This is an automated email from the ASF dual-hosted git repository.

mpapirkovskyy pushed a commit to branch branch-2.7
in repository https://gitbox.apache.org/repos/asf/ambari.git


The following commit(s) were added to refs/heads/branch-2.7 by this push:
     new e6b0838  AMBARI-25159. http.strict-transport-security change does not 
take affect in 2.7.x. (mpapirkovskyy) (#2861)
e6b0838 is described below

commit e6b0838ba1853152a2849be8705be1aff669349e
Author: Myroslav Papirkovskyi <mpapirkovs...@apache.org>
AuthorDate: Tue Mar 12 23:42:02 2019 +0200

    AMBARI-25159. http.strict-transport-security change does not take affect in 
2.7.x. (mpapirkovskyy) (#2861)
---
 .../apache/ambari/server/configuration/spring/ApiSecurityConfig.java   | 3 ++-
 .../main/java/org/apache/ambari/server/controller/AmbariServer.java    | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/configuration/spring/ApiSecurityConfig.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/configuration/spring/ApiSecurityConfig.java
index c551e5e..06a0ee1 100644
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/configuration/spring/ApiSecurityConfig.java
+++ 
b/ambari-server/src/main/java/org/apache/ambari/server/configuration/spring/ApiSecurityConfig.java
@@ -89,7 +89,8 @@ public class ApiSecurityConfig extends 
WebSecurityConfigurerAdapter{
     http.csrf().disable()
         .authorizeRequests().anyRequest().authenticated()
         .and()
-        .headers().frameOptions().disable().and()
+        .headers().httpStrictTransportSecurity().disable()
+        .frameOptions().disable().and()
         .exceptionHandling().authenticationEntryPoint(ambariEntryPoint)
         .and()
         .addFilterBefore(guiceBeansConfig.ambariUserAuthorizationFilter(), 
BasicAuthenticationFilter.class)
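Review bot: The added `.headers().httpStrictTransportSecurity().disable()` line carries no comment explaining why a security header is switched off, so it reads like a regression and a later hardening pass could well revert it. Judging by the commit title, the intent is presumably that Spring Security's built-in HSTS writer should not override the value taken from Ambari's `http.strict-transport-security` property. If so, record that above the line, for example `// Spring's default HSTS writer is disabled; the header comes from the http.strict-transport-security setting instead`. After this change nothing in this chain sets HSTS, so it is worth confirming that whatever emits the configured header covers every path this filter chain serves. The enclosing configure method starts and ends outside the hunk.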
diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
index aa2c771..530ddc3 100644
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
+++ 
b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
@@ -670,6 +670,7 @@ public class AmbariServer {
     ServerConnector apiConnector;
 
     HttpConfiguration http_config = new HttpConfiguration();
+    http_config.addCustomizer(new SecureRequestCustomizer());
     http_config.setRequestHeaderSize(configs.getHttpRequestHeaderSize());
     http_config.setResponseHeaderSize(configs.getHttpResponseHeaderSize());
     http_config.setSendServerVersion(false);
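Review bot: `http_config.addCustomizer(new SecureRequestCustomizer());` is added with the customizer's defaults and no comment, and the hunk does not show whether `apiConnector` ends up as a TLS or a plain connector. If the purpose is to have TLS requests reported as secure to the servlet layer so that the HSTS logic applies (inferred from the commit title), a short comment such as `// marks TLS requests as secure so header logic keyed on isSecure() runs` would record that. The default constructor also brings the customizer's own behaviour, which in some Jetty versions includes SNI host checking. Deployments whose certificate does not match the hostname clients use could then see requests rejected, so consider setting `setSniHostCheck(...)` explicitly and mentioning it in the upgrade notes. The surrounding method continues outside the hunk.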
