HBASE-19352 Port HADOOP-10379: Protect authentication cookies with the HttpOnly and Secure flags
Signed-off-by: Sean Busbey <busbey@apache.org>
This commit is contained in:
parent
17eeaef6d9
commit
800a4d9868
|
@ -857,6 +857,8 @@ public class HttpServer implements FilterContainer {
|
||||||
fmap.setFilterName(AdminAuthorizedFilter.class.getSimpleName());
|
fmap.setFilterName(AdminAuthorizedFilter.class.getSimpleName());
|
||||||
webAppContext.getServletHandler().addFilter(filter, fmap);
|
webAppContext.getServletHandler().addFilter(filter, fmap);
|
||||||
}
|
}
|
||||||
|
webAppContext.getSessionHandler().getSessionCookieConfig().setHttpOnly(true);
|
||||||
|
webAppContext.getSessionHandler().getSessionCookieConfig().setSecure(true);
|
||||||
webAppContext.addServlet(holder, pathSpec);
|
webAppContext.addServlet(holder, pathSpec);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,191 @@
|
||||||
|
/**
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License. See accompanying LICENSE file.
|
||||||
|
*/
|
||||||
|
package org.apache.hadoop.hbase.http;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
import java.io.File;
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.net.HttpURLConnection;
|
||||||
|
import java.net.HttpCookie;
|
||||||
|
import java.net.URI;
|
||||||
|
import java.net.URL;
|
||||||
|
import javax.net.ssl.HttpsURLConnection;
|
||||||
|
import javax.servlet.Filter;
|
||||||
|
import javax.servlet.FilterConfig;
|
||||||
|
import javax.servlet.FilterChain;
|
||||||
|
import javax.servlet.ServletRequest;
|
||||||
|
import javax.servlet.ServletResponse;
|
||||||
|
import javax.servlet.ServletException;
|
||||||
|
import javax.servlet.http.HttpServletResponse;
|
||||||
|
import java.security.GeneralSecurityException;
|
||||||
|
import org.apache.hadoop.hbase.HBaseClassTestRule;
|
||||||
|
import org.apache.hadoop.hbase.testclassification.MiscTests;
|
||||||
|
import org.apache.hadoop.hbase.testclassification.SmallTests;
|
||||||
|
import org.apache.hadoop.conf.Configuration;
|
||||||
|
import org.apache.hadoop.fs.FileUtil;
|
||||||
|
import org.apache.hadoop.net.NetUtils;
|
||||||
|
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
|
||||||
|
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
|
||||||
|
import org.apache.hadoop.security.ssl.SSLFactory;
|
||||||
|
|
||||||
|
import org.junit.Assert;
|
||||||
|
import org.junit.AfterClass;
|
||||||
|
import org.junit.BeforeClass;
|
||||||
|
import org.junit.ClassRule;
|
||||||
|
import org.junit.Test;
|
||||||
|
import org.junit.experimental.categories.Category;
|
||||||
|
|
||||||
|
@Category({ MiscTests.class, SmallTests.class})
|
||||||
|
public class TestHttpCookieFlag {
|
||||||
|
@ClassRule
|
||||||
|
public static final HBaseClassTestRule CLASS_RULE =
|
||||||
|
HBaseClassTestRule.forClass(TestHttpCookieFlag.class);
|
||||||
|
|
||||||
|
private static final String BASEDIR = System.getProperty("test.build.dir",
|
||||||
|
"target/test-dir") + "/" +
|
||||||
|
org.apache.hadoop.hbase.http.TestHttpCookieFlag.class.getSimpleName();
|
||||||
|
private static String keystoresDir;
|
||||||
|
private static String sslConfDir;
|
||||||
|
private static SSLFactory clientSslFactory;
|
||||||
|
private static HttpServer server;
|
||||||
|
|
||||||
|
public static class DummyAuthenticationFilter implements Filter {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void init(FilterConfig filterConfig) throws ServletException {
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void doFilter(ServletRequest request, ServletResponse response,
|
||||||
|
FilterChain chain) throws IOException,
|
||||||
|
ServletException {
|
||||||
|
HttpServletResponse resp = (HttpServletResponse) response;
|
||||||
|
boolean isHttps = "https".equals(request.getScheme());
|
||||||
|
AuthenticationFilter.createAuthCookie(resp, "token", null, null, -1,
|
||||||
|
true, isHttps);
|
||||||
|
chain.doFilter(request, resp);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void destroy() {
|
||||||
|
}
|
||||||
|
}
|
||||||
|
public static class DummyFilterInitializer extends FilterInitializer {
|
||||||
|
@Override
|
||||||
|
public void initFilter(FilterContainer container, Configuration conf) {
|
||||||
|
container.addFilter("DummyAuth", DummyAuthenticationFilter.class
|
||||||
|
.getName(), null);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@BeforeClass
|
||||||
|
public static void setUp() throws Exception {
|
||||||
|
Configuration conf = new Configuration();
|
||||||
|
conf.set(HttpServer.FILTER_INITIALIZERS_PROPERTY,
|
||||||
|
DummyFilterInitializer.class.getName());
|
||||||
|
conf.setInt("hbase.http.max.threads", 19); /* acceptors=2 + selectors=16 + request=1 */
|
||||||
|
System.setProperty("hadoop.log.dir", BASEDIR); /* needed for /logs */
|
||||||
|
|
||||||
|
File base = new File(BASEDIR);
|
||||||
|
FileUtil.fullyDelete(base);
|
||||||
|
base.mkdirs();
|
||||||
|
keystoresDir = new File(BASEDIR).getAbsolutePath();
|
||||||
|
sslConfDir = KeyStoreTestUtil.getClasspathDir(TestSSLHttpServer.class);
|
||||||
|
|
||||||
|
KeyStoreTestUtil.setupSSLConfig(keystoresDir, sslConfDir, conf, false);
|
||||||
|
Configuration sslConf = KeyStoreTestUtil.getSslConfig();
|
||||||
|
|
||||||
|
clientSslFactory = new SSLFactory(SSLFactory.Mode.CLIENT, sslConf);
|
||||||
|
clientSslFactory.init();
|
||||||
|
|
||||||
|
server = new HttpServer.Builder()
|
||||||
|
.setName("test")
|
||||||
|
.addEndpoint(new URI("http://localhost"))
|
||||||
|
.addEndpoint(new URI("https://localhost"))
|
||||||
|
.setConf(conf)
|
||||||
|
.keyPassword(sslConf.get("ssl.server.keystore.keypassword"))
|
||||||
|
.keyStore(sslConf.get("ssl.server.keystore.location"),
|
||||||
|
sslConf.get("ssl.server.keystore.password"),
|
||||||
|
sslConf.get("ssl.server.keystore.type", "jks"))
|
||||||
|
.trustStore(sslConf.get("ssl.server.truststore.location"),
|
||||||
|
sslConf.get("ssl.server.truststore.password"),
|
||||||
|
sslConf.get("ssl.server.truststore.type", "jks"))
|
||||||
|
.build();
|
||||||
|
server.addPrivilegedServlet("echo", "/echo", TestHttpServer.EchoServlet.class);
|
||||||
|
server.start();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testHttpCookie() throws IOException {
|
||||||
|
URL base = new URL("http://" + NetUtils.getHostPortString(server
|
||||||
|
.getConnectorAddress(0)));
|
||||||
|
HttpURLConnection conn = (HttpURLConnection) new URL(base,
|
||||||
|
"/echo").openConnection();
|
||||||
|
|
||||||
|
String header = conn.getHeaderField("Set-Cookie");
|
||||||
|
Assert.assertTrue(header != null);
|
||||||
|
List<HttpCookie> cookies = HttpCookie.parse(header);
|
||||||
|
Assert.assertTrue(!cookies.isEmpty());
|
||||||
|
Assert.assertTrue(header.contains("; HttpOnly"));
|
||||||
|
Assert.assertTrue("token".equals(cookies.get(0).getValue()));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testHttpsCookie() throws IOException, GeneralSecurityException {
|
||||||
|
URL base = new URL("https://" + NetUtils.getHostPortString(server
|
||||||
|
.getConnectorAddress(1)));
|
||||||
|
HttpsURLConnection conn = (HttpsURLConnection) new URL(base,
|
||||||
|
"/echo").openConnection();
|
||||||
|
conn.setSSLSocketFactory(clientSslFactory.createSSLSocketFactory());
|
||||||
|
|
||||||
|
String header = conn.getHeaderField("Set-Cookie");
|
||||||
|
Assert.assertTrue(header != null);
|
||||||
|
|
||||||
|
List<HttpCookie> cookies = HttpCookie.parse(header);
|
||||||
|
Assert.assertTrue(!cookies.isEmpty());
|
||||||
|
Assert.assertTrue(header.contains("; HttpOnly"));
|
||||||
|
Assert.assertTrue(cookies.get(0).getSecure());
|
||||||
|
Assert.assertTrue("token".equals(cookies.get(0).getValue()));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testHttpsCookieDefaultServlets() throws Exception {
|
||||||
|
HttpsURLConnection conn = null;
|
||||||
|
|
||||||
|
URL base = new URL("https://" + NetUtils.getHostPortString(server
|
||||||
|
.getConnectorAddress(1)) + "/");
|
||||||
|
|
||||||
|
for (String servlet : new String[] { "static", "stacks", "logLevel", "jmx", "logs" }) {
|
||||||
|
conn = (HttpsURLConnection) new URL(base,
|
||||||
|
"/" + servlet).openConnection();
|
||||||
|
conn.setSSLSocketFactory(clientSslFactory.createSSLSocketFactory());
|
||||||
|
|
||||||
|
String header = conn.getHeaderField("Set-Cookie");
|
||||||
|
Assert.assertTrue(header != null);
|
||||||
|
List<HttpCookie> cookies = HttpCookie.parse(header);
|
||||||
|
Assert.assertTrue(!cookies.isEmpty());
|
||||||
|
Assert.assertTrue(header.contains("; HttpOnly"));
|
||||||
|
Assert.assertTrue(cookies.get(0).getSecure());
|
||||||
|
Assert.assertTrue("token".equals(cookies.get(0).getValue()));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@AfterClass
|
||||||
|
public static void cleanup() throws Exception {
|
||||||
|
server.stop();
|
||||||
|
FileUtil.fullyDelete(new File(BASEDIR));
|
||||||
|
KeyStoreTestUtil.cleanupSSLConfig(keystoresDir, sslConfDir);
|
||||||
|
clientSslFactory.destroy();
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in New Issue