-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47819/
-----------------------------------------------------------
(Updated May 27, 2016, 4:43 a.m.)
Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni,
Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, and
Velmurugan Periasamy.
Changes
-------
Added Apache jira : RANGER-995
Summary (updated)
-----------------
RANGER-995 : Add CSRF Filter for REST APIs to Ranger
Bugs: RANGER-995
https://issues.apache.org/jira/browse/RANGER-995
Repository: ranger
Description
-------
CSRF prevention for REST APIs can be provided through a common servlet filter.
This filter would check for the existence of an expected (configurable) HTTP
header - such as X-XSRF-Header.
The fact that CSRF attacks are entirely browser based means that the above
approach can ensure that requests are coming from either: applications served
by the same origin as the REST API or that there is explicit policy
configuration that allows the setting of a header on XmlHttpRequest from
another origin.
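The header check described above, as an added example that is not Ranger's own RangerCSRFPreventionFilter: a minimal servlet filter that rejects requests lacking the configured header. The init-parameter names, the default header name X-XSRF-HEADER, and the exemption of read-only methods (GET, HEAD, OPTIONS) are assumptions, not taken from the patch.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Example filter (not the Ranger project's code). A browser cannot attach a
// custom header to a cross-site form post or image request, so requiring the
// header proves the call was made by script from the same origin (or one that
// CORS policy explicitly allowed to set it).
public class CsrfHeaderFilter implements Filter {
    // Assumed init-parameter names; the real filter's names may differ.
    static final String HEADER_PARAM = "csrf.header.name";
    static final String IGNORE_PARAM = "csrf.methods.to.ignore";

    private String headerName = "X-XSRF-HEADER";                 // assumed default
    private Set<String> ignoredMethods =
            new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS")); // assumed default

    @Override
    public void init(FilterConfig config) {
        String h = config.getInitParameter(HEADER_PARAM);
        if (h != null && !h.isEmpty()) headerName = h;
        String m = config.getInitParameter(IGNORE_PARAM);
        if (m != null && !m.isEmpty()) {
            ignoredMethods = new HashSet<>();
            for (String s : m.split(",")) ignoredMethods.add(s.trim().toUpperCase());
        }
    }

    // Only the header's presence is checked, matching the approach in the description.
    boolean isAllowed(String method, String headerValue) {
        return ignoredMethods.contains(method.toUpperCase()) || headerValue != null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        if (isAllowed(http.getMethod(), http.getHeader(headerName))) {
            chain.doFilter(req, res);
        } else {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Missing required header " + headerName);
        }
    }

    @Override
    public void destroy() { }
}
```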
Diffs (updated)
-----
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 19a1509
security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java PRE-CREATION
security-admin/src/main/resources/conf.dist/ranger-admin-site.xml c1a91ae
security-admin/src/main/resources/conf.dist/security-applicationContext.xml 66ef8af
security-admin/src/main/webapp/scripts/Main.js 460c91a
security-admin/src/main/webapp/scripts/modules/RestCsrf.js PRE-CREATION
security-admin/src/test/java/org/apache/ranger/security/web/filter/TestRangerCSRFPreventionFilter.java PRE-CREATION
Diff: https://reviews.apache.org/r/47819/diff/
Testing
-------
1. Tested against unit test for CSRF
2. Tested Ranger Admin (with GET/PUT/POST/DELETE/OPTIONS methods)
3. Tested User sync
4. Tested for Ranger HDFS Plugin.
Thanks,
Ankita Sinha