This is an automated email from the ASF dual-hosted git repository. kxiao pushed a commit to branch branch-2.0 in repository https://gitbox.apache.org/repos/asf/doris.git
commit 6c543d7b74e335fc6743858694da7ef5c3d04cc2
Author: Petrichor <[email protected]>
AuthorDate: Tue Oct 10 06:25:09 2023 -0500
[fix](httpserver) creating this cookie without the "secure" flag and enabling cross-origin resource safe (#25107)
---
fe/fe-common/src/main/java/org/apache/doris/common/Config.java | 7 +++++++
.../main/java/org/apache/doris/httpv2/config/WebConfigurer.java | 2 +-
.../java/org/apache/doris/httpv2/controller/BaseController.java | 1 +
3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
index d2a44d631e4..dae88cf40f4 100644
--- a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
+++ b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
@@ -2185,4 +2185,11 @@ public class Config extends ConfigBase {
 + "If this database conflicts with a user's own database, please modify this field to replace "
 + "the name of the Doris built-in MySQL database with a different name."})
 public static String mysqldb_replace_name = "mysql";
+ @ConfField(description = {
+ "设置允许跨域访问的特定域名,默认允许任何域名跨域访问",
+ "Set the specific domain name that allows cross-domain access. "
+ + "By default, any domain name is allowed cross-domain access"
+ })
+ public static String access_control_allowed_origin_domain = "*";
+
 }
diff --git a/fe/fe-core/src/main/java/org/apache/doris/httpv2/config/WebConfigurer.java b/fe/fe-core/src/main/java/org/apache/doris/httpv2/config/WebConfigurer.java
index ca79c3a6f5b..aef48def57a 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/httpv2/config/WebConfigurer.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/httpv2/config/WebConfigurer.java
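Review bot: The description of `access_control_allowed_origin_domain` in Config.java calls the value a domain name, but the WebConfigurer hunk hands it to Spring's `allowedOrigins`, which is compared with the browser's `Origin` header, so the value has to be a full origin including the scheme and, where needed, the port. A bare host name would presumably match no request and silently block every cross-origin call. I would reword the English text to `"Origin allowed to make cross-origin requests, written as scheme://host[:port]. The default \"*\" allows any origin."` and update the Chinese text to match. The default stays `"*"`, so nothing is restricted until an operator sets the field; that is worth stating in the description as well.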
@@ -48,7 +48,7 @@ public class WebConfigurer implements WebMvcConfigurer {
 registry.addMapping("/**")
 .allowCredentials(false)
 .allowedMethods("*")
- .allowedOrigins("*")
+ .allowedOrigins(Config.access_control_allowed_origin_domain)
 .allowedHeaders("*")
 .maxAge(3600);
 }
diff --git a/fe/fe-core/src/main/java/org/apache/doris/httpv2/controller/BaseController.java b/fe/fe-core/src/main/java/org/apache/doris/httpv2/controller/BaseController.java
index 091ca673edb..4bd2eebf9af 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/httpv2/controller/BaseController.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/httpv2/controller/BaseController.java
@@ -103,6 +103,7 @@ public class BaseController {
 protected void addSession(HttpServletRequest request, HttpServletResponse response, SessionValue value) {
 String key = UUID.randomUUID().toString();
 Cookie cookie = new Cookie(PALO_SESSION_ID, key);
+ cookie.setSecure(true);
 cookie.setMaxAge(PALO_SESSION_EXPIRED_TIME);
 cookie.setPath("/");
 cookie.setHttpOnly(true);
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
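Review bot: In the CORS mapping in WebConfigurer.java the configured value is passed to `allowedOrigins` as a single string, so an operator who lists several origins separated by commas ends up with one literal origin that no request matches. `allowedOrigins` takes varargs, so splitting the setting keeps the single-value and `"*"` cases working and also supports a list: `.allowedOrigins(Config.access_control_allowed_origin_domain.split("\\s*,\\s*"))`. The enclosing method starts above the hunk, so whether the value is validated or trimmed elsewhere is not visible here.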
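Review bot: `cookie.setSecure(true)` in addSession is unconditional, so on a frontend reached over plain HTTP the browser will not send the session cookie back and web UI logins would stop working; nothing in the hunk checks how the request arrived. If plain-HTTP deployments are still supported, derive the flag from the connection, for example `cookie.setSecure(request.isSecure());`, keeping in mind that behind a TLS-terminating proxy `isSecure()` describes the proxy hop unless forwarded headers are honoured. Otherwise add a comment such as `// Session cookie is HTTPS-only; the web UI requires TLS.` and state the requirement in the upgrade notes. The body of addSession continues below the hunk.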
