Posted to issues@drill.apache.org by "Igor Guzenko (Jira)" <ji...@apache.org> on 2020/03/23 07:53:00 UTC
[jira] [Assigned] (DRILL-7648) Scrypt j_security_check works without security headers
[ https://issues.apache.org/jira/browse/DRILL-7648?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Igor Guzenko reassigned DRILL-7648:
-----------------------------------
Assignee: Igor Guzenko
> Scrypt j_security_check works without security headers
> -------------------------------------------------------
>
> Key: DRILL-7648
> URL: https://issues.apache.org/jira/browse/DRILL-7648
> Project: Apache Drill
> Issue Type: Bug
> Reporter: Dmytro Kondriukov
> Assignee: Igor Guzenko
> Priority: Major
>
> *Preconditions:*
> drill-override.conf
> {noformat}
> drill.exec: {
> cluster-id: "drillbits1",
> zk.connect: "localhost:5181"
> impersonation: {
> enabled: true,
> max_chained_user_hops: 3
> },
> security: {
> auth.mechanisms : ["PLAIN"],
> },
> security.user.auth: {
> enabled: true,
> packages += "org.apache.drill.exec.rpc.user.security",
> impl: "pam4j",
> pam_profiles: [ "sudo", "login" ]
> }
> http: {
> ssl_enabled: true,
> jetty.server.response.headers: {
> "X-XSS-Protection": "1; mode=block",
> "X-Content-Type-Options": "nosniff",
> "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
> "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"
> }
> }
> }
> {noformat}
> *Steps:*
> 1. Perform login to drillbit webUI
> 2. In the browser console, on the "Network" tab, check the headers of the resource https://node1.cluster.com:8047/j_security_check
> 3. Check the "Response Headers" section
> *Expected result:* security headers are present
> *Actual result:* security headers are absent
> 4. Check the "Form Data" section
> *Expected result:* parameter "j_password" content is hidden
> *Actual result:* parameter "j_password" content is visible
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
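The reporter's steps 1 to 3 can be automated so that the check does not depend on reading the DevTools Network tab. The script below is an added example for this page; it is not part of the Jira issue, the Drill code base, or the reporter's procedure. It assumes the header set from the drill-override.conf quoted in the report, a Drillbit at the host named in the report (https://node1.cluster.com:8047), and the standard Jetty FORM-auth field names j_username and j_password. It uses http.client deliberately because it does not follow redirects, so the headers inspected are those of the j_security_check response itself rather than of the page it redirects to. On step 4, note that the "Form Data" pane shows the request body as the browser built it before TLS encryption; with ssl_enabled: true the body is encrypted on the wire, so its visibility in DevTools is separate from the missing-header problem.

```python
"""Check a Drill web UI login for the configured response headers.

Added example for this report; not part of the Jira issue or of Apache
Drill. Assumes the jetty.server.response.headers set quoted in the
report's drill-override.conf, a hypothetical Drillbit at
https://node1.cluster.com:8047, and Jetty's j_username/j_password fields.
"""
import http.client
import ssl
import sys
import urllib.parse

# Header names and values configured under jetty.server.response.headers
# in the report's drill-override.conf.
EXPECTED_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
    "Content-Security-Policy": (
        "default-src https:; script-src 'unsafe-inline' https:; "
        "style-src 'unsafe-inline' https:; font-src data: https:; "
        "img-src data: https:"
    ),
}


def header_names(headers):
    """Lower-cased names from a mapping or a list of (name, value) pairs.

    http.client returns a list of pairs; a dict is accepted as well.
    HTTP header names are case-insensitive, so compare them lower-cased.
    """
    pairs = headers.items() if hasattr(headers, "items") else headers
    return {name.lower() for name, _value in pairs}


def missing_security_headers(headers):
    """Return the configured header names the response lacks, in
    configuration order; an empty list means every header was sent."""
    present = header_names(headers)
    return [name for name in EXPECTED_HEADERS if name.lower() not in present]


def post_login(host, port, username, password, verify_tls=True):
    """POST the login form to /j_security_check and return (status, headers).

    http.client does not follow redirects, so the headers returned are those
    of the j_security_check response itself (normally a 302 back to the UI).
    """
    context = ssl.create_default_context()
    if not verify_tls:  # only for lab clusters with self-signed certificates
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    body = urllib.parse.urlencode({"j_username": username, "j_password": password})
    conn = http.client.HTTPSConnection(host, port, context=context, timeout=10)
    try:
        conn.request(
            "POST",
            "/j_security_check",
            body=body,
            headers={"Content-Type": "application/x-www-form-urlencoded"},
        )
        resp = conn.getresponse()
        return resp.status, resp.getheaders()
    finally:
        conn.close()


# Constructed sample of a Jetty FORM-auth redirect with none of the
# configured headers applied (the "actual result" in the report).
SAMPLE_BARE_REDIRECT = [
    ("Location", "https://node1.cluster.com:8047/"),
    ("Set-Cookie", "JSESSIONID=node01abc.node0; Path=/; Secure; HttpOnly"),
    ("Content-Length", "0"),
]


if __name__ == "__main__":
    # usage: python check_headers.py HOST PORT USER PASSWORD [--insecure]
    host, port, user, pw = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    status, hdrs = post_login(host, port, user, pw, "--insecure" not in sys.argv)
    missing = missing_security_headers(hdrs)
    print(f"HTTP {status}; missing headers: {missing or 'none'}")
    sys.exit(1 if missing else 0)
```

Run it against the Drillbit with the account used in step 1; a non-zero exit with the four names listed reproduces the "actual result" of the report, and an empty list is the "expected result". Only header names are compared, so a value typo in the configuration is not caught; extend the comparison to values if that matters in your deployment.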