Posted to commits@drill.apache.org by ar...@apache.org on 2018/06/07 10:44:07 UTC
[drill] branch master updated: DRILL-6466: Add HttpOnly flag to
response cookies
This is an automated email from the ASF dual-hosted git repository.
arina pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/drill.git
The following commit(s) were added to refs/heads/master by this push:
new cd219ff DRILL-6466: Add HttpOnly flag to response cookies
cd219ff is described below
commit cd219ff2bcd0867c2fb4aa95d171cb3882d1245c
Author: Arina Ielchiieva <ar...@gmail.com>
AuthorDate: Tue Jun 5 17:35:24 2018 +0300
DRILL-6466: Add HttpOnly flag to response cookies
---
.../apache/drill/exec/server/rest/WebServer.java | 48 ++++------------------
1 file changed, 7 insertions(+), 41 deletions(-)
diff --git a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/WebServer.java b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/WebServer.java
index 09170a6..098845e 100644
--- a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/WebServer.java
+++ b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/WebServer.java
@@ -20,7 +20,6 @@ package org.apache.drill.exec.server.rest;
import com.codahale.metrics.MetricRegistry;
import com.codahale.metrics.servlets.MetricsServlet;
import com.codahale.metrics.servlets.ThreadDumpServlet;
-import com.google.common.collect.ImmutableSet;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.drill.common.config.DrillConfig;
@@ -31,7 +30,6 @@ import org.apache.drill.exec.exception.DrillbitStartupException;
import org.apache.drill.exec.server.BootStrapContext;
import org.apache.drill.exec.server.Drillbit;
import org.apache.drill.exec.server.rest.auth.DrillErrorHandler;
-import org.apache.drill.exec.server.rest.auth.DrillRestLoginService;
import org.apache.drill.exec.server.rest.auth.DrillHttpSecurityHandlerProvider;
import org.apache.drill.exec.ssl.SSLConfigBuilder;
import org.apache.drill.exec.work.WorkManager;
@@ -43,10 +41,7 @@ import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.eclipse.jetty.http.HttpVersion;
-import org.eclipse.jetty.security.ConstraintMapping;
-import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.SecurityHandler;
-import org.eclipse.jetty.security.authentication.FormAuthenticator;
import org.eclipse.jetty.security.authentication.SessionAuthentication;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
@@ -81,13 +76,8 @@ import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
-import java.util.Collections;
import java.util.Date;
import java.util.EnumSet;
-import java.util.Set;
-
-import static org.apache.drill.exec.server.rest.auth.DrillUserPrincipal.ADMIN_ROLE;
-import static org.apache.drill.exec.server.rest.auth.DrillUserPrincipal.AUTHENTICATED_ROLE;
/**
* Wrapper class around jetty based webserver.
@@ -96,37 +86,30 @@ public class WebServer implements AutoCloseable {
private static final org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(WebServer.class);
private static final int PORT_HUNT_TRIES = 100;
+ private static final String BASE_STATIC_PATH = "/rest/static/";
+ private static final String DRILL_ICON_RESOURCE_RELATIVE_PATH = "img/drill.ico";
private final DrillConfig config;
-
private final MetricRegistry metrics;
-
private final WorkManager workManager;
-
- private final BootStrapContext context;
+ private final Drillbit drillbit;
private Server embeddedJetty;
- private final Drillbit drillbit;
-
/**
* Create Jetty based web server.
*
* @param context Bootstrap context.
* @param workManager WorkManager instance.
+ * @param drillbit Drillbit instance.
*/
public WebServer(final BootStrapContext context, final WorkManager workManager, final Drillbit drillbit) {
- this.context = context;
this.config = context.getConfig();
this.metrics = context.getMetrics();
this.workManager = workManager;
this.drillbit = drillbit;
}
- private static final String BASE_STATIC_PATH = "/rest/static/";
-
- private static final String DRILL_ICON_RESOURCE_RELATIVE_PATH = "img/drill.ico";
-
/**
* Checks if only impersonation is enabled.
*
@@ -140,7 +123,6 @@ public class WebServer implements AutoCloseable {
/**
* Start the web server including setup.
- * @throws Exception
*/
@SuppressWarnings("resource")
public void start() throws Exception {
@@ -175,7 +157,6 @@ public class WebServer implements AutoCloseable {
} catch (BindException e) {
if (portHunt) {
logger.info("Failed to start on port {}, trying port {}", port, ++port, e);
- continue;
} else {
throw e;
}
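Review bot: With the redundant `continue` gone, the remaining retry path still mutates `port` inside the logger's argument list (`++port` in the `logger.info(...)` call), which hides the state change behind a log statement and makes it easy to miss that the retry target is chosen here. Moving the increment onto its own line reads more clearly and keeps the log call side-effect free: `int failedPort = port++;` followed by `logger.info("Failed to start on port {}, trying port {}", failedPort, port, e);`. Logging the full `BindException` at INFO on every hunt step is also noisy; a DEBUG-level trace, or dropping `e` from the INFO line, would be more proportionate if each bind failure is expected during port hunting. The loop that contains this catch block begins outside the hunk, so the bound on retries (PORT_HUNT_TRIES) is not visible here.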
@@ -250,6 +231,8 @@ public class WebServer implements AutoCloseable {
private SessionHandler createSessionHandler(final SecurityHandler securityHandler) {
SessionManager sessionManager = new HashSessionManager();
sessionManager.setMaxInactiveInterval(config.getInt(ExecConstants.HTTP_SESSION_MAX_IDLE_SECS));
+ // response cookie will be returned with HttpOnly flag
+ sessionManager.getSessionCookieConfig().setHttpOnly(true);
sessionManager.addEventListener(new HttpSessionListener() {
@Override
public void sessionCreated(HttpSessionEvent se) {
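Review bot: The session cookie now carries HttpOnly but is still not marked Secure, so when the Drillbit is started with the HTTPS connector (createHttpsConnector is defined in this file) a browser will also attach the session id to any plain-HTTP request for the same host. Jetty's session cookie config exposes that flag next to HttpOnly; the minimal change is `sessionManager.getSessionCookieConfig().setSecure(true);` applied only when HTTPS is enabled, or `sessionManager.setSecureRequestOnly(true);` if the Jetty version in use provides it, which marks the cookie Secure only for sessions created over an HTTPS request. Setting Secure unconditionally would break plain-HTTP deployments, so the decision should follow the same configuration switch that selects the HTTPS connector. createSessionHandler continues past this hunk; its `return new SessionHandler(sessionManager);` appears in the next one.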
@@ -285,21 +268,6 @@ public class WebServer implements AutoCloseable {
return new SessionHandler(sessionManager);
}
- /**
- * @return {@link SecurityHandler} with appropriate {@link LoginService}, {@link Authenticator} and constraints.
- */
- private ConstraintSecurityHandler createSecurityHandler() {
- ConstraintSecurityHandler security = new ConstraintSecurityHandler();
-
- Set<String> knownRoles = ImmutableSet.of(AUTHENTICATED_ROLE, ADMIN_ROLE);
- security.setConstraintMappings(Collections.<ConstraintMapping>emptyList(), knownRoles);
-
- security.setAuthenticator(new FormAuthenticator("/login", "/login", true));
- security.setLoginService(new DrillRestLoginService(workManager.getContext()));
-
- return security;
- }
-
public int getPort() {
if (!isRunning()) {
throw new UnsupportedOperationException("Http is not enabled");
@@ -331,7 +299,6 @@ public class WebServer implements AutoCloseable {
* they will be used else a self-signed certificate is generated and used.
*
* @return Initialized {@link ServerConnector} for HTTPS connections.
- * @throws Exception
*/
private ServerConnector createHttpsConnector(int port, int acceptors, int selectors) throws Exception {
logger.info("Setting up HTTPS connector for web server");
@@ -425,9 +392,8 @@ public class WebServer implements AutoCloseable {
* Create HTTP connector.
*
* @return Initialized {@link ServerConnector} instance for HTTP connections.
- * @throws Exception
*/
- private ServerConnector createHttpConnector(int port, int acceptors, int selectors) throws Exception {
+ private ServerConnector createHttpConnector(int port, int acceptors, int selectors) {
logger.info("Setting up HTTP connector for web server");
final HttpConfiguration httpConfig = new HttpConfiguration();
final ServerConnector httpConnector =
--