nijel created HADOOP-11677:
------------------------------

Summary: Missing secure session attributed for log and static contexts
Key: HADOOP-11677
URL: https://issues.apache.org/jira/browse/HADOOP-11677
Project: Hadoop Common
Issue Type: Bug
Reporter: nijel

In HTTPServer2.java, for the default context, the secure attributes are set.

{code}
SessionManager sm = webAppContext.getSessionHandler().getSessionManager();
if (sm instanceof AbstractSessionManager) {
  AbstractSessionManager asm = (AbstractSessionManager)sm;
  asm.setHttpOnly(true);
  asm.setSecureCookies(true);
}
{code}

But when the contexts are created for /logs and /static, new contexts are created and the session handler is assigned as null.

Here also the secure attributes need to be set.

Is it not done intentionally? Please give your thoughts.

Background: trying to add a login action for HTTP pages. After this, when a security test tool is used, it reports an error for these 2 URLs (/logs and /static).
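A per-context check of the kind the report describes, as an added example that is not part of the original message or of Hadoop's code: it parses Set-Cookie headers recorded for each context path and lists which session cookies lack the Secure or HttpOnly attribute. The cookie name JSESSIONID and the sample headers are assumptions constructed for illustration.

```python
# Constructed sample: Set-Cookie headers as a scanner might record them per
# context path. Values are placeholders, not real server output.
SAMPLE_RESPONSES = {
    "/": ["JSESSIONID=placeholder1;Path=/;Secure;HttpOnly"],
    "/logs": ["JSESSIONID=placeholder2;Path=/logs"],
    "/static": ["JSESSIONID=placeholder3;Path=/static;HttpOnly"],
}

# Attributes every session cookie is expected to carry (compared lowercased).
REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header):
    """Return (cookie_name, set of lowercased attribute names)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts:
        return "", set()
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; values (Path=..., Max-Age=...) are ignored.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs


def audit_contexts(responses, cookie_name="JSESSIONID"):
    """Map each context path to the required flags its session cookie lacks.

    cookie_name is an assumption; pass the name the server actually uses.
    Paths whose session cookie carries every required flag are omitted.
    """
    findings = {}
    for path, headers in responses.items():
        for header in headers:
            name, attrs = parse_set_cookie(header)
            if name != cookie_name:
                continue
            missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
            if missing:
                findings[path] = missing
    return findings


if __name__ == "__main__":
    for path, missing in sorted(audit_contexts(SAMPLE_RESPONSES).items()):
        print(f"{path}: session cookie missing {', '.join(missing)}")
```
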