oleewere closed pull request #36: AMBARI-24937. Log Search: add cross site 
scripting prevention headers
URL: https://github.com/apache/ambari-logsearch/pull/36
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/SecurityConfig.java b/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/SecurityConfig.java
index b1ca062ac1..a15ed559e4 100644
--- a/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/SecurityConfig.java
+++ b/ambari-logsearch-server/src/main/java/org/apache/ambari/logsearch/conf/SecurityConfig.java
@@ -26,6 +26,8 @@
 
 import javax.inject.Inject;
 import javax.inject.Named;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 
 import org.apache.ambari.logsearch.common.LogSearchLdapAuthorityMapper;
 import org.apache.ambari.logsearch.common.StatusMessage;
@@ -64,6 +66,13 @@
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import org.springframework.security.web.header.Header;
+import org.springframework.security.web.header.HeaderWriter;
+import org.springframework.security.web.header.writers.HstsHeaderWriter;
+import org.springframework.security.web.header.writers.StaticHeadersWriter;
+import org.springframework.security.web.header.writers.XContentTypeOptionsHeaderWriter;
+import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;
+import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
@@ -80,6 +89,9 @@
   @Inject
   private LogSearchHttpHeaderConfig logSearchHttpHeaderConfig;
 
+  @Inject
+  private LogSearchHttpConfig logSearchHttpConfig;
+
   @Inject
   private SolrServiceLogPropsConfig solrServiceLogPropsConfig;
 
@@ -117,6 +129,15 @@
   @Override
   protected void configure(HttpSecurity http) throws Exception {
     http
+      .headers()
+        .addHeaderWriter(
+          new LogSearchCompositeHeaderWriter("https".equals(logSearchHttpConfig.getProtocol()),
+            new XXssProtectionHeaderWriter(),
+            new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.DENY),
+            new XContentTypeOptionsHeaderWriter(),
+            new StaticHeadersWriter("Pragma", "no-cache"),
+            new StaticHeadersWriter("Cache-Control", "no-store")))
+      .and()
       .csrf().disable()
       .authorizeRequests()
         .requestMatchers(requestMatcher())
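Review bot: Unless this adapter was built with its defaults disabled (the class header is outside the hunk, so this is inferred), `http.headers()` already registers Spring Security's stock X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, cache-control and HSTS writers, so the composite writer added here emits the same headers a second time — and because `StaticHeadersWriter` uses `addHeader`, `Pragma` and `Cache-Control` can appear as duplicate header lines on every response. If the intent is to own these headers, call `.headers().defaultsDisabled()` before `.addHeaderWriter(...)`, or drop the custom writer and use the DSL (`.frameOptions().deny()`, `.cacheControl()`, `.httpStrictTransportSecurity()`) so the configuration is declarative and not duplicated. `Cache-Control: no-store` on its own is weaker than what `CacheControlHeadersWriter` produces (`no-cache, no-store, max-age=0, must-revalidate` plus `Expires: 0`), so reusing that writer in place of the two `StaticHeadersWriter`s would be the safer choice. The `org.springframework.security.web.header.Header` import added in the first hunk does not appear to be used by any new line. `configure` continues past the end of this hunk.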
@@ -352,4 +373,27 @@ public RequestMatcher shipperConfigInputRequestMatcher() {
     return cookies.toArray(new String[0]);
   }
 
+  class LogSearchCompositeHeaderWriter implements HeaderWriter {
+
+    private final boolean sslEnabled;
+    private final HeaderWriter[] additionalHeaderWriters;
+    private final HstsHeaderWriter hstsHeaderWriter;
+
+    LogSearchCompositeHeaderWriter(boolean sslEnabled, HeaderWriter... additionalHeaderWriters) {
+      this.sslEnabled = sslEnabled;
+      this.additionalHeaderWriters = additionalHeaderWriters;
+      this.hstsHeaderWriter = new HstsHeaderWriter();
+    }
+
+    @Override
+    public void writeHeaders(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
+      for (HeaderWriter headerWriter : additionalHeaderWriters) {
+        headerWriter.writeHeaders(httpServletRequest, httpServletResponse);
+      }
+      if (sslEnabled) {
+        hstsHeaderWriter.writeHeaders(httpServletRequest, httpServletResponse);
+      }
+    }
+  }
+
 }
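Review bot: The `sslEnabled` guard in `writeHeaders` does not add protection: `new HstsHeaderWriter()` defaults to a `SecureRequestMatcher`, so it already writes `Strict-Transport-Security` only when `request.isSecure()`; the flag can only withhold the header further, and when the configured protocol is https but requests reach the app over plain HTTP (a TLS-terminating proxy in front, for example) neither the flag nor the matcher lets it through, so HSTS is silently never sent. Either drop the flag and rely on the matcher, or pass an explicit `RequestMatcher` to `HstsHeaderWriter` when the protocol setting is meant to be authoritative, and document which one is intended. The class reads no `SecurityConfig` state, so it should be a static nested class and should not keep the caller's varargs array: `private static final class LogSearchCompositeHeaderWriter implements HeaderWriter {` and `this.additionalHeaderWriters = additionalHeaderWriters.clone();`. A one-line Javadoc such as `/** Writes the given headers on every response, and HSTS only when TLS is enabled for this server. */` would state the contract the constructor flag is meant to enforce.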


 
