Repository: hive Updated Branches: refs/heads/master 26753ade2 -> 2902c7cc2
HIVE-17679: http-generic-click-jacking for WebHcat server (Aihua Xu reviewed by Yongzhi Chen)
Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/2902c7cc
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/2902c7cc
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/2902c7cc
Branch: refs/heads/master
Commit: 2902c7cc2ab20525139cafa8c594a09fb6c499f9
Parents: 26753ad
Author: Aihua Xu <aihu...@apache.org>
Authored: Tue Oct 3 09:44:07 2017 -0700
Committer: Aihua Xu <aihu...@apache.org>
Committed: Thu Oct 5 14:59:14 2017 -0700
----------------------------------------------------------------------
 .../svr/src/main/config/webhcat-default.xml | 8 ++++
 .../hive/hcatalog/templeton/AppConfig.java | 1 +
 .../apache/hive/hcatalog/templeton/Main.java | 43 ++++++++++++++++++++
 3 files changed, 52 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hive/blob/2902c7cc/hcatalog/webhcat/svr/src/main/config/webhcat-default.xml
----------------------------------------------------------------------
diff --git a/hcatalog/webhcat/svr/src/main/config/webhcat-default.xml b/hcatalog/webhcat/svr/src/main/config/webhcat-default.xml
index fa8dbf8..2de8525 100644
--- a/hcatalog/webhcat/svr/src/main/config/webhcat-default.xml
+++ b/hcatalog/webhcat/svr/src/main/config/webhcat-default.xml
@@ -371,4 +371,12 @@ in all PUT/POST requests, and rejects requests that do not have these.
 </description>
 </property>
+ <property>
+ <name>templeton.frame.options.filter</name>
+ <value>DENY</value>
+ <description>
+ X-Frame-Options is added in HTTP response header with this value to prevent
+ clickjacking attacks. Possible values are DENY, SAMEORIGIN, ALLOW-FROM uri.
+ </description>
+ </property>
 </configuration>
http://git-wip-us.apache.org/repos/asf/hive/blob/2902c7cc/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/AppConfig.java
----------------------------------------------------------------------
diff --git a/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/AppConfig.java b/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/AppConfig.java
index 0ea7d88..4232d4d 100644
--- a/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/AppConfig.java
+++ b/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/AppConfig.java
@@ -204,6 +204,7 @@ public class AppConfig extends Configuration {
 public static final String HIVE_EXTRA_FILES = "templeton.hive.extra.files";
 public static final String XSRF_FILTER_ENABLED = "templeton.xsrf.filter.enabled";
+ public static final String FRAME_OPTIONS_FILETER = "templeton.frame.options.filter";
 private static final Logger LOG = LoggerFactory.getLogger(AppConfig.class);
http://git-wip-us.apache.org/repos/asf/hive/blob/2902c7cc/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/Main.java
----------------------------------------------------------------------
diff --git a/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/Main.java b/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/Main.java
index 3ed3ece..02b9db9 100644
--- a/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/Main.java
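Review bot: The new description lists `ALLOW-FROM uri` as a usable value, but that token is not honored by current mainstream browsers (Chrome and Safari never implemented it, Firefox has removed it), so configuring it leaves the server with no framing protection at all; a browser that does not recognise an X-Frame-Options value simply ignores the header. Nothing visible in this commit validates the configured string either — the `init()` in the Main.java hunk below appears to pass it through verbatim — so a typo such as `SAMEORGIN` silently has the same fail-open effect. I would reword the description to `Possible values are DENY (default) and SAMEORIGIN. ALLOW-FROM is not supported by current browsers; to allow framing from a specific origin, use a Content-Security-Policy frame-ancestors directive instead.` Rejecting anything other than DENY/SAMEORIGIN at startup would be the matching code-side guard.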
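Review bot: The constant added to AppConfig is misspelled as `FRAME_OPTIONS_FILETER`; it is a public static field and is referenced from Main.java in the same commit, so this is the only cheap moment to fix it before anything else depends on the name. I would change the line to `public static final String FRAME_OPTIONS_FILTER = "templeton.frame.options.filter";` and update the three references in Main.java accordingly. A short comment would also help, since the neighbouring `XSRF_FILTER_ENABLED` is a boolean switch while this property holds the header value itself, e.g. `// value emitted in the X-Frame-Options header (DENY / SAMEORIGIN), not an on/off switch`.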
+++ b/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/Main.java
@@ -53,7 +53,15 @@ import org.eclipse.jetty.xml.XmlConfiguration;
 import org.slf4j.bridge.SLF4JBridgeHandler;
 import javax.servlet.DispatcherType;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.annotation.WebFilter;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 /**
 * The main executable that starts up and runs the Server.
@@ -213,6 +221,8 @@ public class Main {
 LOG.warn("XSRF filter disabled");
 }
+ root.addFilter(makeFrameOptionFilter(), "/" + SERVLET_PATH + "/*", dispatches);
+
 // Connect Jersey
 ServletHolder h = new ServletHolder(new ServletContainer(makeJerseyConfig()));
 root.addServlet(h, "/" + SERVLET_PATH + "/*");
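Review bot: `javax.servlet.annotation.WebFilter` is imported on one of the added lines but nothing in this commit uses it — the new `XFrameOptionsFilter` (in the hunk below) carries no annotation and is registered programmatically through `root.addFilter(...)` — so the import should be dropped; if the build runs an unused-import check it will flag it. The remaining added imports are all exercised by the new filter class.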
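Review bot: The filter is mapped only under `"/" + SERVLET_PATH + "/*"`, the same prefix as the Jersey servlet, so any response this Jetty context produces outside that prefix — a 404 for an unmapped path, or anything a future handler serves from the root — goes out without X-Frame-Options; mapping it to `"/*"` costs nothing and closes that gap, i.e. `root.addFilter(makeFrameOptionFilter(), "/*", dispatches);`. Whether `dispatches` (defined above the hunk, not visible here) includes `DispatcherType.ERROR` is not shown; if it does not, container-generated error pages under the prefix also bypass the filter and lose the header. It is good that, unlike the XSRF filter in the `if`/`else` just above, this one is registered unconditionally, so the protection is on by default rather than opt-in.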
@@ -259,6 +269,39 @@ public class Main {
 return authFilter;
 }
+ public FilterHolder makeFrameOptionFilter() {
+ FilterHolder frameOptionFilter = new FilterHolder(XFrameOptionsFilter.class);
+ frameOptionFilter.setInitParameter(AppConfig.FRAME_OPTIONS_FILETER, conf.get(AppConfig.FRAME_OPTIONS_FILETER));
+ return frameOptionFilter;
+ }
+
+ public static class XFrameOptionsFilter implements Filter {
+ private final static String defaultMode = "DENY";
+
+ private String mode = null;
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ mode = filterConfig.getInitParameter(AppConfig.FRAME_OPTIONS_FILETER);
+ if (mode == null) {
+ mode = defaultMode;
+ }
+ }
+
+ @Override
+ public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain)
+ throws IOException, ServletException {
+ final HttpServletResponse res = (HttpServletResponse) response;
+ res.setHeader("X-FRAME-OPTIONS", mode);
+ chain.doFilter(request, response);
+ }
+
+ @Override
+ public void destroy() {
+ // do nothing
+ }
+ }
+
 public PackagesResourceConfig makeJerseyConfig() {
 PackagesResourceConfig rc = new PackagesResourceConfig("org.apache.hive.hcatalog.templeton");