Posted to dev@drill.apache.org by "Dmytro Kondriukov (Jira)" <ji...@apache.org> on 2020/03/17 18:55:00 UTC

[jira] [Created] (DRILL-7648) Scrypt j_security_check works without security headers

Dmytro Kondriukov created DRILL-7648:
----------------------------------------

             Summary: Scrypt j_security_check works without security headers 
                 Key: DRILL-7648
                 URL: https://issues.apache.org/jira/browse/DRILL-7648
             Project: Apache Drill
          Issue Type: Bug
            Reporter: Dmytro Kondriukov


*Preconditions:*
drill-override.conf


{noformat}
drill.exec: {
  cluster-id: "drillbits1",
  zk.connect: "localhost:5181"
  impersonation: {
        enabled: true,
        max_chained_user_hops: 3
        },
    security: {
        auth.mechanisms : ["PLAIN"],
        },
    security.user.auth: {
    enabled: true,
    packages += "org.apache.drill.exec.rpc.user.security",
    impl: "pam4j",
    pam_profiles: [ "sudo", "login" ]
    }
  http: {
    ssl_enabled: true,
    jetty.server.response.headers: {
      "X-XSS-Protection": "1; mode=block",
      "X-Content-Type-Options": "nosniff",
      "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
      "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"
    }
  }
}
{noformat}


*Steps:*
1. Log in to the drillbit web UI
2. In the browser console, open the "Network" tab and check the headers of the resource https://node1.cluster.com:8047/j_security_check
3. Check the "Response Headers" section
*Expected result:* security headers are present
*Actual result:* security headers are absent

4. Check the "Form Data" section
*Expected result:* parameter "j_password" content is hidden
*Actual result:* parameter "j_password" content is visible
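A small checker for the behaviour the steps above describe, added here as an example; it is not part of this issue or of Apache Drill. It takes the header map declared under `jetty.server.response.headers` in the drill-override.conf above as the expected set and reports, per endpoint, which of those headers a response lacks or returns with a different value. The host `node1.cluster.com:8047` is the one from the report; the sample responses are constructed (a login page that carries the headers, a `j_security_check` redirect that carries none) so the script runs offline. Header names are compared case-insensitively, because HTTP header names are, and `http.client` is used instead of `urllib` so that the 302 from `j_security_check` is inspected directly rather than followed to the next page.

```python
"""Check that Drill web UI endpoints return the security headers declared
in drill-override.conf (http.jetty.server.response.headers).

Added example, not code from the Jira issue or from Apache Drill.
EXPECTED_HEADERS is copied from the report's config; the sample responses
and the sample_fetch() stand-in are constructed for illustration.
"""
import http.client
import ssl

# Headers declared in the report's drill-override.conf.
EXPECTED_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
    "Content-Security-Policy": (
        "default-src https:; script-src 'unsafe-inline' https:; "
        "style-src 'unsafe-inline' https:; font-src data: https:; "
        "img-src data: https:"
    ),
}


def audit_headers(response_headers, expected=EXPECTED_HEADERS):
    """Return {header: problem} for every expected header that is missing
    or has a different value. Names are lower-cased before comparison
    because HTTP header names are case-insensitive."""
    present = {name.lower(): value for name, value in response_headers.items()}
    problems = {}
    for name, want in expected.items():
        got = present.get(name.lower())
        if got is None:
            problems[name] = "missing"
        elif got.strip() != want.strip():
            problems[name] = f"unexpected value: {got!r}"
    return problems


def fetch_headers(host, path, method="GET", body=None, verify_tls=True):
    """Issue one request and return the response headers as a dict.
    http.client does not follow redirects, so the headers of the 302 that
    j_security_check itself returns are what gets inspected."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab cluster with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    extra = {"Content-Type": "application/x-www-form-urlencoded"} if body else {}
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=10)
    try:
        conn.request(method, path, body=body, headers=extra)
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


def audit_endpoints(host, paths, fetch=fetch_headers):
    """Audit every path on `host`; a failed request is reported per path
    instead of aborting the whole run."""
    results = {}
    for path in paths:
        try:
            results[path] = audit_headers(fetch(host, path))
        except OSError as exc:  # covers socket, TLS and HTTP-level errors
            results[path] = {"<request>": f"error: {exc}"}
    return results


# Constructed sample responses: the login page carries the configured
# headers (in lower case, as a server may emit them); the j_security_check
# redirect carries none, which is the behaviour the report describes.
SAMPLE_RESPONSES = {
    "/login": {
        "Content-Type": "text/html;charset=utf-8",
        "x-xss-protection": "1; mode=block",
        "x-content-type-options": "nosniff",
        "strict-transport-security": "max-age=31536000;includeSubDomains",
        "content-security-policy": EXPECTED_HEADERS["Content-Security-Policy"],
    },
    "/j_security_check": {
        "Location": "https://node1.cluster.com:8047/",
        "Content-Length": "0",
    },
}


def sample_fetch(host, path, method="GET", body=None):
    """Stand-in for fetch_headers() that serves the constructed responses."""
    return SAMPLE_RESPONSES[path]


if __name__ == "__main__":
    host = "node1.cluster.com:8047"  # host named in the report
    report = audit_endpoints(host, list(SAMPLE_RESPONSES), fetch=sample_fetch)
    for path, problems in report.items():
        detail = ", ".join(f"{k}: {v}" for k, v in problems.items()) or "OK"
        print(f"{path}: {detail}")
```

Against a live drillbit, call `audit_endpoints(host, paths)` with the default `fetch_headers`; for `j_security_check` specifically, pass `method="POST"` and a form body with test credentials through `fetch_headers`, or feed the headers captured in the browser's Network tab straight into `audit_headers()`.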



--
This message was sent by Atlassian Jira
(v8.3.4#803005)