[
https://issues.apache.org/jira/browse/HADOOP-12691?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15097275#comment-15097275
]
Chris Nauroth commented on HADOOP-12691:
----------------------------------------
Hi [~lmccay]. This looks great, and thank you for the design document. I have
just a few minor comments.
# Should we add TRACE to {{METHODS_TO_IGNORE_DEFAULT}}?
# Could you add some documentation to HttpAuthentication.md? I don't think it
needs a lot of documentation, but a mention of what it does and how to
configure it would be great.
# The design document contains this statement:
bq. Failure results in a 403 forbidden or 400 bad_request HTTP status response.
In the code though, I only saw it sending {{SC_BAD_REQUEST}}. Is there
supposed to be another case for sending {{SC_FORBIDDEN}}? (I think it's fine
how it is. I only mention this because I noticed a discrepancy between the doc
and the code.)
# Can you please remove this?
{code}
/* (non-Javadoc)
* @see javax.servlet.Filter#destroy()
*/
{code}
We prefer not to put those in the Hadoop codebase.
# Several tests have the comment "X-XSRF HAS been sent", but they are really
tests that don't send the header: {{testMissingCustomHeaderConfig_badRequest}},
{{testMissingHeaderNoMethodsToIgnoreConfig_badRequest}},
{{testMissingHeaderIgnoreGETMethodConfig_goodRequest}} and
{{testMissingHeaderIgnoreMultiMethodConfig_goodRequest}}.
# Is {{testMissingCustomHeaderConfig_badRequest}} supposed to configure a
custom header?
# The filter class's dependency on {{FilterConfig}} is for 2 method calls to
{{getInitParameter}}. It would be less total code if we mocked those 2 calls
and removed the full definition of the extra {{FilterConfigTest}} class. Do
you think that change makes sense?
> Add CSRF Filter for REST APIs to Hadoop Common
> ----------------------------------------------
>
> Key: HADOOP-12691
> URL: https://issues.apache.org/jira/browse/HADOOP-12691
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Larry McCay
> Assignee: Larry McCay
> Fix For: 3.0.0
>
> Attachments: CSRFProtectionforRESTAPIs.pdf, HADOOP-12691-001.patch,
> HADOOP-12691-002.patch
>
>
> CSRF prevention for REST APIs can be provided through a common servlet
> filter. This filter would check for the existence of an expected
> (configurable) HTTP header - such as X-XSRF-Header.
> The fact that CSRF attacks are entirely browser based means that the above
> approach can ensure that requests are coming from either: applications served
> by the same origin as the REST API or that there is explicit policy
> configuration that allows the setting of a header on XmlHttpRequest from
> another origin.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
