[ https://issues.apache.org/jira/browse/DRILL-7648?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dmytro Kondriukov closed DRILL-7648.
------------------------------------
verified. fixed

> Scrypt j_security_check works without security headers
> -------------------------------------------------------
>
>                 Key: DRILL-7648
>                 URL: https://issues.apache.org/jira/browse/DRILL-7648
>             Project: Apache Drill
>          Issue Type: Bug
>    Affects Versions: 1.17.0
>            Reporter: Dmytro Kondriukov
>            Assignee: Igor Guzenko
>            Priority: Major
>              Labels: ready-to-commit
>             Fix For: 1.18.0
>
>
> *Preconditions:*
> drill-override.conf
> {noformat}
> drill.exec: {
>   cluster-id: "drillbits1",
>   zk.connect: "localhost:5181"
>   impersonation: {
>     enabled: true,
>     max_chained_user_hops: 3
>   },
>   security: {
>     auth.mechanisms : ["PLAIN"],
>   },
>   security.user.auth: {
>     enabled: true,
>     packages += "org.apache.drill.exec.rpc.user.security",
>     impl: "pam4j",
>     pam_profiles: [ "sudo", "login" ]
>   }
>   http: {
>     ssl_enabled: true,
>     jetty.server.response.headers: {
>       "X-XSS-Protection": "1; mode=block",
>       "X-Content-Type-Options": "nosniff",
>       "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
>       "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"
>     }
>   }
> }
> {noformat}
>
> *Steps:*
> 1. Perform login to drillbit webUI
> 2. Check in browser console in tab "network" headers of resource https://node1.cluster.com:8047/j_security_check
> 3. Check section "response headers"
> *Expected result:* security headers are present
> *Actual result:* security headers are absent
> 4. Check section "Form Data"
> *Expected result:* parameter "j_password" content is hidden
> *Actual result:* parameter "j_password" content is visible

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
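An added verification helper (not part of Apache Drill or this ticket): it takes a raw HTTP response header block, as copied from `curl -i` or the browser's Network tab, and reports which of the headers configured under `jetty.server.response.headers` in the ticket's drill-override.conf are missing or carry a different value. The two responses below are constructed to model the ticket (main page with headers, `/j_security_check` without), not real drillbit output.

```python
# Added example: check that the headers configured in drill-override.conf are
# actually emitted on a given response. Expected values are copied from the ticket.
EXPECTED_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
    "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:",
}


def parse_raw_headers(raw: str) -> dict:
    """Parse a raw response header block into {lower-cased name: value}.
    The first line is the status line; parsing stops at the first blank line."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return headers


def missing_security_headers(raw_response: str, expected=EXPECTED_HEADERS) -> dict:
    """Return {header: reason} for every expected header that is absent or has
    an unexpected value; an empty dict means the response is compliant."""
    actual = parse_raw_headers(raw_response)
    problems = {}
    for name, want in expected.items():
        got = actual.get(name.lower())  # header names are case-insensitive
        if got is None:
            problems[name] = "missing"
        elif got != want:
            problems[name] = f"unexpected value: {got!r}"
    return problems


# Constructed sample responses (not captured from a real drillbit).
MAIN_PAGE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000;includeSubDomains
Content-Security-Policy: default-src https:; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:
"""
LOGIN_RESPONSE = """HTTP/1.1 302 Found
Location: https://node1.cluster.com:8047/
Set-Cookie: JSESSIONID=constructedvalue; Secure; HttpOnly
"""

if __name__ == "__main__":
    for path, raw in [("/", MAIN_PAGE_RESPONSE), ("/j_security_check", LOGIN_RESPONSE)]:
        print(path, missing_security_headers(raw) or "all configured security headers present")
```

Running the same check against every endpoint the web UI exposes (not just `/`) is what catches this class of bug, since the login handler here is served by a different code path than the page that set the headers.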