YARN-7338. Support same origin policy for cross site scripting prevention. (Sunil G via wangda)
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/298b174f Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/298b174f Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/298b174f Branch: refs/heads/HDFS-9806 Commit: 298b174f663a06e67098f7b5cd645769c1a98a80 Parents: 3dd3d1d Author: Wangda Tan <[email protected]> Authored: Thu Oct 19 14:44:42 2017 -0700 Committer: Wangda Tan <[email protected]> Committed: Thu Oct 19 14:44:42 2017 -0700 ---------------------------------------------------------------------- .../org/apache/hadoop/yarn/webapp/WebApps.java | 22 ++++++++++++++++++++ 1 file changed, 22 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/298b174f/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApps.java ---------------------------------------------------------------------- diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApps.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApps.java index 9c5e8c3..4f1cacf 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApps.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApps.java @@ -401,6 +401,7 @@ public class WebApps { WebApp webApp = build(webapp); HttpServer2 httpServer = webApp.httpServer(); if (ui2Context != null) { + addFiltersForNewContext(ui2Context); httpServer.addHandlerAtFront(ui2Context); } try { @@ -413,6 +414,27 @@ public class WebApps { return webApp; } + private void addFiltersForNewContext(WebAppContext ui2Context) { + Map<String, String> params = getConfigParameters(csrfConfigPrefix); + + if (hasCSRFEnabled(params)) { + LOG.info("CSRF Protection has been enabled for the {} application. " + + "Please ensure that there is an authentication mechanism " + + "enabled (kerberos, custom, etc).", name); + String restCsrfClassName = RestCsrfPreventionFilter.class.getName(); + HttpServer2.defineFilter(ui2Context, restCsrfClassName, + restCsrfClassName, params, new String[]{"/*"}); + } + + params = getConfigParameters(xfsConfigPrefix); + + if (hasXFSEnabled()) { + String xfsClassName = XFrameOptionsFilter.class.getName(); + HttpServer2.defineFilter(ui2Context, xfsClassName, xfsClassName, params, + new String[]{"/*"}); + } + } + private String inferHostClass() { String thisClass = this.getClass().getName(); Throwable t = new Throwable(); --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
