Apache
/
hadoop
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

YARN-7338. Support same origin policy for cross site scripting prevention. (Sunil G via wangda)

This commit is contained in:
Wangda Tan 2017-10-19 14:44:42 -07:00
parent 3dd3d1dd77
commit 298b174f66
1 changed files with 22 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApps.java
View File

@ -401,6 +401,7 @@ public class WebApps {
WebApp webApp = build(webapp); WebApp webApp = build(webapp);
HttpServer2 httpServer = webApp.httpServer(); HttpServer2 httpServer = webApp.httpServer();
if (ui2Context != null) { if (ui2Context != null) {
addFiltersForNewContext(ui2Context);
httpServer.addHandlerAtFront(ui2Context); httpServer.addHandlerAtFront(ui2Context);
} }
try { try {
@ -413,6 +414,27 @@ public class WebApps {
return webApp; return webApp;
} }
private void addFiltersForNewContext(WebAppContext ui2Context) {
Map<String, String> params = getConfigParameters(csrfConfigPrefix);
if (hasCSRFEnabled(params)) {
LOG.info("CSRF Protection has been enabled for the {} application. "
+ "Please ensure that there is an authentication mechanism "
+ "enabled (kerberos, custom, etc).", name);
String restCsrfClassName = RestCsrfPreventionFilter.class.getName();
HttpServer2.defineFilter(ui2Context, restCsrfClassName,
restCsrfClassName, params, new String[]{"/*"});
}
params = getConfigParameters(xfsConfigPrefix);
if (hasXFSEnabled()) {
String xfsClassName = XFrameOptionsFilter.class.getName();
HttpServer2.defineFilter(ui2Context, xfsClassName, xfsClassName, params,
new String[]{"/*"});
}
}
private String inferHostClass() { private String inferHostClass() {
String thisClass = this.getClass().getName(); String thisClass = this.getClass().getName();
Throwable t = new Throwable(); Throwable t = new Throwable();