[ https://issues.apache.org/jira/browse/HBASE-19352?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16274975#comment-16274975 ]

Mike Drob commented on HBASE-19352:
-----------------------------------

Manually retriggered QA for you.

{code}
+      SessionManager sm = handler.getSessionManager();
+      if (sm instanceof AbstractSessionManager) {
+        AbstractSessionManager asm = (AbstractSessionManager) sm;
+        asm.setHttpOnly(true);
+        asm.getSessionCookieConfig().setSecure(true);
+      }
{code}
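Review bot: `asm.getSessionCookieConfig().setSecure(true)` is applied unconditionally, so on a server that is not using SSL the browser will withhold the authentication cookie and authenticated requests will fail; consider setting Secure only when the server is configured for HTTPS. In the same block, the case where the session manager is not an `AbstractSessionManager` is skipped silently, which leaves the cookie without either flag and no signal that the hardening was not applied; log a warning or fail fast in that branch.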
Make a helper method that takes a handler and modifies the session manager on it?

What does it mean if it's not an instance of AbstractSessionManager?

In the test:

{code}
+import javax.servlet.*;
{code}
nit: wildcard imports

{code}
+  private static final String BASEDIR = System.getProperty("test.build.dir",
+      "target/test-dir") + "/" + 
org.apache.hadoop.hbase.http.TestHttpCookieFlag.class.getSimpleName();

+    File base = new File(BASEDIR);
+    FileUtil.fullyDelete(base);
+    base.mkdirs();
{code}
Could use junit TemporaryFolder rule.

{code}
+    sslConfDir = KeyStoreTestUtil.getClasspathDir(TestSSLHttpServer.class);
{code}
should this be TestHttpCookieFlag.class?

{code}
+            //.excludeCiphers(
+            //        sslConf.get("ssl.server.exclude.cipher.list"))
{code}
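Review bot: the two commented-out lines leave the `ssl.server.exclude.cipher.list` exclusion disabled in the test server, so the test exercises a looser TLS configuration than the one that setting is meant to enforce; either delete the dead code or restore the call and add a comment explaining why it must be skipped on some platforms.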
Is this a hack for os-specific testing?

{code}
+    Assert.assertTrue(header != null);
+    Assert.assertTrue(!cookies.isEmpty());
+    Assert.assertTrue(header.contains("; HttpOnly"));
+    Assert.assertTrue("token".equals(cookies.get(0).getValue()));
{code}
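Review bot: these assertions cover the HttpOnly attribute and the cookie value but not the Secure attribute this issue also adds; unless it is checked elsewhere in the test, add an assertion such as `Assert.assertTrue(header.contains("; Secure"))` (or an `assertEquals` against the full expected Set-Cookie header) so a regression of the Secure flag is caught.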
nit: please use assertNull, assertFalse, and assertEquals as appropriate (including error messages for the ones that aren't assertEquals)

> Port HADOOP-10379: Protect authentication cookies with the HttpOnly and Secure flags
> ------------------------------------------------------------------------------------
>
>                 Key: HBASE-19352
>                 URL: https://issues.apache.org/jira/browse/HBASE-19352
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Esteban Gutierrez
>            Assignee: Esteban Gutierrez
>         Attachments: HBASE-19352.master.v0.patch
>
>
> This came via a security scanner, since we have a fork of HttpServer2 in 
> HBase we should include it too.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)