[ZEPPELIN-2461] Masking Jetty Server version with User-configurable parameter
### What is this PR for? Security-conscious organisations do not want to reveal the application server name and version, to prevent script kiddies from easily finding that information when fingerprinting the application. The exact version number can tell an attacker whether the current application server is patched for, or vulnerable to, certain publicly known CVEs associated with it. ### What type of PR is it? [Improvement | Feature] ### What is the Jira issue? * [ZEPPELIN-2461](https://issues.apache.org/jira/browse/ZEPPELIN-2461) ### How should this be tested? Providing a value in zeppelin-site.xml will replace the actual Jetty server version found in the HTTP header with the provided value. E.g. - edit zeppelin-site.xml and add a property `zeppelin.server.jetty.name` with the value, say, `TOMCAT` - restart the server - open the app in a browser, then observe the response headers for the key "Server"; this should now reflect "TOMCAT" ### Screenshots (if appropriate) ### Questions: * Do the license files need updating? N/A * Are there breaking changes for older versions? N/A * Does this need documentation? 
N/A
Author: krishna-pandey <[email protected]>
Closes #2293 from krishna-pandey/ZEPPELIN-2461 and squashes the following commits:
b071f7ad0 [krishna-pandey] Set App Server name to config value
Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/5ead465e
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/5ead465e
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/5ead465e
Branch: refs/heads/branch-0.7
Commit: 5ead465e5e7d5226128c5e46517463aeabc17370
Parents: 556a211
Author: krishna-pandey <[email protected]>
Authored: Thu Apr 27 16:14:33 2017 +0530
Committer: Prabhjyot Singh <[email protected]>
Committed: Tue Aug 15 11:07:59 2017 -0700
----------------------------------------------------------------------
conf/zeppelin-site.xml.template | 8 ++++++++
.../main/java/org/apache/zeppelin/server/ZeppelinServer.java | 3 +++
.../java/org/apache/zeppelin/conf/ZeppelinConfiguration.java | 7 ++++++-
3 files changed, 17 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/zeppelin/blob/5ead465e/conf/zeppelin-site.xml.template
----------------------------------------------------------------------
diff --git a/conf/zeppelin-site.xml.template b/conf/zeppelin-site.xml.template
index 620f2be..85341c3 100755
--- a/conf/zeppelin-site.xml.template
+++ b/conf/zeppelin-site.xml.template
@@ -328,4 +328,12 @@
 <description>Enable directory listings on server.</description>
 </property>
+<!--
+<property>
+ <name>zeppelin.server.jetty.name</name>
+ <value>Jetty(7.6.0.v20120127)</value>
+ <description>Hardcoding Application Server name to Prevent Fingerprinting</description>
+</property>
+-->
+
 </configuration>
http://git-wip-us.apache.org/repos/asf/zeppelin/blob/5ead465e/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
----------------------------------------------------------------------
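Review bot: The commented-out example value `Jetty(7.6.0.v20120127)` is itself a concrete product/version string, so an operator who uncomments the template as-is still advertises a Jetty release (just a different one) rather than hiding the server identity the property is meant to protect. A neutral example such as `<value>Application Server</value>` would make the intent clearer, and the description could state what the value actually does, e.g. `<description>Text sent in the HTTP Server response header instead of the real Jetty version, to reduce fingerprinting</description>`. The template comment is otherwise fine.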
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java b/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
index abce92f..fdd2530 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
@@ -187,6 +187,9 @@ public class ZeppelinServer extends Application {
 LOG.info("Starting zeppelin server");
 try {
 jettyWebServer.start(); //Instantiates ZeppelinServer
+ if (conf.getJettyName() != null) {
+ org.eclipse.jetty.http.HttpGenerator.setJettyVersion(conf.getJettyName());
+ }
 } catch (Exception e) {
 LOG.error("Error while running jettyServer", e);
 System.exit(-1);
http://git-wip-us.apache.org/repos/asf/zeppelin/blob/5ead465e/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
----------------------------------------------------------------------
diff --git a/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java b/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
index cf2832f..97ad60d 100644
--- a/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
+++ b/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
@@ -475,6 +475,10 @@ public class ZeppelinConfiguration extends XMLConfiguration {
 return getString(ConfVars.ZEPPELIN_WEBSOCKET_MAX_TEXT_MESSAGE_SIZE);
 }
+ public String getJettyName() {
+ return getString(ConfVars.ZEPPELIN_SERVER_JETTY_NAME);
+ }
+
 public Map<String, String> dumpConfigurations(ZeppelinConfiguration conf,
 ConfigurationKeyPredicate predicate) {
 Map<String, String> configurations = new HashMap<>();
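Review bot: The masking is applied only after `jettyWebServer.start()` returns, so the connector is already accepting requests while the real Jetty version is still configured; any request served in that window gets the genuine `Server` header, which defeats the purpose of the setting. Moving the override ahead of the start call closes that window and also avoids calling `conf.getJettyName()` twice: `String jettyName = conf.getJettyName();` / `if (jettyName != null) { org.eclipse.jetty.http.HttpGenerator.setJettyVersion(jettyName); }` / `jettyWebServer.start(); //Instantiates ZeppelinServer`. Since `setJettyVersion` is a static, process-wide setting on `HttpGenerator`, a one-line comment saying so would help the next reader, and it is worth noting that if the Jetty in use supports `HttpConfiguration.setSendServerVersion(false)`, suppressing the header entirely is the simpler option for deployments that do not want a decoy value. The enclosing method continues outside this hunk.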
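Review bot: `getJettyName()` has no Javadoc, and its null return is load-bearing for the caller (null means "keep Jetty's real version"), so that contract should be written down: `/** Text to send as the HTTP {@code Server} header in place of Jetty's real version, or {@code null} when {@code zeppelin.server.jetty.name} is not set. */`. Depending on how `XMLConfiguration.getString` treats a present-but-empty element (not visible here), an empty string would pass the caller's null check and be installed as the version, which may or may not be intended; the Javadoc should say which behaviour is expected.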
@@ -617,7 +621,8 @@ public class ZeppelinConfiguration extends XMLConfiguration {
 ZEPPELIN_ANONYMOUS_ALLOWED("zeppelin.anonymous.allowed", true),
 ZEPPELIN_CREDENTIALS_PERSIST("zeppelin.credentials.persist", true),
 ZEPPELIN_WEBSOCKET_MAX_TEXT_MESSAGE_SIZE("zeppelin.websocket.max.text.message.size", "1024000"),
- ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED("zeppelin.server.default.dir.allowed", false);
+ ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED("zeppelin.server.default.dir.allowed", false),
+ ZEPPELIN_SERVER_JETTY_NAME("zeppelin.server.jetty.name", null);
 private String varName;
 @SuppressWarnings("rawtypes")
