YARN-7338. Support same origin policy for cross site scripting prevention. (Sunil G via wangda)

2017-10-19 14:44:42 -07:00 · 2017-10-19 14:44:42 -07:00 · 298b174f66
parent 3dd3d1dd77
commit 298b174f66
1 changed files with 22 additions and 0 deletions
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApps.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApps.java
@ -401,6 +401,7 @@ public class WebApps {
      WebApp webApp = build(webapp);
      HttpServer2 httpServer = webApp.httpServer();
      if (ui2Context != null) {
+        addFiltersForNewContext(ui2Context);
        httpServer.addHandlerAtFront(ui2Context);
      }
      try {
@ -413,6 +414,27 @@ public class WebApps {
      return webApp;
    }

+    private void addFiltersForNewContext(WebAppContext ui2Context) {
+      Map<String, String> params = getConfigParameters(csrfConfigPrefix);
+
+      if (hasCSRFEnabled(params)) {
+        LOG.info("CSRF Protection has been enabled for the {} application. "
+            + "Please ensure that there is an authentication mechanism "
+            + "enabled (kerberos, custom, etc).", name);
+        String restCsrfClassName = RestCsrfPreventionFilter.class.getName();
+        HttpServer2.defineFilter(ui2Context, restCsrfClassName,
+            restCsrfClassName, params, new String[]{"/*"});
+      }
+
+      params = getConfigParameters(xfsConfigPrefix);
+
+      if (hasXFSEnabled()) {
+        String xfsClassName = XFrameOptionsFilter.class.getName();
+        HttpServer2.defineFilter(ui2Context, xfsClassName, xfsClassName, params,
+            new String[]{"/*"});
+      }
+    }
+
    private String inferHostClass() {
      String thisClass = this.getClass().getName();
      Throwable t = new Throwable();