[
https://issues.apache.org/jira/browse/HADOOP-4284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12634958#action_12634958
]
Kan Zhang commented on HADOOP-4284:
-----------------------------------
Also note that, this patch changes the way default directories "/logs" and
"/static" are added to the Jetty Server. They are now added through the
addWebApplication interface instead of the addContext interface. The reason is
that we want to get back a WebApplicationHandler object so that we can add
filters to it. As a side effect, the observation from HADOOP-4282 that you have
to test accessing an existent file to catch the bug is no longer valid. With
this patch, whether accessing an existent file or non-existent file in the
/logs or /static directory doesn't make a difference. Both accesses will fail
the test (TestServletFilter.java) and catch the bug (HADOOP-4282). Therefore,
in the junit test for this patch (TestGlobalFilter.java) we only tried to
access non-existent files. For example, we tested accessing non-existent file
"/logs/a.log" in TestGlobalFilter and it passes the test. I also tried to do
the same in TestServletFilter, it failed the test and hence caught the b
ug.
> Support for user configurable global filters on HttpServer
> ----------------------------------------------------------
>
> Key: HADOOP-4284
> URL: https://issues.apache.org/jira/browse/HADOOP-4284
> Project: Hadoop Core
> Issue Type: New Feature
> Components: dfs
> Reporter: Kan Zhang
> Attachments: 4284_20080925_78.patch, 4284_20080926_79.patch
>
>
> HADOOP-3854 introduced a framework for adding filters to filter browser
> facing urls. Sometimes, there is a need to filter all urls. For example, at
> Yahoo, we need to open an SSL port on the HttpServer and only accept hsftp
> requests from clients who can authenticate themselves using client
> certificate and is authorized according to certain policy file. For this to
> happen, we need a method to add a user configurable "global" filter, which
> filters on all client requests. For our purposes, such a global filter will
> block all https requests except those accessing the hsftp interface (it will
> let all http requests go through, so accesses through the normal http ports
> are unaffected). Moreover, those hsftp requests will be subject to further
> authorization checking according to the policy file.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
