Posted to common-issues@hadoop.apache.org by "Hadoop QA (JIRA)" <ji...@apache.org> on 2015/04/29 17:30:08 UTC

[jira] [Commented] (HADOOP-11677) Missing secure session attributed for log and static contexts

    [ https://issues.apache.org/jira/browse/HADOOP-11677?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14519557#comment-14519557 ] 

Hadoop QA commented on HADOOP-11677:
------------------------------------

\\
\\
| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | pre-patch |  14m 34s | Pre-patch trunk compilation is healthy. |
| {color:green}+1{color} | @author |   0m  0s | The patch does not contain any @author tags. |
| {color:red}-1{color} | tests included |   0m  0s | The patch doesn't appear to include any new or modified tests.  Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. |
| {color:green}+1{color} | whitespace |   0m  0s | The patch has no lines that end in whitespace. |
| {color:red}-1{color} | javac |   0m 35s | The patch appears to cause the build to fail. |
\\
\\
|| Subsystem || Report/Notes ||
| Patch URL | http://issues.apache.org/jira/secure/attachment/12729185/HADOOP-11677.1.patch |
| Optional Tests | javadoc javac unit findbugs checkstyle |
| git revision | trunk / 8f82970 |
| Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/6214/console |


This message was automatically generated.

> Missing secure session attributed for log and static contexts
> -------------------------------------------------------------
>
>                 Key: HADOOP-11677
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11677
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: nijel
>            Assignee: nijel
>         Attachments: 001-HADOOP-11677.patch, HADOOP-11677.1.patch
>
>
> In HTTPServer2.java for the default context the secure attributes are set.
> {code}
> SessionManager sm = webAppContext.getSessionHandler().getSessionManager();
> if (sm instanceof AbstractSessionManager) {
>   AbstractSessionManager asm = (AbstractSessionManager)sm;
>   asm.setHttpOnly(true);
>   asm.setSecureCookies(true);
> }
> {code}
> But when the contexts are created for /logs and /static, new contexts are created and the session handler is assigned as null.
> Here also the secure attributes need to be set.
> Is it not done intentionally? Please give your thoughts.
> Background
> Trying to add a login action for HTTP pages. After this, when a security test tool is used, it reports errors for these 2 URLs (/logs and /static).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
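
Added example (not part of the original message or of the Hadoop patch): a small Python check of the kind a security test tool performs, reporting which context paths issue a cookie without the HttpOnly or Secure attribute. The header values, cookie names and function names are constructed for illustration.

```python
"""Audit Set-Cookie headers per web context for HttpOnly and Secure."""

# Constructed sample data: Set-Cookie header values recorded per context path.
# The default context carries both attributes; /logs and /static do not.
SAMPLE_RESPONSES = {
    "/": ["JSESSIONID=abc123;Path=/;Secure;HttpOnly"],
    "/logs": ["JSESSIONID=def456;Path=/logs"],
    "/static": ["JSESSIONID=ghi789; Path=/static; HTTPONLY"],
}

REQUIRED = ("httponly", "secure")


def parse_set_cookie(value):
    """Return (cookie_name, set of lower-cased attribute names)."""
    first, *rest = value.split(";")
    name = first.split("=", 1)[0].strip()
    # Attribute names are case-insensitive; only the name before '=' matters.
    attrs = {p.split("=", 1)[0].strip().lower() for p in rest if p.strip()}
    return name, attrs


def audit(responses):
    """Map each context path to a list of (cookie, missing attributes)."""
    findings = {}
    for path, headers in responses.items():
        for header in headers:
            name, attrs = parse_set_cookie(header)
            missing = [a for a in REQUIRED if a not in attrs]
            if missing:
                findings.setdefault(path, []).append((name, missing))
    return findings


if __name__ == "__main__":
    for path, items in sorted(audit(SAMPLE_RESPONSES).items()):
        for name, missing in items:
            print(f"{path}: cookie {name} is missing {', '.join(missing)}")
```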