Posted to dev@ambari.apache.org by Tom Beerbower <tb...@hortonworks.com> on 2015/05/14 15:22:07 UTC
Review Request 34212: Set HttpOnly and Secure flags for Ambari session cookies
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/34212/
-----------------------------------------------------------
Review request for Ambari, Jonathan Hurley and Nate Cole.
Bugs: AMBARI-11129
https://issues.apache.org/jira/browse/AMBARI-11129
Repository: ambari
Description
-------
Ambari should set the following flags for session cookies.
1) https://www.owasp.org/index.php/HttpOnly
2) https://www.owasp.org/index.php/SecureFlag
SecureFlag only needs to be set when people configure for Ambari HTTPS.
Requires changing to servlet 3.0 and Jetty 8.
Diffs
-----
ambari-project/pom.xml 378a998
ambari-server/pom.xml 8efd1ec
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariHandlerList.java 4207007
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 77f6d2c
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariSessionManager.java 721d95b
ambari-server/src/main/java/org/apache/ambari/server/controller/ControllerModule.java 432e41a
ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariHandlerListTest.java afad6ce
ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariServerTest.java 484f398
ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariSessionManagerTest.java 058baa1
Diff: https://reviews.apache.org/r/34212/diff/
Testing
-------
Manually tested.
Added new unit tests.
mvn clean test
Thanks,
Tom Beerbower
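
The change this request describes, written against the standard Servlet 3.0 API as an added example (it is not code from the Ambari patch). The listener class name and the `example.https.enabled` init parameter are hypothetical.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/**
 * Added example, not Ambari's code: sets the session cookie flags through
 * SessionCookieConfig, which was introduced in Servlet 3.0 and is the
 * reason the request needs the servlet and Jetty upgrade.
 */
@WebListener
public class SessionCookieFlagsListener implements ServletContextListener {

  // Hypothetical context init parameter that says whether the server is
  // configured for HTTPS; the real Ambari setting is not shown on this page.
  static final String HTTPS_ENABLED_PARAM = "example.https.enabled";

  @Override
  public void contextInitialized(ServletContextEvent event) {
    ServletContext context = event.getServletContext();
    boolean httpsEnabled =
        Boolean.parseBoolean(context.getInitParameter(HTTPS_ENABLED_PARAM));
    // Must run during context initialization: the setters throw
    // IllegalStateException once the context has been initialized.
    applyFlags(context.getSessionCookieConfig(), httpsEnabled);
  }

  static void applyFlags(SessionCookieConfig cookieConfig, boolean httpsEnabled) {
    // HttpOnly is always set, so page scripts cannot read the session id.
    cookieConfig.setHttpOnly(true);
    // Secure is set only when HTTPS is configured. A browser never sends a
    // Secure cookie over plain HTTP, so enabling it on an HTTP-only
    // deployment would lose the session on every request.
    cookieConfig.setSecure(httpsEnabled);
  }

  @Override
  public void contextDestroyed(ServletContextEvent event) {
    // Nothing to release.
  }
}
```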
Re: Review Request 34212: Set HttpOnly and Secure flags for Ambari session cookies
Posted by Tom Beerbower <tb...@hortonworks.com>.
> On May 14, 2015, 4:06 p.m., Jonathan Hurley wrote:
> > ambari-project/pom.xml, line 237
> > <https://reviews.apache.org/r/34212/diff/1/?file=959251#file959251line237>
> >
> > Any reason we didn't go right to 9?
Thanks for reviewing!
I thought about it but decided that making a smaller jump would involve fewer changes and be less risky.
- Tom
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/34212/#review83781
-----------------------------------------------------------
Re: Review Request 34212: Set HttpOnly and Secure flags for Ambari session cookies
Posted by Jonathan Hurley <jh...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/34212/#review83781
-----------------------------------------------------------
Ship it!
ambari-project/pom.xml
<https://reviews.apache.org/r/34212/#comment134844>
Any reason we didn't go right to 9?
- Jonathan Hurley