You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Haohui Mai (JIRA)" <ji...@apache.org> on 2015/11/23 04:51:11 UTC
[jira] [Updated] (HADOOP-11677) Add cookie flags for logs and
static contexts
[ https://issues.apache.org/jira/browse/HADOOP-11677?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Haohui Mai updated HADOOP-11677:
--------------------------------
Summary: Add cookie flags for logs and static contexts (was: Missing secure session attributed for log and static contexts)
> Add cookie flags for logs and static contexts
> ---------------------------------------------
>
> Key: HADOOP-11677
> URL: https://issues.apache.org/jira/browse/HADOOP-11677
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: nijel
> Assignee: nijel
> Labels: BB2015-05-TBR
> Attachments: 001-HADOOP-11677.patch, HADOOP-11677-2.patch, HADOOP-11677.1.patch
>
>
> In HTTPServer2.java for the default context the secure attributes are set.
> {code}
> SessionManager sm = webAppContext.getSessionHandler().getSessionManager();
> if (sm instanceof AbstractSessionManager) {
> AbstractSessionManager asm = (AbstractSessionManager)sm;
> asm.setHttpOnly(true);
> asm.setSecureCookies(true);
> }
> {code}
> But when the contexts are created for /logs and /static, new contexts are created and the session handler is assigned as null.
> Here also the secure attributes needs to be set.
> Is it not done intentionally ? please give your thought
> Background
> trying to add login action for HTTP pages. After this when security test tool is used, it reports error for these 2 urls (/logs and /static).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)