Posted to commits@storm.apache.org by pa...@apache.org on 2015/04/10 01:36:06 UTC

[2/3] storm git commit: STORM-749: Remove CSRF check.

STORM-749: Remove CSRF check.

Conflicts:
	storm-core/src/ui/public/css/style.css


Project: http://git-wip-us.apache.org/repos/asf/storm/repo
Commit: http://git-wip-us.apache.org/repos/asf/storm/commit/8663fa6e
Tree: http://git-wip-us.apache.org/repos/asf/storm/tree/8663fa6e
Diff: http://git-wip-us.apache.org/repos/asf/storm/diff/8663fa6e

Branch: refs/heads/0.10.x-branch
Commit: 8663fa6e442c063ba994b347863618c937d269fc
Parents: 7fd76a0
Author: Parth Brahmbhatt <br...@gmail.com>
Authored: Thu Apr 2 18:13:18 2015 -0700
Committer: Parth Brahmbhatt <br...@gmail.com>
Committed: Tue Apr 7 10:47:53 2015 -0700

----------------------------------------------------------------------
 STORM-UI-REST-API.md                          | 42 ----------------------
 storm-core/pom.xml                            |  5 ---
 storm-core/src/clj/backtype/storm/ui/core.clj | 13 ++-----
 storm-core/src/ui/public/css/style.css        |  6 +---
 storm-core/src/ui/public/js/script.js         |  3 +-
 storm-core/src/ui/public/topology.html        |  3 --
 6 files changed, 4 insertions(+), 68 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/storm/blob/8663fa6e/STORM-UI-REST-API.md
----------------------------------------------------------------------
diff --git a/STORM-UI-REST-API.md b/STORM-UI-REST-API.md
index 8e9e67a..2836105 100644
--- a/STORM-UI-REST-API.md
+++ b/STORM-UI-REST-API.md
@@ -231,11 +231,6 @@ Response fields:
 |bolts.errorLapsedSecs| Integer |Number of seconds elapsed since that last error happened in a bolt|
 |bolts.errorWorkerLogLink| String | Link to the worker log that reported the exception |
 |bolts.emitted| Long |Number of tuples emitted|
-|antiForgeryToken| String | CSRF token|
-
-Caution: users need to unescape the antiForgeryToken value before using this token to make POST calls(simple-json escapes forward slashes)
-[ISSUE-8](https://code.google.com/p/json-simple/issues/detail?id=8)
-
 
 Examples:
 
@@ -578,44 +573,8 @@ Sample response:
 }
 ```
 
-### /api/v1/token (GET)
-
-Returns a anti forgery token to use in POST calls
-
-Response fields:
-
-|Field  |Value |Description|
-|antiForgeryToken| String | CSRF token|
-
-Sample response:
-
-```json
-{
-    "antiForgeryToken": "Dygf1UHQF7qL0syKLTKEGSX5y0rZhhQTxS2f/WWwI2PhN1zmRdh8MQ1KTd5CXRmjMVmAJ43eklqYmvD5"
-}
-```
-
-
 ## POST Operations
 
-### Cross site request forgery (CSRF) prevention in POST requests
-
-In order to prevent CSRF vulnerability, the REST API uses a CSRF token. This is primarily done for the UI, however we
-do not have alternative APIs/paths for UI and non-UI clients.
-
-The token is generated during the `/api/v1/topology/:id` (GET) request. The JSON response for this GET request contains
-a field called "antiForgeryToken". All the post requests below must include a header "x-csrf-token" with the value of
-"antiForgeryToken" from the GET response. In absence of this header with the right token value you will get following
-error response:
-
-```
-{
-    "error" : "Forbidden action.",
-    "errorMessage" : "missing CSRF token."
-}
-```
-
-
 ### /api/v1/topology/:id/activate (POST)
 
 Activates a topology.
@@ -667,7 +626,6 @@ Examples:
 
 ```no-highlight
 curl  -i -b ~/cookiejar.txt -c ~/cookiejar.txt -X POST  
--H 'x-csrf-token:nRXggIDItGA/rxjPETo9ok65DM3rpQqOLoNwWXZWbGuaZZjtms5/tU+h36uQCR34z50DtFybkwh1ZB5e' 
 -H "Content-Type: application/json" 
 -d  '{"rebalanceOptions": {"numWorkers": 2, "executors": { "spout" : "5", "split": 7, "count": 5 }}, "callback":"foo"}' 
 http://localhost:8080/api/v1/topology/wordcount-1-1420308665/rebalance/0

http://git-wip-us.apache.org/repos/asf/storm/blob/8663fa6e/storm-core/pom.xml
----------------------------------------------------------------------
diff --git a/storm-core/pom.xml b/storm-core/pom.xml
index 7f7b812..17e1a15 100644
--- a/storm-core/pom.xml
+++ b/storm-core/pom.xml
@@ -68,11 +68,6 @@
         </dependency>
         <dependency>
             <groupId>ring</groupId>
-            <artifactId>ring-anti-forgery</artifactId>
-            <version>1.0.0</version>
-        </dependency>
-        <dependency>
-            <groupId>ring</groupId>
             <artifactId>ring-json</artifactId>
             <version>0.3.1</version>
         </dependency>

http://git-wip-us.apache.org/repos/asf/storm/blob/8663fa6e/storm-core/src/clj/backtype/storm/ui/core.clj
----------------------------------------------------------------------
diff --git a/storm-core/src/clj/backtype/storm/ui/core.clj b/storm-core/src/clj/backtype/storm/ui/core.clj
index c64f35d..7a475ad 100644
--- a/storm-core/src/clj/backtype/storm/ui/core.clj
+++ b/storm-core/src/clj/backtype/storm/ui/core.clj
@@ -23,7 +23,6 @@
   (:use [backtype.storm.ui helpers])
   (:use [backtype.storm.daemon [common :only [ACKER-COMPONENT-ID ACKER-INIT-STREAM-ID ACKER-ACK-STREAM-ID
                                               ACKER-FAIL-STREAM-ID system-id? mk-authorization-handler]]])
-  (:use [ring.middleware.anti-forgery])
   (:use [clojure.string :only [blank? lower-case trim]])
   (:import [backtype.storm.utils Utils])
   (:import [backtype.storm.generated ExecutorSpecificStats
@@ -699,8 +698,7 @@
         "spouts" (spout-comp id spout-comp-summs (.get_errors summ) window include-sys?)
         "bolts" (bolt-comp id bolt-comp-summs (.get_errors summ) window include-sys?)
         "configuration" topology-conf
-        "visualizationTable" (stream-boxes visualizer-data)
-        "antiForgeryToken" *anti-forgery-token*}))))
+        "visualizationTable" (stream-boxes visualizer-data)}))))
 
 (defn spout-output-stats
   [stream-summary window]
@@ -926,8 +924,6 @@
        (let [user (.getUserName http-creds-handler servlet-request)]
          (assert-authorized-user servlet-request "getTopology" (topology-config id))
          (json-response (component-page id component (:window m) (check-include-sys? (:sys m)) user) (:callback m))))
-  (GET "/api/v1/token" [ & m]
-       (json-response (format "{\"antiForgeryToken\": \"%s\"}" *anti-forgery-token*) (:callback m) :serialize-fn identity))
   (POST "/api/v1/topology/:id/activate" [:as {:keys [cookies servlet-request]} id & m]
     (assert-authorized-user servlet-request "activate" (topology-config id))
     (with-nimbus nimbus
@@ -938,7 +934,7 @@
             name (.get_name tplg)]
         (.activate nimbus name)
         (log-message "Activating topology '" name "'")))
-    (json-response (topology-op-response id "deactivate") (m "callback")))
+    (json-response (topology-op-response id "activate") (m "callback")))
   (POST "/api/v1/topology/:id/deactivate" [:as {:keys [cookies servlet-request]} id & m]
     (assert-authorized-user servlet-request "deactivate" (topology-config id))
     (with-nimbus nimbus
@@ -1005,15 +1001,10 @@
         (json-response (exception->json ex) ((:query-params request) "callback") :status 500)))))
 
 
-(def csrf-error-response
-  (json-response {"error" "Forbidden action."
-                  "errorMessage" "missing CSRF token."} 403))
-
 (def app
   (handler/site (-> main-routes
                     (wrap-json-params)
                     (wrap-reload '[backtype.storm.ui.core])
-                    (wrap-anti-forgery {:error-response csrf-error-response})
                     catch-errors)))
 
 (defn start-server!
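Review bot: Once `wrap-anti-forgery` is dropped from the `app` middleware chain in this hunk, the state-changing POST routes in main-routes (the activate and deactivate handlers visible in the earlier hunks, and any others outside this view) are guarded only by `assert-authorized-user`, which checks who the session belongs to but cannot tell a request the user intended from one a browser issues on that user's behalf from another origin. If the token scheme was removed because it was unreliable, the replacement mitigation should be stated before this lands — an Origin/Referer check on POST, or accepting POSTs only when a custom request header set by the UI's own script is present — otherwise the UI's POST handlers are left without any CSRF defence. At minimum a comment above `(def app` such as `;; NOTE: no CSRF protection on POST routes after STORM-749 — TODO: origin or custom-header check` records the decision for the next maintainer. The same removal is spread over the `/api/v1/token` route hunk above and the `confirmAction` change in script.js.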

http://git-wip-us.apache.org/repos/asf/storm/blob/8663fa6e/storm-core/src/ui/public/css/style.css
----------------------------------------------------------------------
diff --git a/storm-core/src/ui/public/css/style.css b/storm-core/src/ui/public/css/style.css
index df3d3db..1851f6a 100644
--- a/storm-core/src/ui/public/css/style.css
+++ b/storm-core/src/ui/public/css/style.css
@@ -22,8 +22,4 @@
 #ui-user {
     text-align: right;
     padding: 0.5em;
-}
-
-.anti-forgery-token {
-    visibility:hidden;
-}
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/storm/blob/8663fa6e/storm-core/src/ui/public/js/script.js
----------------------------------------------------------------------
diff --git a/storm-core/src/ui/public/js/script.js b/storm-core/src/ui/public/js/script.js
index 25822f5..73cfd7f 100644
--- a/storm-core/src/ui/public/js/script.js
+++ b/storm-core/src/ui/public/js/script.js
@@ -84,8 +84,7 @@ function ensureInt(n) {
 function confirmAction(id, name, action, wait, defaultWait) {
     var opts = {
         type:'POST',
-        url:'/api/v1/topology/' + id + '/' + action,
-        headers: { 'x-csrf-token': $.trim($('#anti-forgery-token').text()) }
+        url:'/api/v1/topology/' + id + '/' + action
     };
     if (wait) {
         var waitSecs = prompt('Do you really want to ' + action + ' topology "' + name + '"? ' +
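Review bot: On the retained `url:` line, `id` and `action` are concatenated into the request path without encoding, so a topology id containing `/`, `?` or `#` would address a different route than intended; `url:'/api/v1/topology/' + encodeURIComponent(id) + '/' + encodeURIComponent(action)` keeps each path segment intact. confirmAction's body continues past the end of the hunk.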

http://git-wip-us.apache.org/repos/asf/storm/blob/8663fa6e/storm-core/src/ui/public/topology.html
----------------------------------------------------------------------
diff --git a/storm-core/src/ui/public/topology.html b/storm-core/src/ui/public/topology.html
index 4b2d841..7285f35 100644
--- a/storm-core/src/ui/public/topology.html
+++ b/storm-core/src/ui/public/topology.html
@@ -77,9 +77,6 @@
   <div class="row">
     <div id="json-response-error" class="col-md-12"></div>
   </div>
-  <div class="row">
-    <div id="anti-forgery-token" class="anti-forgery-token col-md-12"></div>
-  </div>
 </div>
 </body>
 <script>