GEODE-1532: Fix Pulse Clickjacking vuln.

* Removed firefox driver dependency
* This closes #256


Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/a78fa753
Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/a78fa753
Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/a78fa753

Branch: refs/heads/feature/GEODE-1466
Commit: a78fa7537dfd656521649d57245ecd7fa05b2d31
Parents: 6054e00
Author: Jared Stewart <jstew...@pivotal.io>
Authored: Mon Oct 10 18:48:01 2016 -0700
Committer: Jinmei Liao <jil...@pivotal.io>
Committed: Wed Oct 12 09:52:40 2016 -0700

----------------------------------------------------------------------
 geode-pulse/build.gradle                                 |  1 -
 geode-pulse/src/main/webapp/WEB-INF/spring-security.xml  |  5 +++++
 .../geode/tools/pulse/testbed/driver/PulseUITest.java    | 11 +++++++++--
 3 files changed, 14 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/a78fa753/geode-pulse/build.gradle
----------------------------------------------------------------------
diff --git a/geode-pulse/build.gradle b/geode-pulse/build.gradle
index ef29ab3..3d19dea 100755
--- a/geode-pulse/build.gradle
+++ b/geode-pulse/build.gradle
@@ -73,7 +73,6 @@ dependencies {
       exclude module: 'selenium-java' //by artifact name
   }
 
-  testCompile 'org.seleniumhq.selenium:selenium-firefox-driver:' + 
project.'selenium.version'
   testCompile 'org.seleniumhq.selenium:selenium-api:' + 
project.'selenium.version'
   testCompile 'org.seleniumhq.selenium:selenium-remote-driver:' + 
project.'selenium.version'
   testCompile 'org.seleniumhq.selenium:selenium-support:' + 
project.'selenium.version'

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/a78fa753/geode-pulse/src/main/webapp/WEB-INF/spring-security.xml
----------------------------------------------------------------------
diff --git a/geode-pulse/src/main/webapp/WEB-INF/spring-security.xml 
b/geode-pulse/src/main/webapp/WEB-INF/spring-security.xml
index b4fccf0..2842f64 100644
--- a/geode-pulse/src/main/webapp/WEB-INF/spring-security.xml
+++ b/geode-pulse/src/main/webapp/WEB-INF/spring-security.xml
@@ -47,6 +47,11 @@
                <form-login login-page="/Login.html"
                        
authentication-failure-handler-ref="authenticationFailureHandler"
                        default-target-url="/clusterDetail.html" />
+               <headers>
+                       <frame-options policy="DENY" />
+                       <content-type-options  />
+                       <xss-protection enabled="true" block="true" />
+               </headers>
                
                <logout logout-url="/pulse/clusterLogout" 
success-handler-ref="customLogoutSuccessHandler"/>
                
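Review bot: The new `<headers>` block omits `<cache-control />`, so responses for the authenticated pages behind `/clusterDetail.html` may still be stored by the browser cache and be viewable after logout on a shared machine; adding `<cache-control />` next to `<frame-options policy="DENY" />` closes that gap. Depending on the Spring Security version Pulse is built against, listing child elements may replace the default header set rather than extend it, in which case the cache-control and HSTS defaults are actually dropped here rather than merely unlisted, so this is worth confirming. `<hsts />` is only useful if Pulse is served over TLS, but it costs nothing to declare. Minor style point: `<content-type-options  />` carries a stray double space before the slash.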

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/a78fa753/geode-pulse/src/test/java/org/apache/geode/tools/pulse/testbed/driver/PulseUITest.java
----------------------------------------------------------------------
diff --git 
a/geode-pulse/src/test/java/org/apache/geode/tools/pulse/testbed/driver/PulseUITest.java
 
b/geode-pulse/src/test/java/org/apache/geode/tools/pulse/testbed/driver/PulseUITest.java
index ced298b..5a02edc 100644
--- 
a/geode-pulse/src/test/java/org/apache/geode/tools/pulse/testbed/driver/PulseUITest.java
+++ 
b/geode-pulse/src/test/java/org/apache/geode/tools/pulse/testbed/driver/PulseUITest.java
@@ -31,7 +31,8 @@ import org.junit.experimental.categories.Category;
 import org.openqa.selenium.By;
 import org.openqa.selenium.WebDriver;
 import org.openqa.selenium.WebElement;
-import org.openqa.selenium.firefox.FirefoxDriver;
+import org.openqa.selenium.phantomjs.PhantomJSDriver;
+import org.openqa.selenium.remote.DesiredCapabilities;
 import org.openqa.selenium.support.ui.ExpectedCondition;
 import org.openqa.selenium.support.ui.WebDriverWait;
 
@@ -77,7 +78,13 @@ public class PulseUITest {
 
     pulseURL = "http://"; + host + ":" + port + context;
     Thread.sleep(1000); //wait till tomcat settles down
-    driver = new FirefoxDriver();
+
+    DesiredCapabilities capabilities = new DesiredCapabilities();
+    capabilities.setJavascriptEnabled(true);
+    capabilities.setCapability("takesScreenshot", true);
+    capabilities.setCapability("phantomjs.page.settings.userAgent", 
"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:16.0) Gecko/20121026 
Firefox/16.0");
+
+    driver = new PhantomJSDriver(capabilities);
     driver.manage().window().maximize();//required to make all elements visible
 
     Thread.sleep(5000); //wait till pulse starts polling threads...
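Review bot: Nothing in this hunk, or elsewhere in the commit, asserts that the `X-Frame-Options: DENY` header added in spring-security.xml is actually returned, so the clickjacking fix has no regression test and could be lost silently in a later config edit. A plain-HTTP check against `pulseURL` (which this setup already builds, outside the hunk) that reads the response headers of the login page would pin it without involving Selenium at all; a sketch is below. The spoofed Firefox user-agent set via `phantomjs.page.settings.userAgent` deserves a one-line comment such as `// Pulse's UI appears to gate on the browser UA; PhantomJS's default UA is rejected — confirm` so a later reader does not remove it. The build.gradle hunk only removes the Firefox driver; I assume the PhantomJS driver artifact is the dependency whose `exclude module: 'selenium-java'` appears in that hunk's context, but the test classpath resolving `org.openqa.selenium.phantomjs.PhantomJSDriver` should be confirmed. The enclosing setup method begins before this hunk.
```java
  // … unchanged: setup creating pulseURL and the PhantomJSDriver …

  @Test
  public void securityHeadersArePresentOnLoginPage() throws Exception {
    HttpURLConnection conn = (HttpURLConnection) new URL(pulseURL + "/Login.html").openConnection();
    conn.setInstanceFollowRedirects(false);
    try {
      assertEquals("DENY", conn.getHeaderField("X-Frame-Options"));
      assertEquals("nosniff", conn.getHeaderField("X-Content-Type-Options"));
    } finally {
      conn.disconnect();
    }
  }
```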
