You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@drill.apache.org by "Igor Guzenko (Jira)" <ji...@apache.org> on 2020/03/23 07:53:00 UTC

[jira] [Assigned] (DRILL-7648) Scrypt j_security_check works without security headers

     [ https://issues.apache.org/jira/browse/DRILL-7648?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Igor Guzenko reassigned DRILL-7648:
-----------------------------------

    Assignee: Igor Guzenko

> Scrypt j_security_check works without security headers 
> -------------------------------------------------------
>
>                 Key: DRILL-7648
>                 URL: https://issues.apache.org/jira/browse/DRILL-7648
>             Project: Apache Drill
>          Issue Type: Bug
>            Reporter: Dmytro Kondriukov
>            Assignee: Igor Guzenko
>            Priority: Major
>
> *Preconditions:*
> drill-override.conf
> {noformat}
> drill.exec: {
>   cluster-id: "drillbits1",
>   zk.connect: "localhost:5181"
>   impersonation: {
>         enabled: true,
>         max_chained_user_hops: 3
>         },
>     security: {
>         auth.mechanisms : ["PLAIN"],
>         },
>     security.user.auth: {
>     enabled: true,
>     packages += "org.apache.drill.exec.rpc.user.security",
>     impl: "pam4j",
>     pam_profiles: [ "sudo", "login" ]
>     }
>   http: {
>     ssl_enabled: true,.
>     jetty.server.response.headers: {
>       "X-XSS-Protection": "1; mode=block",
>       "X-Content-Type-Options": "nosniff",
>       "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
>       "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"
>     }
>   }
> }
> {noformat}
> *Steps:*
> 1. Perform login to drillbit webUI
> 2. Check in browser console in tab "network" headers of resource https://node1.cluster.com:8047/j_security_check
> 3. Check section "response headers"
> *Expected result:* security headers are present
> *Actual result:* security headers are absent
> 4. Check section "Form Data"
> *Expected result:* parameter "j_password" content is hidden
> *Actual result:* parameter "j_password" content is visible



--
This message was sent by Atlassian Jira
(v8.3.4#803005)