[
https://issues.apache.org/jira/browse/OOZIE-1414?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13683530#comment-13683530
]
Alejandro Abdelnur commented on OOZIE-1414:
-------------------------------------------
+1, LGTM
> Configuring Oozie for HTTPS still allows HTTP connections to all resources
> --------------------------------------------------------------------------
>
> Key: OOZIE-1414
> URL: https://issues.apache.org/jira/browse/OOZIE-1414
> Project: Oozie
> Issue Type: Bug
> Components: security
> Reporter: Robert Kanter
> Assignee: Robert Kanter
> Priority: Blocker
> Fix For: trunk, 4.0.0
>
> Attachments: OOZIE-1414.patch
>
>
> When you run {{oozie-setup.sh prepare-war -secure}} it is supposed to replace
> server.xml with ssl-server.xml (in the oozie-server/conf/ dir) and web.xml
> with ssl-web.xml (in the WAR file).
> OOZIE-670 changed oozie-setup.sh to prepare the war file without calling
> addtowar.sh. However, the code added by OOZIE-1233 and OOZIE-1268 still
> delegates replacing web.xml with ssl-web.xml to addtowar.sh, which
> oozie-setup.sh no longer calls.
> Therefore, when you try to configure Oozie for HTTPS, it will use the
> original web.xml file; which means that {color:red}all resources are
> accessible from both HTTPS and *HTTP*.{color}
> This isn't an issue in Oozie 3.3.2 because it didn't include OOZIE-670, so
> addtowar.sh was still called.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
