Posted to dev@drill.apache.org by "Dmytro Kondriukov (Jira)" <ji...@apache.org> on 2020/03/17 18:55:00 UTC
[jira] [Created] (DRILL-7648) Scrypt j_security_check works without security headers
Dmytro Kondriukov created DRILL-7648:
----------------------------------------
Summary: Scrypt j_security_check works without security headers
Key: DRILL-7648
URL: https://issues.apache.org/jira/browse/DRILL-7648
Project: Apache Drill
Issue Type: Bug
Reporter: Dmytro Kondriukov
*Preconditions:*
drill-override.conf
{noformat}
drill.exec: {
  cluster-id: "drillbits1",
  zk.connect: "localhost:5181"
  impersonation: {
    enabled: true,
    max_chained_user_hops: 3
  },
  security: {
    auth.mechanisms : ["PLAIN"],
  },
  security.user.auth: {
    enabled: true,
    packages += "org.apache.drill.exec.rpc.user.security",
    impl: "pam4j",
    pam_profiles: [ "sudo", "login" ]
  }
  http: {
    ssl_enabled: true,
    jetty.server.response.headers: {
      "X-XSS-Protection": "1; mode=block",
      "X-Content-Type-Options": "nosniff",
      "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
      "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"
    }
  }
}
{noformat}
*Steps:*
1. Log in to the drillbit web UI.
2. In the browser developer console, open the "Network" tab and select the request to https://node1.cluster.com:8047/j_security_check
3. Check the "Response Headers" section.
*Expected result:* the security headers are present
*Actual result:* the security headers are absent
4. Check the "Form Data" section.
*Expected result:* the content of parameter "j_password" is hidden
*Actual result:* the content of parameter "j_password" is visible
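As an added example (not part of the report or of Drill itself), a small checker that parses a captured response from /j_security_check and lists which of the headers configured above are absent or carry a different value; both raw responses below are constructed samples with a placeholder session id, and the hostname is the one used in the steps.

```python
from email import message_from_string

# The four headers from the drill-override.conf in this report.
EXPECTED_HEADERS: dict[str, str] = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
    "Content-Security-Policy": ("default-src https:; script-src 'unsafe-inline' https:; "
                                "style-src 'unsafe-inline' https:; font-src data: https:; "
                                "img-src data: https:"),
}

def parse_raw_response(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.1 response into its status line and a lower-cased header map."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    msg = message_from_string(header_block)  # HTTP header syntax parses as RFC 822 headers
    return status_line, {name.lower(): value.strip() for name, value in msg.items()}

def missing_security_headers(raw: str, expected: dict[str, str] = EXPECTED_HEADERS) -> list[str]:
    """Configured headers that are absent from the response or carry a different value.
    Names compare case-insensitively; values compare with internal whitespace folded."""
    _, headers = parse_raw_response(raw)
    fold = lambda s: " ".join(s.split())
    return [name for name, want in expected.items()
            if name.lower() not in headers or fold(headers[name.lower()]) != fold(want)]

# Constructed sample (placeholder session id): FORM-auth redirect with none of the headers, as reported.
UNPROTECTED_RESPONSE = "\r\n".join([
    "HTTP/1.1 302 Found",
    "Location: https://node1.cluster.com:8047/",
    "Set-Cookie: JSESSIONID=<placeholder>; Path=/; Secure; HttpOnly",
    "Content-Length: 0", "", "",
])

# Constructed sample: the same redirect once the configured headers are applied.
PROTECTED_RESPONSE = "\r\n".join([
    "HTTP/1.1 302 Found",
    "Location: https://node1.cluster.com:8047/",
    "x-xss-protection: 1; mode=block",  # lower-cased on purpose: must still be accepted
    "X-Content-Type-Options: nosniff",
    "Strict-Transport-Security: max-age=31536000;includeSubDomains",
    "Content-Security-Policy: " + EXPECTED_HEADERS["Content-Security-Policy"],
    "Content-Length: 0", "", "",
])

if __name__ == "__main__":
    for label, resp in (("unprotected", UNPROTECTED_RESPONSE), ("protected", PROTECTED_RESPONSE)):
        print(label, "missing:", missing_security_headers(resp) or "none")
```

To run it against a live drillbit, paste the raw response captured in the browser's Network tab (or from a TLS client of your choice) into the place of the constructed samples.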
--
This message was sent by Atlassian Jira
(v8.3.4#803005)