
AMBARI-13304. Add security-related HTTP headers to Views to keep Ambari up to date with best-practices (rlevas)

Robert Levas 10 years ago
parent
commit
2765b52d8b

+ 8 - 0
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariHandlerList.java

@@ -20,6 +20,7 @@ package org.apache.ambari.server.controller;
 import org.apache.ambari.server.api.AmbariPersistFilter;
 import org.apache.ambari.server.orm.entities.ViewEntity;
 import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
+import org.apache.ambari.server.security.SecurityHeaderFilter;
 import org.apache.ambari.server.view.ViewContextImpl;
 import org.apache.ambari.server.view.ViewInstanceHandlerList;
 import org.apache.ambari.server.view.ViewRegistry;
@@ -93,6 +94,12 @@ public class AmbariHandlerList extends HandlerCollection implements ViewInstance
   @Inject
   DelegatingFilterProxy springSecurityFilter;
 
+  /**
+   * The security header filter - conditionlly adds security-related headers to the HTTP response.
+   */
+  @Inject
+  SecurityHeaderFilter securityHeaderFilter;
+
   /**
    * Mapping of view instance entities to handlers.
    */
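Review bot: The Javadoc on the new `securityHeaderFilter` field misspells "conditionally" and does not say what the condition is. Suggested wording: `The security header filter - conditionally adds security-related headers to the HTTP response.`, followed by one sentence naming the setting or request property that decides whether headers are emitted. SecurityHeaderFilter itself is not part of this diff, so the condition cannot be stated from here. An operator reading this class should be able to tell when view responses are expected to go out without the headers.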
@@ -234,6 +241,7 @@ public class AmbariHandlerList extends HandlerCollection implements ViewInstance
     webAppContext.setClassLoader(viewInstanceDefinition.getViewEntity().getClassLoader());
     webAppContext.setAttribute(ViewContext.CONTEXT_ATTRIBUTE, new ViewContextImpl(viewInstanceDefinition, viewRegistry));
     webAppContext.setSessionHandler(new SharedSessionHandler(sessionManager));
+    webAppContext.addFilter(new FilterHolder(securityHeaderFilter), "/*", AmbariServer.DISPATCHER_TYPES);
     webAppContext.addFilter(new FilterHolder(persistFilter), "/*", AmbariServer.DISPATCHER_TYPES);
     webAppContext.addFilter(new FilterHolder(springSecurityFilter), "/*", AmbariServer.DISPATCHER_TYPES);
 
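Review bot: The position of the added `addFilter` line is security-relevant but nothing documents it. The header filter is registered ahead of `persistFilter` and `springSecurityFilter`, which presumably is what lets responses that Spring Security short-circuits (authentication failures, redirects) still carry the headers. A comment such as `// Keep first: responses rejected by later filters must still receive the security headers` would stop a later reorder from silently dropping them. Because these contexts serve view-supplied content, it is also worth confirming that a view's own servlet cannot overwrite or clear the headers after the filter has set them; that depends on SecurityHeaderFilter, which is not shown here. The enclosing method starts and ends outside the hunk.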

+ 6 - 0
ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariHandlerListTest.java

@@ -22,6 +22,7 @@ import org.apache.ambari.server.api.AmbariPersistFilter;
 import org.apache.ambari.server.orm.entities.ViewEntity;
 import org.apache.ambari.server.orm.entities.ViewInstanceEntity;
 import org.apache.ambari.server.orm.entities.ViewInstanceEntityTest;
+import org.apache.ambari.server.security.SecurityHeaderFilter;
 import org.apache.ambari.server.view.ViewRegistry;
 import org.easymock.Capture;
 import org.eclipse.jetty.server.Handler;
@@ -51,6 +52,7 @@ import static org.easymock.EasyMock.verify;
  */
 public class AmbariHandlerListTest {
 
+  private final SecurityHeaderFilter securityHeaderFilter = createNiceMock(SecurityHeaderFilter.class);
   private final AmbariPersistFilter persistFilter = createNiceMock(AmbariPersistFilter.class);
   private final DelegatingFilterProxy springSecurityFilter = createNiceMock(DelegatingFilterProxy.class);
 
@@ -66,9 +68,11 @@ public class AmbariHandlerListTest {
     expect(handler.getServer()).andReturn(server);
     handler.setServer(null);
 
+    Capture<FilterHolder> securityHeaderFilterCapture = new Capture<FilterHolder>();
     Capture<FilterHolder> persistFilterCapture = new Capture<FilterHolder>();
     Capture<FilterHolder> securityFilterCapture = new Capture<FilterHolder>();
 
+    handler.addFilter(capture(securityHeaderFilterCapture), eq("/*"), eq(AmbariServer.DISPATCHER_TYPES));
     handler.addFilter(capture(persistFilterCapture), eq("/*"), eq(AmbariServer.DISPATCHER_TYPES));
     handler.addFilter(capture(securityFilterCapture), eq("/*"), eq(AmbariServer.DISPATCHER_TYPES));
 
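Review bot: The three recorded `handler.addFilter(...)` expectations use identical matchers, so which capture receives which holder depends on call order, and nothing in the test says so. The `assertEquals` on `securityHeaderFilterCapture` in the next hunk therefore appears to be the only check that the header filter is registered before the Spring Security filter. A comment above the first expectation, e.g. `// Order matters: captures are filled in call order, so this pins securityHeaderFilter as the first filter in the chain`, would make that intent explicit. If `handler` is not already created as a strict mock (its creation is outside this hunk), stating the ordering requirement directly would be more robust than relying on how captures are consumed.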
@@ -82,6 +86,7 @@ public class AmbariHandlerListTest {
 
     Assert.assertTrue(handlers.contains(handler));
 
+    Assert.assertEquals(securityHeaderFilter, securityHeaderFilterCapture.getValue().getFilter());
     Assert.assertEquals(persistFilter, persistFilterCapture.getValue().getFilter());
     Assert.assertEquals(springSecurityFilter, securityFilterCapture.getValue().getFilter());
 
@@ -155,6 +160,7 @@ public class AmbariHandlerListTest {
     AmbariHandlerList handlerList = new AmbariHandlerList();
 
     handlerList.webAppContextProvider = new HandlerProvider(handler);
+    handlerList.securityHeaderFilter = securityHeaderFilter;
     handlerList.persistFilter = persistFilter;
     handlerList.springSecurityFilter = springSecurityFilter;