Posted to commits@zeppelin.apache.org by mo...@apache.org on 2017/09/29 04:38:40 UTC
zeppelin git commit: [MINOR] Updated shiro.ini.template to include secure cookie option
Repository: zeppelin
Updated Branches:
refs/heads/master 009184985 -> 2437c8029
[MINOR] Updated shiro.ini.template to include secure cookie option
### What is this PR for?
Based on the discussion in https://github.com/apache/zeppelin/pull/2545, I'm updating the shiro.ini.template to include a secure cookie option. With this change, Zeppelin Shiro will always set the 'HttpOnly' flag in the cookie. This will help to prevent the majority of cross-site scripting (XSS) attacks.
### What type of PR is it?
Minor Improvement
### What is the Jira issue?
Minor change in shiro.ini
### How should this be tested?
CI tests should pass
### Questions:
* Do the license files need updating? No
* Are there breaking changes for older versions? No
* Does this need documentation? Doc changes already done in https://github.com/apache/zeppelin/pull/2545
Author: Vipin Rathor <v....@gmail.com>
Closes #2550 from VipinRathor/fix-shiro-template and squashes the following commits:
6339243 [Vipin Rathor] Commenting out secure flag for Zeppelin cookies in shiro.ini.template. Added description as well.
1da09cf [Vipin Rathor] [MINOR] Updated shiro.init.template to include secure cookie option
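The commit message above describes the intended outcome (a session cookie that always carries HttpOnly, and Secure once the operator uncomments one line). The following is an added example, not Zeppelin or Shiro code, showing how a defender can verify that outcome from two sides: a small RFC 6265 Set-Cookie parser that audits the headers a running server actually emits, and a reader for shiro.ini-style `[main]` lines that reports which cookie flags a template fragment explicitly sets. The sample headers and the ini fragment are constructed for the example; the ini reader only reports explicit `cookie.httpOnly` / `cookie.secure` settings and does not model Shiro's own defaults.

```python
"""Audit session-cookie flags: from live Set-Cookie headers and from a shiro.ini fragment.

Added example (not Zeppelin's or Shiro's code). Assumes only the Set-Cookie
syntax of RFC 6265 and the `key = value` line format of shiro.ini [main].
"""
from typing import Dict, List, Optional, Tuple, Union

Attrs = Dict[str, Union[str, bool]]


def parse_set_cookie(header: str) -> Dict[str, Union[str, Attrs]]:
    """Split one Set-Cookie header value into name, value and attributes.

    Attribute names are lowercased; flag attributes (HttpOnly, Secure) map to
    True, valued attributes (Path, Max-Age, ...) map to their string value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_session_cookie(
    set_cookie_headers: List[str],
    session_name: str = "JSESSIONID",
    over_https: bool = True,
) -> List[Tuple[str, str]]:
    """Return (cookie name, missing flag) pairs for the session cookie.

    HttpOnly is always expected. Secure is expected only when the service is
    reached over HTTPS, mirroring the template's "uncomment only over HTTPS" note.
    """
    findings: List[Tuple[str, str]] = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] != session_name:
            continue
        attrs = cookie["attrs"]
        if "httponly" not in attrs:
            findings.append((session_name, "HttpOnly"))
        if over_https and "secure" not in attrs:
            findings.append((session_name, "Secure"))
    return findings


def shiro_cookie_flags(ini_text: str) -> Dict[str, Optional[bool]]:
    """Report the cookie flags a shiro.ini [main] fragment sets explicitly.

    None means the key is absent or commented out (a leading '#' or ';'),
    which is exactly the state of `cookie.secure` in the shipped template.
    """
    flags: Dict[str, Optional[bool]] = {"httpOnly": None, "secure": None}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank or commented line: setting not in effect
        key, _, val = line.partition("=")
        key, val = key.strip(), val.strip().lower()
        if key == "cookie.httpOnly":
            flags["httpOnly"] = val == "true"
        elif key == "cookie.secure":
            flags["secure"] = val == "true"
    return flags


# Constructed sample inputs (not captured from a real Zeppelin instance).
HEADERS_BEFORE_CHANGE = ["JSESSIONID=abc123; Path=/"]
HEADERS_AFTER_CHANGE = ["JSESSIONID=abc123; Path=/; HttpOnly"]
HEADERS_HTTPS_HARDENED = ["JSESSIONID=abc123; Path=/; HttpOnly; Secure"]

TEMPLATE_FRAGMENT = """\
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = JSESSIONID
cookie.httpOnly = true
### Uncomment the below line only when Zeppelin is running over HTTPS
#cookie.secure = true
sessionManager.sessionIdCookie = $cookie
"""

if __name__ == "__main__":
    for label, headers in [("before", HEADERS_BEFORE_CHANGE),
                           ("after", HEADERS_AFTER_CHANGE),
                           ("https-hardened", HEADERS_HTTPS_HARDENED)]:
        print(label, audit_session_cookie(headers, over_https=True))
    print("template sets:", shiro_cookie_flags(TEMPLATE_FRAGMENT))
```

Run against a real deployment, the header list would come from the response to the login request; the useful signal is that `audit_session_cookie` still reports a missing Secure flag for the template as shipped, which is the reason the commented-out `cookie.secure` line deserves a deployment checklist entry.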
Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/2437c802
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/2437c802
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/2437c802
Branch: refs/heads/master
Commit: 2437c8029c1f84460932ec65833ada356c3fc461
Parents: 0091849
Author: Vipin Rathor <v....@gmail.com>
Authored: Fri Aug 25 00:26:05 2017 -0700
Committer: Lee moon soo <mo...@apache.org>
Committed: Thu Sep 28 21:38:36 2017 -0700
----------------------------------------------------------------------
conf/shiro.ini.template | 8 ++++++++
1 file changed, 8 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/zeppelin/blob/2437c802/conf/shiro.ini.template
----------------------------------------------------------------------
diff --git a/conf/shiro.ini.template b/conf/shiro.ini.template
index 06ad971..756ba79 100644
--- a/conf/shiro.ini.template
+++ b/conf/shiro.ini.template
@@ -62,6 +62,14 @@ sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
#cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
#securityManager.cacheManager = $cacheManager
+### Enables 'HttpOnly' flag in Zeppelin cookies
+cookie = org.apache.shiro.web.servlet.SimpleCookie
+cookie.name = JSESSIONID
+cookie.httpOnly = true
+### Uncomment the below line only when Zeppelin is running over HTTPS
+#cookie.secure = true
+sessionManager.sessionIdCookie = $cookie
+
securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
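Review bot: the section header `### Enables 'HttpOnly' flag in Zeppelin cookies` names only HttpOnly, while the block also introduces the commented-out `#cookie.secure = true`; with the line shipped commented out, a deployment that is served over HTTPS but never revisits this block gets a JSESSIONID cookie with HttpOnly but without Secure. Suggest the header and the "Uncomment the below line only when Zeppelin is running over HTTPS" comment state the consequence explicitly (without Secure the session cookie can be sent over plain HTTP), so that operators enabling TLS know this line is part of the change. Minor: `cookie.name = JSESSIONID` re-declares the servlet container's default session cookie name, which is fine, but a one-line comment saying so would save the next reader a lookup.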