[jira] [Commented] (DRILL-7648) Scrypt j_security_check works without security headers

[ASF GitHub Bot (Jira)]

    [ 
https://issues.apache.org/jira/browse/DRILL-7648?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17064679#comment-17064679
 ] 

ASF GitHub Bot commented on DRILL-7648:
---------------------------------------

ihuzenko commented on pull request #2037: DRILL-7648: Scrypt j_security_check 
works without security headers
URL: https://github.com/apache/drill/pull/2037
 
 
   # [DRILL-7648](https://issues.apache.org/jira/browse/DRILL-7648): Scrypt 
j_security_check works without security headers
   
   ## Description
   
   1. Added callback for setting headers in DrillHttpSecurityHandlerProvider,
      since ResponseHeadersSettingFilter doesn't cover this flow.
   
   ## Documentation
   
   No need to document the bugfix.
   
   ## Testing
   
   Tested manually since the security configuration for using form-based 
authentication is hard to do in unit tests.
   
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Scrypt j_security_check works without security headers 
> -------------------------------------------------------
>
>                 Key: DRILL-7648
>                 URL: https://issues.apache.org/jira/browse/DRILL-7648
>             Project: Apache Drill
>          Issue Type: Bug
>    Affects Versions: 1.17.0
>            Reporter: Dmytro Kondriukov
>            Assignee: Igor Guzenko
>            Priority: Major
>             Fix For: 1.18.0
>
>
> *Preconditions:*
> drill-override.conf
> {noformat}
> drill.exec: {
>   cluster-id: "drillbits1",
>   zk.connect: "localhost:5181"
>   impersonation: {
>         enabled: true,
>         max_chained_user_hops: 3
>         },
>     security: {
>         auth.mechanisms : ["PLAIN"],
>         },
>     security.user.auth: {
>     enabled: true,
>     packages += "org.apache.drill.exec.rpc.user.security",
>     impl: "pam4j",
>     pam_profiles: [ "sudo", "login" ]
>     }
>   http: {
>     ssl_enabled: true,.
>     jetty.server.response.headers: {
>       "X-XSS-Protection": "1; mode=block",
>       "X-Content-Type-Options": "nosniff",
>       "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
>       "Content-Security-Policy": "default-src https:; script-src 
> 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: 
> https:; img-src data: https:"
>     }
>   }
> }
> {noformat}
> *Steps:*
> 1. Perform login to drillbit webUI
> 2. Check in browser console in tab "network" headers of resource 
> https://node1.cluster.com:8047/j_security_check
> 3. Check section "response headers"
> *Expected result:* security headers are present
> *Actual result:* security headers are absent
> 4. Check section "Form Data"
> *Expected result:* parameter "j_password" content is hidden
> *Actual result:* parameter "j_password" content is visible



--
This message was sent by Atlassian Jira
(v8.3.4#803005)