Posted to commits@ambari.apache.org by nc...@apache.org on 2016/10/13 12:43:14 UTC

[02/20] ambari git commit: AMBARI-17311. Modify HTTP headers to follow best security practices (Sangeeta Ravindran via rlevas)

AMBARI-17311. Modify HTTP headers to follow best security practices (Sangeeta Ravindran via rlevas)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/34c5686c
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/34c5686c
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/34c5686c

Branch: refs/heads/branch-dev-patch-upgrade
Commit: 34c5686c3a0f80a5c7b78ddf05bb41cb13202438
Parents: a80c5a2
Author: Sangeeta Ravindran <sa...@gmail.com>
Authored: Mon Oct 10 11:05:40 2016 -0400
Committer: Robert Levas <rl...@hortonworks.com>
Committed: Mon Oct 10 11:09:58 2016 -0400

----------------------------------------------------------------------
 ambari-server/conf/unix/ambari.properties       |   6 +
 ambari-server/conf/windows/ambari.properties    |   6 +
 .../server/configuration/Configuration.java     | 135 +++++++++++++++++++
 .../security/AbstractSecurityHeaderFilter.java  |  43 ++++++
 .../AmbariServerSecurityHeaderFilter.java       |   3 +
 .../AmbariViewsSecurityHeaderFilter.java        |   3 +
 .../AbstractSecurityHeaderFilterTest.java       |  38 +++++-
 .../AmbariServerSecurityHeaderFilterTest.java   |   7 +
 .../AmbariViewsSecurityHeaderFilterTest.java    |   6 +
 9 files changed, 246 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/conf/unix/ambari.properties
----------------------------------------------------------------------
diff --git a/ambari-server/conf/unix/ambari.properties b/ambari-server/conf/unix/ambari.properties
index 4dcbe99..371653f 100644
--- a/ambari-server/conf/unix/ambari.properties
+++ b/ambari-server/conf/unix/ambari.properties
@@ -113,11 +113,17 @@ rolling.upgrade.skip.packages.prefixes=
 http.strict-transport-security=max-age=31536000
 http.x-xss-protection=1; mode=block
 http.x-frame-options=DENY
+http.x-content-type-options=nosniff
+http.cache-control=no-store
+http.pragma=no-cache
 
 # HTTP Header settings for Ambari Views
 views.http.strict-transport-security=max-age=31536000
 views.http.x-xss-protection=1; mode=block
 views.http.x-frame-options=SAMEORIGIN
+views.http.x-content-type-options=nosniff
+views.http.cache-control=no-store
+views.http.pragma=no-cache
 
 mpacks.staging.path=$ROOT/var/lib/ambari-server/resources/mpacks
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/conf/windows/ambari.properties
----------------------------------------------------------------------
diff --git a/ambari-server/conf/windows/ambari.properties b/ambari-server/conf/windows/ambari.properties
index 64cce3b..c1c0a99 100644
--- a/ambari-server/conf/windows/ambari.properties
+++ b/ambari-server/conf/windows/ambari.properties
@@ -93,10 +93,16 @@ ulimit.open.files=10000
 http.strict-transport-security=max-age=31536000
 http.x-xss-protection=1; mode=block
 http.x-frame-options=DENY
+http.x-content-type-options=nosniff
+http.cache-control=no-store
+http.pragma=no-cache
 
 # HTTP Header settings for Ambari Views
 views.http.strict-transport-security=max-age=31536000
 views.http.x-xss-protection=1; mode=block
 views.http.x-frame-options=SAMEORIGIN
+views.http.x-content-type-options=nosniff
+views.http.cache-control=no-store
+views.http.pragma=no-cache
 
 mpacks.staging.path=resources\\mpacks

http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
index 2e850ef..e976f45 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -2182,6 +2182,27 @@ public class Configuration {
       "http.x-xss-protection", "1; mode=block");
 
   /**
+   * The value that will be used to set the {@code X-Content-Type} HTTP response header.
+   */
+  @Markdown(description = "The value that will be used to set the `X-CONTENT-TYPE` HTTP response header.")
+  public static final ConfigurationProperty<String> HTTP_X_CONTENT_TYPE_HEADER_VALUE = new ConfigurationProperty<>(
+      "http.x-content-type-options", "nosniff");
+
+  /**
+   * The value that will be used to set the {@code Cache-Control} HTTP response header.
+   */
+  @Markdown(description = "The value that will be used to set the `Cache-Control` HTTP response header.")
+  public static final ConfigurationProperty<String> HTTP_CACHE_CONTROL_HEADER_VALUE = new ConfigurationProperty<>(
+      "http.cache-control", "no-store");
+
+  /**
+   * The value that will be used to set the {@code PRAGMA} HTTP response header.
+   */
+  @Markdown(description = "The value that will be used to set the `PRAGMA` HTTP response header.")
+  public static final ConfigurationProperty<String> HTTP_PRAGMA_HEADER_VALUE = new ConfigurationProperty<>(
+      "http.pragma", "no-cache");
+
+  /**
    * The value that will be used to set the {@code Strict-Transport-Security}
    * HTTP response header for Ambari View requests.
    */
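Review bot: The Javadoc and `@Markdown` description on `HTTP_X_CONTENT_TYPE_HEADER_VALUE` name the header `X-Content-Type` / `X-CONTENT-TYPE`, but the property key on the next line is `http.x-content-type-options` and the header the filter actually emits is `X-Content-Type-Options`; the `@Markdown` text feeds the generated configuration docs, so an operator searching for the header name a scanner reports will not find the property. The same slip appears on the Views constant in the next hunk (whose Javadoc also repeats "HTTP response header." twice) and in the four new getters below, where the example reads `X-Content-Type: nosniff`; `PRAGMA` should likewise be `Pragma`, the casing that appears on the wire. I would write `* The value that will be used to set the {@code X-Content-Type-Options} HTTP response header.` and use the same spelling in the Markdown description and the getter examples (`X-Content-Type-Options: nosniff`).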
@@ -2207,6 +2228,30 @@ public class Configuration {
       "views.http.x-xss-protection", "1; mode=block");
 
   /**
+   * The value that will be used to set the {@code X-Content-Type} HTTP response header.
+   * HTTP response header for Ambari View requests.
+   */
+  @Markdown(description = "The value that will be used to set the `X-CONTENT-TYPE` HTTP response header for Ambari View requests.")
+  public static final ConfigurationProperty<String> VIEWS_HTTP_X_CONTENT_TYPE_HEADER_VALUE = new ConfigurationProperty<>(
+      "views.http.x-content-type-options", "nosniff");
+
+  /**
+   * The value that will be used to set the {@code Cache-Control} HTTP response header.
+   * HTTP response header for Ambari View requests.
+   */
+  @Markdown(description = "The value that will be used to set the `Cache-Control` HTTP response header for Ambari View requests.")
+  public static final ConfigurationProperty<String> VIEWS_HTTP_CACHE_CONTROL_HEADER_VALUE = new ConfigurationProperty<>(
+      "views.http.cache-control", "no-store");
+
+  /**
+   * The value that will be used to set the {@code PRAGMA} HTTP response header.
+   * HTTP response header for Ambari View requests.
+   */
+  @Markdown(description = "The value that will be used to set the `PRAGMA` HTTP response header for Ambari View requests.")
+  public static final ConfigurationProperty<String> VIEWS_HTTP_PRAGMA_HEADER_VALUE = new ConfigurationProperty<>(
+      "views.http.pragma", "no-cache");
+
+  /**
    * The time, in milliseconds, that requests to connect to a URL to retrieve
    * Version Definition Files (VDF) will wait before being terminated.
    */
@@ -3284,6 +3329,51 @@ public class Configuration {
   }
 
   /**
+   * Get the value that should be set for the <code>X-Content-Type</code> HTTP response header for Ambari Server UI.
+   * <p/>
+   * By default this will be <code>nosniff</code>. For example:
+   * <p/>
+   * <code>
+   * X-Content-Type: nosniff
+   * </code>
+   *
+   * @return the X-Content-Type value - null or "" indicates that the value is not set
+   */
+  public String getXContentTypeHTTPResponseHeader() {
+    return getProperty(HTTP_X_CONTENT_TYPE_HEADER_VALUE);
+  }
+
+  /**
+   * Get the value that should be set for the <code>Cache-Control</code> HTTP response header for Ambari Server UI.
+   * <p/>
+   * By default this will be <code>no-store</code>. For example:
+   * <p/>
+   * <code>
+   * Cache-control: no-store
+   * </code>
+   *
+   * @return the Cache-Control value - null or "" indicates that the value is not set
+   */
+  public String getCacheControlHTTPResponseHeader() {
+    return getProperty(HTTP_CACHE_CONTROL_HEADER_VALUE);
+  }
+
+  /**
+   * Get the value that should be set for the <code>Pragma</code> HTTP response header for Ambari Server UI.
+   * <p/>
+   * By default this will be <code>no-cache</code>. For example:
+   * <p/>
+   * <code>
+   * Pragma: no-cache
+   * </code>
+   *
+   * @return the Pragma value - null or "" indicates that the value is not set
+   */
+  public String getPragmaHTTPResponseHeader() {
+    return getProperty(HTTP_PRAGMA_HEADER_VALUE);
+  }
+
+  /**
    * Get the value that should be set for the <code>Strict-Transport-Security</code> HTTP response header for Ambari Views.
    * <p/>
    * By default this will be <code>max-age=31536000; includeSubDomains</code>. For example:
@@ -3331,6 +3421,51 @@ public class Configuration {
   }
 
   /**
+   * Get the value that should be set for the <code>X-Content-Type</code> HTTP response header for Ambari Views.
+   * <p/>
+   * By default this will be <code>nosniff</code>. For example:
+   * <p/>
+   * <code>
+   * X-Content-Type: nosniff
+   * </code>
+   *
+   * @return the X-Content-Type value - null or "" indicates that the value is not set
+   */
+  public String getViewsXContentTypeHTTPResponseHeader() {
+    return getProperty(VIEWS_HTTP_X_CONTENT_TYPE_HEADER_VALUE);
+  }
+
+  /**
+   * Get the value that should be set for the <code>Cache-Control</code> HTTP response header for Ambari Views.
+   * <p/>
+   * By default this will be <code>no-store</code>. For example:
+   * <p/>
+   * <code>
+   * Cache-control: no-store
+   * </code>
+   *
+   * @return the Cache-Control value - null or "" indicates that the value is not set
+   */
+  public String getViewsCacheControlHTTPResponseHeader() {
+    return getProperty(VIEWS_HTTP_CACHE_CONTROL_HEADER_VALUE);
+  }
+
+  /**
+   * Get the value that should be set for the <code>Pragma</code> HTTP response header for Ambari Views.
+   * <p/>
+   * By default this will be <code>no-cache</code>. For example:
+   * <p/>
+   * <code>
+   * Pragma: no-cache
+   * </code>
+   *
+   * @return the Pragma value - null or "" indicates that the value is not set
+   */
+  public String getViewsPragmaHTTPResponseHeader() {
+    return getProperty(VIEWS_HTTP_PRAGMA_HEADER_VALUE);
+  }
+
+  /**
    * Check to see if the hostname of the agent is to be validated as a proper hostname or not
    *
    * @return true if agent hostnames should be checked as a valid hostnames; otherwise false

http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java b/ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java
index 05c9ecb..423a013 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java
@@ -53,6 +53,9 @@ public abstract class AbstractSecurityHeaderFilter implements Filter {
   protected final static String STRICT_TRANSPORT_HEADER = "Strict-Transport-Security";
   protected final static String X_FRAME_OPTIONS_HEADER = "X-Frame-Options";
   protected final static String X_XSS_PROTECTION_HEADER = "X-XSS-Protection";
+  protected final static String X_CONTENT_TYPE_HEADER = "X-Content-Type-Options";
+  protected final static String CACHE_CONTROL_HEADER = "Cache-Control";
+  protected final static String PRAGMA_HEADER = "Pragma";
 
   /**
    * The logger.
@@ -87,6 +90,19 @@ public abstract class AbstractSecurityHeaderFilter implements Filter {
    * The value for the X-XSS-Protection HTTP response header.
    */
   private String xXSSProtectionHeader = Configuration.HTTP_X_XSS_PROTECTION_HEADER_VALUE.getDefaultValue();
+  /**
+   * The value for the Content-Type HTTP response header.
+   */
+  private String xContentTypeHeader = Configuration.HTTP_X_CONTENT_TYPE_HEADER_VALUE.getDefaultValue();
+  /**
+   * The value for the Cache-control HTTP response header.
+   */
+  private String cacheControlHeader = Configuration.HTTP_CACHE_CONTROL_HEADER_VALUE.getDefaultValue();
+  /**
+   * The value for the Pragma HTTP response header.
+   */
+  private String pragmaHeader = Configuration.HTTP_PRAGMA_HEADER_VALUE.getDefaultValue();
+
 
   @Override
   public void init(FilterConfig filterConfig) throws ServletException {
@@ -141,6 +157,18 @@ public abstract class AbstractSecurityHeaderFilter implements Filter {
     this.xXSSProtectionHeader = xXSSProtectionHeader;
   }
 
+  protected void setXContentTypeHeader(String xContentTypeHeader) {
+    this.xContentTypeHeader = xContentTypeHeader;
+  }
+
+  protected void setCacheControlHeader(String cacheControlHeader) {
+    this.cacheControlHeader = cacheControlHeader;
+  }
+
+  protected void setPragmaHeader(String pragmaHeader) {
+    this.pragmaHeader = pragmaHeader;
+  }
+
   private void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse) {
     if (servletResponse instanceof HttpServletResponse) {
       HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
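Review bot: The three new setters carry no Javadoc, and their spelling (`setXContentTypeHeader`, capital X) departs from the existing `setxFrameOptionsHeader`/`setxXSSProtectionHeader` that the two subclasses call right alongside them. The new spelling is the conventional one, so I would keep it but document the contract that `doFilterInternal` relies on, e.g. `/** Sets the value emitted as the X-Content-Type-Options response header; null or "" suppresses the header. */`, and the same for Cache-Control and Pragma. Nothing in this hunk validates the values, so the Javadoc is the only place a reader learns that clearing the property disables the header rather than sending an empty one. The enclosing class continues outside this hunk.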
@@ -159,6 +187,21 @@ public abstract class AbstractSecurityHeaderFilter implements Filter {
       if (!StringUtils.isEmpty(xXSSProtectionHeader)) {
         httpServletResponse.setHeader(X_XSS_PROTECTION_HEADER, xXSSProtectionHeader);
       }
+
+      // Conditionally set the X-Content-Type HTTP response header if a value is supplied
+      if (!StringUtils.isEmpty(xContentTypeHeader)) {
+        httpServletResponse.setHeader(X_CONTENT_TYPE_HEADER, xContentTypeHeader);
+      }
+
+      // Conditionally set the X-Cache-Control HTTP response header if a value is supplied
+      if (!StringUtils.isEmpty(cacheControlHeader)) {
+        httpServletResponse.setHeader(CACHE_CONTROL_HEADER, cacheControlHeader);
+      }
+
+      // Conditionally set the X-Pragma HTTP response header if a value is supplied
+      if (!StringUtils.isEmpty(pragmaHeader)) {
+        httpServletResponse.setHeader(PRAGMA_HEADER, pragmaHeader);
+      }
     }
   }
 
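Review bot: `Cache-Control: no-store` is now set on every response that reaches `doFilterInternal`, which is the right default for API and login responses that may carry session data, but it also stops browsers caching static UI assets if this filter is mapped to those paths as well — the mapping is not visible in this hunk, so worth confirming and, if so, scoping the header or letting the static-resource handler override it. The comments on the two new branches name headers `X-Cache-Control` and `X-Pragma` that do not exist, and the first one says `X-Content-Type` while the constant used on the next line is `X-Content-Type-Options`; they should read `// Conditionally set the Cache-Control HTTP response header if a value is supplied` and `// Conditionally set the Pragma HTTP response header if a value is supplied`, matching the constants. The field Javadoc earlier in this file has the same problem ("The value for the Content-Type HTTP response header"). `doFilterInternal` starts outside this hunk.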

http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java b/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java
index b40953b..aa00ac2 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java
@@ -47,6 +47,9 @@ public class AmbariServerSecurityHeaderFilter extends AbstractSecurityHeaderFilt
     setStrictTransportSecurity(configuration.getStrictTransportSecurityHTTPResponseHeader());
     setxFrameOptionsHeader(configuration.getXFrameOptionsHTTPResponseHeader());
     setxXSSProtectionHeader(configuration.getXXSSProtectionHTTPResponseHeader());
+    setXContentTypeHeader(configuration.getXContentTypeHTTPResponseHeader());
+    setCacheControlHeader(configuration.getCacheControlHTTPResponseHeader());
+    setPragmaHeader(configuration.getPragmaHTTPResponseHeader());
   }
 
 }

http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java b/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java
index 5bff4e3..d1be8cc 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java
@@ -43,5 +43,8 @@ public class AmbariViewsSecurityHeaderFilter extends AbstractSecurityHeaderFilte
     setStrictTransportSecurity(configuration.getViewsStrictTransportSecurityHTTPResponseHeader());
     setxFrameOptionsHeader(configuration.getViewsXFrameOptionsHTTPResponseHeader());
     setxXSSProtectionHeader(configuration.getViewsXXSSProtectionHTTPResponseHeader());
+    setXContentTypeHeader(configuration.getViewsXContentTypeHTTPResponseHeader());
+    setCacheControlHeader(configuration.getViewsCacheControlHTTPResponseHeader());
+    setPragmaHeader(configuration.getViewsPragmaHTTPResponseHeader());
   }
 }

http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java
index 7be70a3..d812ee6 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java
@@ -95,7 +95,13 @@ public abstract class AbstractSecurityHeaderFilterTest extends EasyMockSupport {
     expectLastCall().once();
     servletResponse.setHeader(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER, defatulPropertyValueMap.get(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER));
     expectLastCall().once();
-
+    servletResponse.setHeader(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER, defatulPropertyValueMap.get(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER));
+    expectLastCall().once();
+    servletResponse.setHeader(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER, defatulPropertyValueMap.get(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER));
+    expectLastCall().once();        
+    servletResponse.setHeader(AbstractSecurityHeaderFilter.PRAGMA_HEADER, defatulPropertyValueMap.get(AbstractSecurityHeaderFilter.PRAGMA_HEADER));
+    expectLastCall().once();
+    
     FilterChain filterChain = createStrictMock(FilterChain.class);
     filterChain.doFilter(servletRequest, servletResponse);
     expectLastCall().once();
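Review bot: The added `expectLastCall().once();` after the `CACHE_CONTROL_HEADER` expectation and the blank line before `FilterChain filterChain` carry trailing whitespace, which the rest of the file and the later hunks of this test do not; they should be `    expectLastCall().once();` and an empty line. The same three `setHeader`/`expectLastCall()` pairs are pasted into four places in this file and the three property assignments into four more, so a small helper that records the expectations for every entry of `defatulPropertyValueMap` would keep the next header addition to a one-line change.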
@@ -141,6 +147,12 @@ public abstract class AbstractSecurityHeaderFilterTest extends EasyMockSupport {
     expectLastCall().once();
     servletResponse.setHeader(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER, defatulPropertyValueMap.get(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER));
     expectLastCall().once();
+    servletResponse.setHeader(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER, defatulPropertyValueMap.get(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER));
+    expectLastCall().once();
+    servletResponse.setHeader(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER, defatulPropertyValueMap.get(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER));
+    expectLastCall().once();
+    servletResponse.setHeader(AbstractSecurityHeaderFilter.PRAGMA_HEADER, defatulPropertyValueMap.get(AbstractSecurityHeaderFilter.PRAGMA_HEADER));
+    expectLastCall().once();
 
     FilterChain filterChain = createStrictMock(FilterChain.class);
     filterChain.doFilter(servletRequest, servletResponse);
@@ -171,6 +183,9 @@ public abstract class AbstractSecurityHeaderFilterTest extends EasyMockSupport {
         properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.STRICT_TRANSPORT_HEADER), "custom1");
         properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_FRAME_OPTIONS_HEADER), "custom2");
         properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER), "custom3");
+        properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER), "custom4");
+        properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER), "custom5");
+        properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.PRAGMA_HEADER), "custom6");
 
         bind(OsFamily.class).toInstance(createNiceMock(OsFamily.class));
         bind(Configuration.class).toInstance(new Configuration(properties));
@@ -187,6 +202,12 @@ public abstract class AbstractSecurityHeaderFilterTest extends EasyMockSupport {
     expectLastCall().once();
     servletResponse.setHeader(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER, "custom3");
     expectLastCall().once();
+    servletResponse.setHeader(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER, "custom4");
+    expectLastCall().once();
+    servletResponse.setHeader(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER, "custom5");
+    expectLastCall().once();
+    servletResponse.setHeader(AbstractSecurityHeaderFilter.PRAGMA_HEADER, "custom6");
+    expectLastCall().once();
 
     FilterChain filterChain = createStrictMock(FilterChain.class);
     filterChain.doFilter(servletRequest, servletResponse);
@@ -218,6 +239,9 @@ public abstract class AbstractSecurityHeaderFilterTest extends EasyMockSupport {
         properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.STRICT_TRANSPORT_HEADER), "custom1");
         properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_FRAME_OPTIONS_HEADER), "custom2");
         properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER), "custom3");
+        properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER), "custom4");
+        properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER), "custom5");
+        properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.PRAGMA_HEADER), "custom6");
 
         bind(OsFamily.class).toInstance(createNiceMock(OsFamily.class));
         bind(Configuration.class).toInstance(new Configuration(properties));
@@ -236,6 +260,12 @@ public abstract class AbstractSecurityHeaderFilterTest extends EasyMockSupport {
     expectLastCall().once();
     servletResponse.setHeader(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER, "custom3");
     expectLastCall().once();
+    servletResponse.setHeader(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER, "custom4");
+    expectLastCall().once();
+    servletResponse.setHeader(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER, "custom5");
+    expectLastCall().once();
+    servletResponse.setHeader(AbstractSecurityHeaderFilter.PRAGMA_HEADER, "custom6");
+    expectLastCall().once();
 
     FilterChain filterChain = createStrictMock(FilterChain.class);
     filterChain.doFilter(servletRequest, servletResponse);
@@ -266,6 +296,9 @@ public abstract class AbstractSecurityHeaderFilterTest extends EasyMockSupport {
         properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.STRICT_TRANSPORT_HEADER), "");
         properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_FRAME_OPTIONS_HEADER), "");
         properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER), "");
+        properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER), "");
+        properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER), "");
+        properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.PRAGMA_HEADER), "");
 
         bind(OsFamily.class).toInstance(createNiceMock(OsFamily.class));
         bind(Configuration.class).toInstance(new Configuration(properties));
@@ -309,6 +342,9 @@ public abstract class AbstractSecurityHeaderFilterTest extends EasyMockSupport {
         properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.STRICT_TRANSPORT_HEADER), "");
         properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_FRAME_OPTIONS_HEADER), "");
         properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER), "");
+        properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER), "");
+        properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER), "");
+        properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.PRAGMA_HEADER), "");
 
         bind(OsFamily.class).toInstance(createNiceMock(OsFamily.class));
         bind(Configuration.class).toInstance(new Configuration(properties));

http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java
index 6537130..7fa2386 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java
@@ -40,12 +40,19 @@ public class AmbariServerSecurityHeaderFilterTest extends AbstractSecurityHeader
     map.put(AbstractSecurityHeaderFilter.STRICT_TRANSPORT_HEADER, Configuration.HTTP_STRICT_TRANSPORT_HEADER_VALUE.getKey());
     map.put(AbstractSecurityHeaderFilter.X_FRAME_OPTIONS_HEADER, Configuration.HTTP_X_FRAME_OPTIONS_HEADER_VALUE.getKey());
     map.put(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER, Configuration.HTTP_X_XSS_PROTECTION_HEADER_VALUE.getKey());
+    map.put(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER, Configuration.HTTP_X_CONTENT_TYPE_HEADER_VALUE.getKey());
+    map.put(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER, Configuration.HTTP_CACHE_CONTROL_HEADER_VALUE.getKey());
+    map.put(AbstractSecurityHeaderFilter.PRAGMA_HEADER, Configuration.HTTP_PRAGMA_HEADER_VALUE.getKey());
+
     PROPERTY_NAME_MAP = Collections.unmodifiableMap(map);
 
     map = new HashMap<String, String>();
     map.put(AbstractSecurityHeaderFilter.STRICT_TRANSPORT_HEADER, Configuration.HTTP_STRICT_TRANSPORT_HEADER_VALUE.getDefaultValue());
     map.put(AbstractSecurityHeaderFilter.X_FRAME_OPTIONS_HEADER, Configuration.HTTP_X_FRAME_OPTIONS_HEADER_VALUE.getDefaultValue());
     map.put(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER, Configuration.HTTP_X_XSS_PROTECTION_HEADER_VALUE.getDefaultValue());
+    map.put(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER, Configuration.HTTP_X_CONTENT_TYPE_HEADER_VALUE.getDefaultValue());
+    map.put(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER, Configuration.HTTP_CACHE_CONTROL_HEADER_VALUE.getDefaultValue());
+    map.put(AbstractSecurityHeaderFilter.PRAGMA_HEADER, Configuration.HTTP_PRAGMA_HEADER_VALUE.getDefaultValue());
     DEFAULT_PROPERTY_VALUE_MAP = Collections.unmodifiableMap(map);
   }
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java
index c9d7974..d699ae0 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java
@@ -41,12 +41,18 @@ public class AmbariViewsSecurityHeaderFilterTest extends AbstractSecurityHeaderF
     map.put(AbstractSecurityHeaderFilter.STRICT_TRANSPORT_HEADER, Configuration.VIEWS_HTTP_STRICT_TRANSPORT_HEADER_VALUE.getKey());
     map.put(AbstractSecurityHeaderFilter.X_FRAME_OPTIONS_HEADER, Configuration.VIEWS_HTTP_X_FRAME_OPTIONS_HEADER_VALUE.getKey());
     map.put(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER, Configuration.VIEWS_HTTP_X_XSS_PROTECTION_HEADER_VALUE.getKey());
+    map.put(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER, Configuration.VIEWS_HTTP_X_CONTENT_TYPE_HEADER_VALUE.getKey());
+    map.put(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER, Configuration.VIEWS_HTTP_CACHE_CONTROL_HEADER_VALUE.getKey());
+    map.put(AbstractSecurityHeaderFilter.PRAGMA_HEADER, Configuration.VIEWS_HTTP_PRAGMA_HEADER_VALUE.getKey());
     PROPERTY_NAME_MAP = Collections.unmodifiableMap(map);
 
     map = new HashMap<String, String>();
     map.put(AbstractSecurityHeaderFilter.STRICT_TRANSPORT_HEADER, Configuration.VIEWS_HTTP_STRICT_TRANSPORT_HEADER_VALUE.getDefaultValue());
     map.put(AbstractSecurityHeaderFilter.X_FRAME_OPTIONS_HEADER, Configuration.VIEWS_HTTP_X_FRAME_OPTIONS_HEADER_VALUE.getDefaultValue());
     map.put(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER, Configuration.VIEWS_HTTP_X_XSS_PROTECTION_HEADER_VALUE.getDefaultValue());
+    map.put(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER, Configuration.VIEWS_HTTP_X_CONTENT_TYPE_HEADER_VALUE.getDefaultValue());
+    map.put(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER, Configuration.VIEWS_HTTP_CACHE_CONTROL_HEADER_VALUE.getDefaultValue());
+    map.put(AbstractSecurityHeaderFilter.PRAGMA_HEADER, Configuration.VIEWS_HTTP_PRAGMA_HEADER_VALUE.getDefaultValue());
     DEFAULT_PROPERTY_VALUE_MAP = Collections.unmodifiableMap(map);
   }