Posted to common-dev@hadoop.apache.org by "nijel (JIRA)" <ji...@apache.org> on 2015/03/05 10:57:38 UTC
[jira] [Created] (HADOOP-11677) Missing secure session attributed for log and static contexts
nijel created HADOOP-11677:
------------------------------
Summary: Missing secure session attributed for log and static contexts
Key: HADOOP-11677
URL: https://issues.apache.org/jira/browse/HADOOP-11677
Project: Hadoop Common
Issue Type: Bug
Reporter: nijel
In HTTPServer2.java for the default context the secure attributes are set.
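{code}
// Session cookie hardening applied to the default web app context only
SessionManager sm = webAppContext.getSessionHandler().getSessionManager();
if (sm instanceof AbstractSessionManager) {
  AbstractSessionManager asm = (AbstractSessionManager) sm;
  asm.setHttpOnly(true);       // cookie not readable from client-side script
  asm.setSecureCookies(true);  // cookie marked Secure
}
{code}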
But when the contexts are created for /logs and /static, new contexts are created and the session handler is assigned as null.
Here also the secure attributes need to be set.
Is it not done intentionally? Please give your thoughts.
Background
Trying to add a login action for HTTP pages. After this, when a security test tool is used, it reports an error for these 2 URLs (/logs and /static).
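The kind of check a security test tool applies to these URLs, as an added example that is not part of the original report or of Hadoop's code: it audits `Set-Cookie` headers per context path for the Secure and HttpOnly flags. The response headers, cookie values and the function names `parse_set_cookie` and `audit` are constructed for illustration, and it is an assumption that the tool's finding was a session cookie issued without these flags.

```python
# Added example: audit Set-Cookie headers for the Secure and HttpOnly flags.
# All response data below is constructed sample input, not captured output.

REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie_name, set of attribute names)."""
    parts = [p.strip() for p in header_value.split(";")]
    # The first part is always name=value; it is never treated as an attribute,
    # so a cookie whose value happens to contain "secure" is not a false pass.
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive: "Path=/logs" -> "path",
    # a bare "HttpOnly" -> "httponly".
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(responses):
    """Return a sorted list of (path, cookie_name, missing_flags) findings."""
    findings = []
    for path, headers in responses.items():
        for key, value in headers:
            if key.lower() != "set-cookie":  # header names are case-insensitive
                continue
            name, attrs = parse_set_cookie(value)
            missing = tuple(f for f in REQUIRED_FLAGS if f not in attrs)
            if missing:
                findings.append((path, name, missing))
    return sorted(findings)


# Constructed sample: the default context sets both flags, the other two do not.
SAMPLE_RESPONSES = {
    "/": [("Content-Type", "text/html"),
          ("Set-Cookie", "JSESSIONID=abc123;Path=/;Secure;HttpOnly")],
    "/logs/": [("Set-Cookie", "JSESSIONID=def456;Path=/logs")],
    "/static/": [("set-cookie", "JSESSIONID=secure789;Path=/static; httponly")],
}

if __name__ == "__main__":
    for path, name, missing in audit(SAMPLE_RESPONSES):
        print(f"{path}: cookie {name} is missing {', '.join(missing)}")
```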