Posted to commits@ambari.apache.org by mp...@apache.org on 2013/11/14 19:43:03 UTC
git commit: AMBARI-3766. Make backend changes for CSRF prevention.
(mpapirkovskyy)
Updated Branches:
refs/heads/trunk a4bd8e367 -> 2dc3e3e91
AMBARI-3766. Make backend changes for CSRF prevention. (mpapirkovskyy)
Project: http://git-wip-us.apache.org/repos/asf/incubator-ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ambari/commit/2dc3e3e9
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ambari/tree/2dc3e3e9
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ambari/diff/2dc3e3e9
Branch: refs/heads/trunk
Commit: 2dc3e3e91dcb3ceb44130f8eb6a97915038ff222
Parents: a4bd8e3
Author: Myroslav Papirkovskyy <mp...@hortonworks.com>
Authored: Thu Nov 14 18:26:57 2013 +0200
Committer: Myroslav Papirkovskyy <mp...@hortonworks.com>
Committed: Thu Nov 14 20:42:24 2013 +0200
----------------------------------------------------------------------
.../ambari/server/configuration/Configuration.java | 11 +++++++++++
.../apache/ambari/server/controller/AmbariServer.java | 6 ++++--
2 files changed, 15 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/2dc3e3e9/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
index cf749a9..027f585 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -57,6 +57,7 @@ public class Configuration {
public static final String BOOTSTRAP_MASTER_HOSTNAME = "bootstrap.master_host_name";
public static final String API_AUTHENTICATE = "api.authenticate";
public static final String API_USE_SSL = "api.ssl";
+ public static final String API_CSRF_PREVENTION_KEY = "api.csrfPrevention.enabled";
public static final String SRVR_TWO_WAY_SSL_KEY = "security.server.two_way_ssl";
public static final String SRVR_TWO_WAY_SSL_PORT_KEY = "security.server.two_way_ssl.port";
public static final String SRVR_ONE_WAY_SSL_PORT_KEY = "security.server.one_way_ssl.port";
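Review bot: The new key `api.csrfPrevention.enabled` on the added line is the only property in this list with a camelCase segment; its neighbours (`api.authenticate`, `api.ssl`, `security.server.two_way_ssl`) are all lower-case with underscores, so an operator who follows the sibling convention in ambari.properties could write `api.csrf_prevention.enabled` and have it silently ignored. Consider `public static final String API_CSRF_PREVENTION_KEY = "api.csrf_prevention.enabled";` for consistency, or document the exact spelling at the point where the key is consumed. Renaming a configuration key is cheap before this ships and costly afterwards.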
@@ -198,6 +199,8 @@ public class Configuration {
public static final String CLIENT_API_SSL_KEY_NAME_DEFAULT = "https.key";
public static final String CLIENT_API_SSL_CRT_NAME_DEFAULT = "https.crt";
+ private static final String API_CSRF_PREVENTION_DEFAULT = "false"; //TODO should be set to true for release
+
private static final String SRVR_CRT_PASS_FILE_DEFAULT ="pass.txt";
private static final String SRVR_CRT_PASS_LEN_DEFAULT = "50";
private static final String PASSPHRASE_ENV_DEFAULT = "AMBARI_PASSPHRASE";
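Review bot: The added `API_CSRF_PREVENTION_DEFAULT = "false"` is a fail-open default: any deployment whose ambari.properties lacks the key runs the REST API without the CSRF filter, and the TODO on the same line defers the flip to an unspecified release step that is easy to lose. The safer shape is `private static final String API_CSRF_PREVENTION_DEFAULT = "true";` with a one-line Javadoc such as `/** Default for the CSRF-prevention property; protection is on unless explicitly disabled. */`. If it must stay off during development, the bundled ambari.properties should set the key explicitly so this default never decides, and the TODO should name the tracking JIRA so it is not forgotten.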
@@ -494,6 +497,14 @@ public class Configuration {
}
/**
+ * Checks if CSRF protection enabled
+ * @return true if CSRF protection filter should be enabled
+ */
+ public boolean csrfProtectionEnabled() {
+ return "true".equalsIgnoreCase(properties.getProperty(API_CSRF_PREVENTION_KEY, API_CSRF_PREVENTION_DEFAULT));
+ }
+
+ /**
* Gets client security type
* @return appropriate ClientSecurityType
*/
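Review bot: `csrfProtectionEnabled()` compares the raw property value with `equalsIgnoreCase`, so a value like `true ` with trailing whitespace in ambari.properties (which `Properties.load` preserves) evaluates to false and disables a security control with no error or warning. Trim before comparing: `return "true".equalsIgnoreCase(properties.getProperty(API_CSRF_PREVENTION_KEY, API_CSRF_PREVENTION_DEFAULT).trim());`. The Javadoc should also state the fallback so readers do not have to chase the constant: `@return true if the CSRF protection filter should be enabled; falls back to API_CSRF_PREVENTION_DEFAULT when the property is absent`. The `properties` field this method reads is declared outside the hunk.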
http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/2dc3e3e9/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
index 274647d..24e09bc 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
@@ -27,7 +27,6 @@ import java.util.Map;
import org.apache.ambari.eventdb.webservice.WorkflowJsonService;
import org.apache.ambari.server.AmbariException;
import org.apache.ambari.server.actionmanager.ActionManager;
-import org.apache.ambari.server.actionmanager.ExecutionCommandWrapper;
import org.apache.ambari.server.agent.HeartBeatHandler;
import org.apache.ambari.server.agent.rest.AgentResource;
import org.apache.ambari.server.api.AmbariPersistFilter;
@@ -42,7 +41,6 @@ import org.apache.ambari.server.configuration.Configuration;
import org.apache.ambari.server.configuration.ComponentSSLConfiguration;
import org.apache.ambari.server.orm.GuiceJpaInitializer;
import org.apache.ambari.server.orm.PersistenceType;
-import org.apache.ambari.server.orm.dao.HostRoleCommandDAO;
import org.apache.ambari.server.orm.dao.MetainfoDAO;
import org.apache.ambari.server.resources.ResourceManager;
import org.apache.ambari.server.resources.api.rest.GetResource;
@@ -253,6 +251,10 @@ public class AmbariServer {
"org.apache.ambari.server.api");
sh.setInitParameter("com.sun.jersey.api.json.POJOMappingFeature",
"true");
+ if (configs.csrfProtectionEnabled()) {
+ sh.setInitParameter("com.sun.jersey.spi.container.ContainerRequestFilters",
+ "com.sun.jersey.api.container.filter.CsrfProtectionFilter");
+ }
root.addServlet(sh, "/api/v1/*");
sh.setInitOrder(2);
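Review bot: When `configs.csrfProtectionEnabled()` is false the added `if` block does nothing, so with the default this commit ships the `/api/v1/*` servlet starts without the CSRF filter and leaves no trace in the log, giving operators no way to notice the control is off. Add an else branch that records the state at startup, e.g. `} else { LOG.warn("CSRF protection for /api/v1 is disabled (" + Configuration.API_CSRF_PREVENTION_KEY + "=false)"); }`, assuming the class has a logger in scope (none is visible in this hunk). The filter is also named by a bare string; `CsrfProtectionFilter.class.getName()` would turn a missing or renamed Jersey class into a compile-time error instead of a startup failure. The enclosing method begins and ends outside this hunk.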