Posted to commits@ambari.apache.org by mp...@apache.org on 2013/11/14 19:43:03 UTC

git commit: AMBARI-3766. Make backend changes for CSRF prevention. (mpapirkovskyy)

Updated Branches:
  refs/heads/trunk a4bd8e367 -> 2dc3e3e91


AMBARI-3766. Make backend changes for CSRF prevention. (mpapirkovskyy)


Project: http://git-wip-us.apache.org/repos/asf/incubator-ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ambari/commit/2dc3e3e9
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ambari/tree/2dc3e3e9
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ambari/diff/2dc3e3e9

Branch: refs/heads/trunk
Commit: 2dc3e3e91dcb3ceb44130f8eb6a97915038ff222
Parents: a4bd8e3
Author: Myroslav Papirkovskyy <mp...@hortonworks.com>
Authored: Thu Nov 14 18:26:57 2013 +0200
Committer: Myroslav Papirkovskyy <mp...@hortonworks.com>
Committed: Thu Nov 14 20:42:24 2013 +0200

----------------------------------------------------------------------
 .../ambari/server/configuration/Configuration.java       | 11 +++++++++++
 .../apache/ambari/server/controller/AmbariServer.java    |  6 ++++--
 2 files changed, 15 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/2dc3e3e9/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
index cf749a9..027f585 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -57,6 +57,7 @@ public class Configuration {
   public static final String BOOTSTRAP_MASTER_HOSTNAME = "bootstrap.master_host_name";
   public static final String API_AUTHENTICATE = "api.authenticate";
   public static final String API_USE_SSL = "api.ssl";
+  public static final String API_CSRF_PREVENTION_KEY = "api.csrfPrevention.enabled";
   public static final String SRVR_TWO_WAY_SSL_KEY = "security.server.two_way_ssl";
   public static final String SRVR_TWO_WAY_SSL_PORT_KEY = "security.server.two_way_ssl.port";
   public static final String SRVR_ONE_WAY_SSL_PORT_KEY = "security.server.one_way_ssl.port";
@@ -198,6 +199,8 @@ public class Configuration {
   public static final String CLIENT_API_SSL_KEY_NAME_DEFAULT = "https.key";
   public static final String CLIENT_API_SSL_CRT_NAME_DEFAULT = "https.crt";
 
+  private static final String API_CSRF_PREVENTION_DEFAULT = "false"; //TODO should be set to true for release
+
   private static final String SRVR_CRT_PASS_FILE_DEFAULT ="pass.txt";
   private static final String SRVR_CRT_PASS_LEN_DEFAULT = "50";
   private static final String PASSPHRASE_ENV_DEFAULT = "AMBARI_PASSPHRASE";
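Review bot: The added `API_CSRF_PREVENTION_DEFAULT = "false"` means the CSRF filter stays off on every deployment that does not explicitly set `api.csrfPrevention.enabled`, and the only record of the intended release value is the trailing TODO on that line. A TODO buried in a constant initializer is easy to ship; at minimum it should name the tracking ticket so the flip is not forgotten, e.g. `private static final String API_CSRF_PREVENTION_DEFAULT = "false"; // TODO(AMBARI-<ticket>): default to "true" before release`. If the default is kept at "false" for now, the property should also be documented in the server's configuration reference so operators know the protection exists and is opt-in.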
@@ -494,6 +497,14 @@ public class Configuration {
   }
 
   /**
+   * Checks if CSRF protection enabled
+   * @return true if CSRF protection filter should be enabled
+   */
+  public boolean csrfProtectionEnabled() {
+    return "true".equalsIgnoreCase(properties.getProperty(API_CSRF_PREVENTION_KEY, API_CSRF_PREVENTION_DEFAULT));
+  }
+
+  /**
    * Gets client security type
    * @return appropriate ClientSecurityType
    */
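Review bot: The Javadoc on `csrfProtectionEnabled` does not say which property it reads or what happens when it is unset, which is the first thing an operator enabling the filter will look for. Suggest replacing the two comment lines with `Checks whether the CSRF-prevention request filter should be installed; reads {@value #API_CSRF_PREVENTION_KEY} and treats only a case-insensitive "true" as enabled (any other value, including the current default, leaves it off).` A minor naming point: the property key says `csrfPrevention` while the accessor says `csrfProtection`; using one term for both would make the setting easier to find by grep.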

http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/2dc3e3e9/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
index 274647d..24e09bc 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
@@ -27,7 +27,6 @@ import java.util.Map;
 import org.apache.ambari.eventdb.webservice.WorkflowJsonService;
 import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.actionmanager.ActionManager;
-import org.apache.ambari.server.actionmanager.ExecutionCommandWrapper;
 import org.apache.ambari.server.agent.HeartBeatHandler;
 import org.apache.ambari.server.agent.rest.AgentResource;
 import org.apache.ambari.server.api.AmbariPersistFilter;
@@ -42,7 +41,6 @@ import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.configuration.ComponentSSLConfiguration;
 import org.apache.ambari.server.orm.GuiceJpaInitializer;
 import org.apache.ambari.server.orm.PersistenceType;
-import org.apache.ambari.server.orm.dao.HostRoleCommandDAO;
 import org.apache.ambari.server.orm.dao.MetainfoDAO;
 import org.apache.ambari.server.resources.ResourceManager;
 import org.apache.ambari.server.resources.api.rest.GetResource;
@@ -253,6 +251,10 @@ public class AmbariServer {
               "org.apache.ambari.server.api");
       sh.setInitParameter("com.sun.jersey.api.json.POJOMappingFeature",
           "true");
+      if (configs.csrfProtectionEnabled()) {
+        sh.setInitParameter("com.sun.jersey.spi.container.ContainerRequestFilters",
+            "com.sun.jersey.api.container.filter.CsrfProtectionFilter");
+      }
       root.addServlet(sh, "/api/v1/*");
       sh.setInitOrder(2);