[ https://issues.apache.org/jira/browse/DRILL-7648?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dmytro Kondriukov closed DRILL-7648.
------------------------------------

verified. fixed

> Scrypt j_security_check works without security headers 
> -------------------------------------------------------
>
>                 Key: DRILL-7648
>                 URL: https://issues.apache.org/jira/browse/DRILL-7648
>             Project: Apache Drill
>          Issue Type: Bug
>    Affects Versions: 1.17.0
>            Reporter: Dmytro Kondriukov
>            Assignee: Igor Guzenko
>            Priority: Major
>              Labels: ready-to-commit
>             Fix For: 1.18.0
>
>
> *Preconditions:*
> drill-override.conf
> {noformat}
> drill.exec: {
>   cluster-id: "drillbits1",
>   zk.connect: "localhost:5181"
>   impersonation: {
>         enabled: true,
>         max_chained_user_hops: 3
>         },
>     security: {
>         auth.mechanisms : ["PLAIN"],
>         },
>     security.user.auth: {
>     enabled: true,
>     packages += "org.apache.drill.exec.rpc.user.security",
>     impl: "pam4j",
>     pam_profiles: [ "sudo", "login" ]
>     }
>   http: {
>     ssl_enabled: true,
>     jetty.server.response.headers: {
>       "X-XSS-Protection": "1; mode=block",
>       "X-Content-Type-Options": "nosniff",
>       "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
>       "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"
>     }
>   }
> }
> {noformat}
> *Steps:*
> 1. Perform login to drillbit webUI
> 2. Check in browser console in tab "network" headers of resource 
> https://node1.cluster.com:8047/j_security_check
> 3. Check section "response headers"
> *Expected result:* security headers are present
> *Actual result:* security headers are absent
> 4. Check section "Form Data"
> *Expected result:* parameter "j_password" content is hidden
> *Actual result:* parameter "j_password" content is visible



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
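An offline check for the symptom in this report, added here as an example (not Drill project code): it parses captured HTTP response heads and reports which of the headers configured under jetty.server.response.headers are absent. The two captures below are constructed to mirror the report, with the index page carrying the headers and the j_security_check redirect lacking them.

```python
"""Verify that every header configured in drill-override.conf's
jetty.server.response.headers block is present on each captured response.
Example code, not part of Apache Drill."""
from typing import Dict, List

# Header names and values taken from the jetty.server.response.headers block in the report.
REQUIRED_HEADERS: Dict[str, str] = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
    "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; "
                               "style-src 'unsafe-inline' https:; font-src data: https:; "
                               "img-src data: https:",
}

def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse a raw response head (status line + header lines) into a dict keyed by
    lower-cased header name; a repeated name keeps its last value."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def missing_headers(headers: Dict[str, str], required=REQUIRED_HEADERS) -> List[str]:
    """Return the required header names that are absent or carry a different value."""
    return [name for name, want in required.items() if headers.get(name.lower()) != want]

def audit(captures: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each captured endpoint path to the list of headers it is missing."""
    return {path: missing_headers(parse_response_headers(raw)) for path, raw in captures.items()}

# Constructed sample captures (not real traffic): "/" carries the configured headers,
# the j_security_check redirect does not, as described in the report.
SAMPLE_CAPTURES = {
    "/": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
         "X-XSS-Protection: 1; mode=block\r\nX-Content-Type-Options: nosniff\r\n"
         "Strict-Transport-Security: max-age=31536000;includeSubDomains\r\n"
         "Content-Security-Policy: default-src https:; script-src 'unsafe-inline' https:; "
         "style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:\r\n\r\n",
    "/j_security_check": "HTTP/1.1 303 See Other\r\n"
                         "Location: https://node1.cluster.com:8047/\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    for path, missing in audit(SAMPLE_CAPTURES).items():
        print(f"{path}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

To run it against a live Drillbit, replace SAMPLE_CAPTURES with the response heads of the endpoints you want to check, for instance saved from the browser's network tab or from curl -D.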