
AMBARI-3766. Make backend changes for CSRF prevention. (mpapirkovskyy)

Myroslav Papirkovskyy 11 years ago
parent
commit
2dc3e3e91d

+ 11 - 0
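--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -57,6 +57,7 @@ public class Configuration {
   public static final String BOOTSTRAP_MASTER_HOSTNAME = "bootstrap.master_host_name";
   public static final String API_AUTHENTICATE = "api.authenticate";
   public static final String API_USE_SSL = "api.ssl";
+  public static final String API_CSRF_PREVENTION_KEY = "api.csrfPrevention.enabled";
   public static final String SRVR_TWO_WAY_SSL_KEY = "security.server.two_way_ssl";
   public static final String SRVR_TWO_WAY_SSL_PORT_KEY = "security.server.two_way_ssl.port";
   public static final String SRVR_ONE_WAY_SSL_PORT_KEY = "security.server.one_way_ssl.port";
@@ -198,6 +199,8 @@ public class Configuration {
   public static final String CLIENT_API_SSL_KEY_NAME_DEFAULT = "https.key";
   public static final String CLIENT_API_SSL_CRT_NAME_DEFAULT = "https.crt";
 
+  private static final String API_CSRF_PREVENTION_DEFAULT = "false"; //TODO should be set to true for release
+
   private static final String SRVR_CRT_PASS_FILE_DEFAULT ="pass.txt";
   private static final String SRVR_CRT_PASS_LEN_DEFAULT = "50";
   private static final String PASSPHRASE_ENV_DEFAULT = "AMBARI_PASSPHRASE";
@@ -493,6 +496,14 @@ public class Configuration {
     return configsMap;
   }
 
+  /**
+   * Checks if CSRF protection enabled
+   * @return true if CSRF protection filter should be enabled
+   */
+  public boolean csrfProtectionEnabled() {
+    return "true".equalsIgnoreCase(properties.getProperty(API_CSRF_PREVENTION_KEY, API_CSRF_PREVENTION_DEFAULT));
+  }
+
   /**
    * Gets client security type
    * @return appropriate ClientSecurityType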
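Review bot: The default `API_CSRF_PREVENTION_DEFAULT = "false"` in the second hunk ships the REST API with CSRF prevention off unless an operator explicitly sets `api.csrfPrevention.enabled=true`, and a `//TODO` comment is an easy thing to lose before a release; the secure default is `private static final String API_CSRF_PREVENTION_DEFAULT = "true";`, with opt-out documented for clients that cannot send whatever request header the Jersey `CsrfProtectionFilter` wired in AmbariServer presumably requires. If the default must stay off for now to avoid breaking existing API clients, `csrfProtectionEnabled()` is the natural place to emit a startup warning when it returns false, so a production deployment does not run unprotected silently. The Javadoc on `csrfProtectionEnabled()` should also name the property and its accepted values, e.g. `Reads {@code api.csrfPrevention.enabled}; only a case-insensitive "true" enables the filter, any other or missing value disables it.`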

+ 4 - 2
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java

@@ -27,7 +27,6 @@ import java.util.Map;
 import org.apache.ambari.eventdb.webservice.WorkflowJsonService;
 import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.actionmanager.ActionManager;
-import org.apache.ambari.server.actionmanager.ExecutionCommandWrapper;
 import org.apache.ambari.server.agent.HeartBeatHandler;
 import org.apache.ambari.server.agent.rest.AgentResource;
 import org.apache.ambari.server.api.AmbariPersistFilter;
@@ -42,7 +41,6 @@ import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.configuration.ComponentSSLConfiguration;
 import org.apache.ambari.server.orm.GuiceJpaInitializer;
 import org.apache.ambari.server.orm.PersistenceType;
-import org.apache.ambari.server.orm.dao.HostRoleCommandDAO;
 import org.apache.ambari.server.orm.dao.MetainfoDAO;
 import org.apache.ambari.server.resources.ResourceManager;
 import org.apache.ambari.server.resources.api.rest.GetResource;
@@ -253,6 +251,10 @@ public class AmbariServer {
               "org.apache.ambari.server.api");
       sh.setInitParameter("com.sun.jersey.api.json.POJOMappingFeature",
           "true");
+      if (configs.csrfProtectionEnabled()) {
+        sh.setInitParameter("com.sun.jersey.spi.container.ContainerRequestFilters",
+            "com.sun.jersey.api.container.filter.CsrfProtectionFilter");
+      }
       root.addServlet(sh, "/api/v1/*");
       sh.setInitOrder(2);