This is an automated email from the ASF dual-hosted git repository. rajksingh pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/hive.git
The following commit(s) were added to refs/heads/master by this push: new 4cc3ae9 HIVE-23498: Disable HTTP Trace method on ThriftHttpCliService (Rajkumar Singh, reviewed by Naveen Gangam) 4cc3ae9 is described below commit 4cc3ae97d48b359a47c3608c7b307c58233e088d Author: Rajkumar Singh <rajksi...@apache.org> AuthorDate: Mon Jun 1 20:05:12 2020 -0700 HIVE-23498: Disable HTTP Trace method on ThriftHttpCliService (Rajkumar Singh, reviewed by Naveen Gangam)
---
 .../service/cli/thrift/ThriftHttpCLIService.java | 26 ++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java
index 6652668..8524c12 100644
--- a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java
+++ b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java
@@ -45,6 +45,8 @@ import org.apache.thrift.protocol.TProtocolFactory;
 import org.apache.thrift.server.TServlet;
 import org.eclipse.jetty.io.Connection;
 import org.eclipse.jetty.io.EndPoint;
+import org.eclipse.jetty.security.ConstraintMapping;
+import org.eclipse.jetty.security.ConstraintSecurityHandler;
 import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.HttpConfiguration;
 import org.eclipse.jetty.server.HttpConnectionFactory;
@@ -53,6 +55,7 @@ import org.eclipse.jetty.server.ServerConnector;
 import org.eclipse.jetty.server.handler.gzip.GzipHandler;
 import org.eclipse.jetty.servlet.ServletContextHandler;
 import org.eclipse.jetty.servlet.ServletHolder;
+import org.eclipse.jetty.util.security.Constraint;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.eclipse.jetty.util.thread.ExecutorThreadPool;
@@ -192,6 +195,7 @@ public class ThriftHttpCLIService extends ThriftCLIService {
 server.setHandler(context);
 }
 context.addServlet(new ServletHolder(thriftHttpServlet), httpPath);
+ constrainHttpMethods(context, false);
 // TODO: check defaults: maxTimeout, keepalive, maxBodySize,
 // bodyRecieveDuration, etc.
@@ -269,6 +273,28 @@ public class ThriftHttpCLIService extends ThriftCLIService {
 return httpPath;
 }
+ public void constrainHttpMethods(ServletContextHandler ctxHandler, boolean allowOptionsMethod) {
+ Constraint c = new Constraint();
+ c.setAuthenticate(true);
+
+ ConstraintMapping cmt = new ConstraintMapping();
+ cmt.setConstraint(c);
+ cmt.setMethod("TRACE");
+ cmt.setPathSpec("/*");
+
+ ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
+ if (!allowOptionsMethod) {
+ ConstraintMapping cmo = new ConstraintMapping();
+ cmo.setConstraint(c);
+ cmo.setMethod("OPTIONS");
+ cmo.setPathSpec("/*");
+ securityHandler.setConstraintMappings(new ConstraintMapping[] {cmt, cmo});
+ } else {
+ securityHandler.setConstraintMappings(new ConstraintMapping[] {cmt});
+ }
+ ctxHandler.setSecurityHandler(securityHandler);
+ }
+
 @Override
 protected void stopServer() {
 if((server != null) && server.isStarted()) {
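Review bot: The literal `false` in `constrainHttpMethods(context, false);` also blocks OPTIONS on every path, although the commit title only mentions TRACE, and nothing at the call site says so. A browser-based client that sends a CORS preflight to this endpoint would presumably be refused as well, so this deserves either a configuration switch or at least a comment such as `// Reject TRACE and OPTIONS on all paths; pass true to keep OPTIONS available`. The enclosing method begins and ends outside the hunk, so whether another security handler is already set on `context` cannot be checked from here.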
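Review bot: `constrainHttpMethods` depends on an undocumented Jetty convention: a `Constraint` with `setAuthenticate(true)` and no roles is treated as forbidden, so the code reads as "require login" while it actually denies the method. A Javadoc should say that TRACE, and OPTIONS unless `allowOptionsMethod` is true, are refused for `/*` and that the call replaces any security handler already set on `ctxHandler`; a line comment like `// authenticate with no roles: Jetty treats the constraint as forbidden` belongs above `c.setAuthenticate(true);`. The method is `public` while its only caller in this diff is in the same class, so `private` would be the tighter choice unless subclasses or tests need it. No test accompanies the change; one that sends each blocked method to the started server and asserts the request is refused would pin the behaviour.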