "bootstrap.master_host_name";
 public static final String API_AUTHENTICATE = "api.authenticate";
 public static final String API_USE_SSL = "api.ssl"; 
+ public static final String API_CSRF_PREVENTION_KEY = "api.csrfPrevention.enabled";
 public static final String SRVR_TWO_WAY_SSL_KEY = "security.server.two_way_ssl";
 public static final String SRVR_TWO_WAY_SSL_PORT_KEY = "security.server.two_way_ssl.port";
 public static final String SRVR_ONE_WAY_SSL_PORT_KEY = "security.server.one_way_ssl.port"; 
@@ -198,6 +199,8 @@ public class Configuration {
 public static final String CLIENT_API_SSL_KEY_NAME_DEFAULT = "https.key";
 public static final String CLIENT_API_SSL_CRT_NAME_DEFAULT = "https.crt"; 
+ private static final String API_CSRF_PREVENTION_DEFAULT = "false"; //TODO should be set to true for release 
+
 private static final String SRVR_CRT_PASS_FILE_DEFAULT ="pass.txt";
 private static final String SRVR_CRT_PASS_LEN_DEFAULT = "50";
 private static final String PASSPHRASE_ENV_DEFAULT = "AMBARI_PASSPHRASE"; 
@@ -494,6 +497,14 @@ public class Configuration {
 }
 /** 
+ * Checks if CSRF protection enabled 
+ * @return true if CSRF protection filter should be enabled 
+ */ 
+ public boolean csrfProtectionEnabled() { 
+ return "true".equalsIgnoreCase(properties.getProperty(API_CSRF_PREVENTION_KEY, API_CSRF_PREVENTION_DEFAULT)); 
+ } 
+ 
+ /**
 * Gets client security type
 * @return appropriate ClientSecurityType
 */ 
http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/2dc3e3e9/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 
index 274647d..24e09bc 100644 
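Review bot: `API_CSRF_PREVENTION_DEFAULT = "false"` means `csrfProtectionEnabled()` returns false unless `api.csrfPrevention.enabled=true` is set explicitly, so the server ships with CSRF prevention off and the only record of the intent to change that is the `//TODO should be set to true for release` comment, which is easy to lose before a release. Jersey's `CsrfProtectionFilter` rejects requests other than GET/HEAD/OPTIONS that carry no `X-Requested-By` header, so flipping the default is a client-compatibility change and that constraint should be recorded where the default lives; suggest replacing the TODO with `// disabled until API clients send X-Requested-By; flip for release, see AMBARI-3766`. The method Javadoc should also name the key and the default, e.g. ` * Checks whether the Jersey CSRF prevention filter should be registered; controlled by {@value #API_CSRF_PREVENTION_KEY} (default "false")`. Note that `equalsIgnoreCase` silently treats any value other than `true` (including a typo) as disabled; logging the effective value at startup would make an accidental fail-open visible to operators.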
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 
@@ -27,7 +27,6 @@ import java.util.Map;
 import org.apache.ambari.eventdb.webservice.WorkflowJsonService;
 import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.actionmanager.ActionManager; 
-import org.apache.ambari.server.actionmanager.ExecutionCommandWrapper;
 import org.apache.ambari.server.agent.HeartBeatHandler;
 import org.apache.ambari.server.agent.rest.AgentResource;
 import org.apache.ambari.server.api.AmbariPersistFilter; 
@@ -42,7 +41,6 @@ import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.configuration.ComponentSSLConfiguration;
 import org.apache.ambari.server.orm.GuiceJpaInitializer;
 import org.apache.ambari.server.orm.PersistenceType; 
-import org.apache.ambari.server.orm.dao.HostRoleCommandDAO;
 import org.apache.ambari.server.orm.dao.MetainfoDAO;
 import org.apache.ambari.server.resources.ResourceManager;
 import org.apache.ambari.server.resources.api.rest.GetResource; 
@@ -253,6 +251,10 @@ public class AmbariServer {
 "org.apache.ambari.server.api");
 sh.setInitParameter("com.sun.jersey.api.json.POJOMappingFeature", "true"); 
+ if (configs.csrfProtectionEnabled()) { 
+ sh.setInitParameter("com.sun.jersey.spi.container.ContainerRequestFilters", 
+ "com.sun.jersey.api.container.filter.CsrfProtectionFilter"); 
+ }
 root.addServlet(sh, "/api/v1/*");
 sh.setInitOrder(2);
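Review bot: The `ContainerRequestFilters` init parameter is assigned wholesale rather than appended to, so if any other Jersey request filter is ever configured on this ServletHolder (none is visible in the hunk), whichever `setInitParameter` call runs last silently replaces the other; building the filter list in one place would avoid that. From the hunk the filter is attached only to the `sh` holder mapped at `/api/v1/*`, so other handlers registered on `root` are not covered by it, which is worth stating so the scope is not overestimated, e.g. `// CSRF filter guards the Jersey API servlet only (/api/v1/*); see Configuration.csrfProtectionEnabled()`. The enclosing method starts and continues outside the hunk.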