Repository: sentry Updated Branches: refs/heads/master 03a872923 -> 6f398378c
SENTRY-2068: Disable HTTP TRACE method from the Sentry Web Server (Sergio Pena, reviewed by Alexander Kolbasov, Na Li) Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/6f398378 Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/6f398378 Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/6f398378 Branch: refs/heads/master Commit: 6f398378c549e0aa0f681a538d575510694d39ad Parents: 03a8729 Author: Sergio Pena <[email protected]> Authored: Wed Nov 22 15:18:26 2017 -0600 Committer: Sergio Pena <[email protected]> Committed: Wed Nov 22 15:18:26 2017 -0600
----------------------------------------------------------------------
.../db/service/thrift/SentryWebServer.java | 31 +++++++++++++++++++-
.../thrift/TestSentryWebServerWithKerberos.java | 8 +++++
.../thrift/TestSentryWebServerWithSSL.java | 12 ++++++++
.../TestSentryWebServerWithoutSecurity.java | 8 +++++
4 files changed, 58 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/6f398378/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryWebServer.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryWebServer.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryWebServer.java
index 95b87ad..0e1f97e 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryWebServer.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryWebServer.java
@@ -39,6 +39,8 @@ import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
 import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.eclipse.jetty.security.ConstraintMapping;
+import org.eclipse.jetty.security.ConstraintSecurityHandler;
 import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.Handler;
 import org.eclipse.jetty.server.HttpConfiguration;
@@ -54,6 +56,7 @@ import org.eclipse.jetty.servlet.FilterHolder;
 import org.eclipse.jetty.servlet.ServletContextHandler;
 import org.eclipse.jetty.servlet.ServletHolder;
 import org.eclipse.jetty.util.resource.Resource;
+import org.eclipse.jetty.util.security.Constraint;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -154,7 +157,33 @@ public class SentryWebServer {
 filterHolder.setInitParameters(loadWebAuthenticationConf(conf));
 }
- server.setHandler(contextHandlerCollection);
+ server.setHandler(disableTraceMethod(contextHandlerCollection));
+ }
+
+ /**
+ * Disables the HTTP TRACE method request which leads to Cross-Site Tracking (XST) problems.
+ *
+ * To disable it, we need to wrap the Handler (which has the HTTP TRACE enabled) with
+ * a constraint that denies access to the HTTP TRACE method.
+ *
+ * @param handler The Handler which has the HTTP TRACE enabled.
+ * @return A new Handler wrapped with the HTTP TRACE constraint and the Handler passed as parameter.
+ */
+ private Handler disableTraceMethod(Handler handler) {
+ Constraint disableTraceConstraint = new Constraint();
+ disableTraceConstraint.setName("Disable TRACE");
+ disableTraceConstraint.setAuthenticate(true);
+
+ ConstraintMapping mapping = new ConstraintMapping();
+ mapping.setConstraint(disableTraceConstraint);
+ mapping.setMethod("TRACE");
+ mapping.setPathSpec("/");
+
+ ConstraintSecurityHandler constraintSecurityHandler = new ConstraintSecurityHandler();
+ constraintSecurityHandler.addConstraintMapping(mapping);
+ constraintSecurityHandler.setHandler(handler);
+
+ return constraintSecurityHandler;
 }
 public void start() throws Exception{
http://git-wip-us.apache.org/repos/asf/sentry/blob/6f398378/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
index 09ee6b4..8062cb0 100644
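Review bot: The Javadoc on the new disableTraceMethod misnames the weakness: the reason to refuse TRACE is Cross-Site Tracing, not "Cross-Site Tracking", so the first sentence should read `* Disables the HTTP TRACE method, whose echo of request headers enables Cross-Site Tracing (XST).` The constraint also relies on a Jetty idiom that reads like a login requirement — `setAuthenticate(true)` with no roles declared is what makes the constraint unsatisfiable and yields the 403 the new tests assert — so a why-comment such as `// authenticate=true with no roles: unsatisfiable by design, so Jetty answers 403 without consulting any authenticator` belongs on that line. `mapping.setPathSpec("/")` is Jetty's default-servlet spec and covers every path only while it is the sole mapping; if further constraint mappings are added later, `"/*"` is the unambiguous catch-all. The method that now calls disableTraceMethod starts above the hunk, and start() continues below it.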
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
@@ -164,4 +164,12 @@ public class TestSentryWebServerWithKerberos extends SentryServiceIntegrationBas
 }
 });
 }
+
+ @Test
+ public void testTraceIsDisabled() throws Exception {
+ final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort);
+ HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+ conn.setRequestMethod("TRACE");
+ Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());
+ }
 }
http://git-wip-us.apache.org/repos/asf/sentry/blob/6f398378/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithSSL.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithSSL.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithSSL.java
index d1d0b4b..f921793 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithSSL.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithSSL.java
@@ -18,6 +18,7 @@ package org.apache.sentry.provider.db.service.thrift;
 import com.google.common.io.Resources;
+import java.net.HttpURLConnection;
 import org.apache.commons.io.IOUtils;
 import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
 import org.junit.*;
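Review bot: testTraceIsDisabled opens an HttpURLConnection and never releases it; the same body is repeated verbatim in TestSentryWebServerWithSSL and TestSentryWebServerWithoutSecurity in this commit, so the fix applies to all three. Releasing it is one line: `try { Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode()); } finally { conn.disconnect(); }`. Since all three classes extend SentryServiceIntegrationBase (per the hunk headers), the shared request-and-assert part is a candidate for a protected helper on that base class, leaving only the scheme and trust-store setup per test. In this Kerberos-secured variant the request carries no credentials, so asserting 403 rather than 401 is also the evidence that TRACE is refused before any authentication challenge — presumably because the constraint handler wraps the context hosting the authentication filter — and a comment stating that intent would keep a future maintainer from "fixing" the expected code.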
@@ -49,4 +50,15 @@ public class TestSentryWebServerWithSSL extends SentryServiceIntegrationBase {
 String response = IOUtils.toString(conn.getInputStream());
 Assert.assertEquals("pong\n", response);
 }
+
+ @Test
+ public void testTraceIsDisabled() throws Exception {
+ final URL url = new URL("https://"+ SERVER_HOST + ":" + webServerPort);
+ Properties systemProps = System.getProperties();
+ systemProps.put( "javax.net.ssl.trustStore", Resources.getResource("cacerts.jks").getPath());
+ System.setProperties(systemProps);
+ HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+ conn.setRequestMethod("TRACE");
+ Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());
+ }
 }
http://git-wip-us.apache.org/repos/asf/sentry/blob/6f398378/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithoutSecurity.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithoutSecurity.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithoutSecurity.java
index 4a913e5..6dd1804 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithoutSecurity.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithoutSecurity.java
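Review bot: The trust-store setup in testTraceIsDisabled is a round trip through the live system Properties object: `System.getProperties()` returns that object, so `put` already mutates it and the following `System.setProperties(systemProps)` re-installs what is already installed. `System.setProperty("javax.net.ssl.trustStore", Resources.getResource("cacerts.jks").getPath());` says the same in one line. The value is process-global state that the test never restores, and the ping test above (outside the hunk) appears to perform the same setup; moving it to a @BeforeClass with an @AfterClass restore would run it once and keep it from leaking into other test classes in the same JVM.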
@@ -84,4 +84,12 @@ public class TestSentryWebServerWithoutSecurity extends SentryServiceIntegration
 String defaultResponse = IOUtils.toString(conn.getInputStream());
 Assert.assertEquals(xmlResponse, defaultResponse);
 }
+
+ @Test
+ public void testTraceIsDisabled() throws Exception {
+ final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort);
+ HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+ conn.setRequestMethod("TRACE");
+ Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());
+ }
 }
