accumulo-commits mailing list archives

From ctubb...@apache.org
Subject [1/7] accumulo git commit: ACCUMULO-4676 Use HTTPOnly flags in monitor
Date Wed, 05 Jul 2017 22:57:25 GMT
Repository: accumulo
Updated Branches:
  refs/heads/1.7 3d552ea41 -> 9e7e35842
  refs/heads/1.8 c78605dad -> fab55895a
  refs/heads/master 4cffe0290 -> e9573bf3b


ACCUMULO-4676 Use HTTPOnly flags in monitor

Add missing HTTPOnly flags on the JSESSIONID cookie in Monitor UI

This prevents certain kinds of XSS attacks by preventing
well-implemented browsers from allowing client-side code to access and
modify the JSESSIONID cookie.

This closes #278

Signed-off-by: Christopher Tubbs <ctubbsii@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo
Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/9e7e3584
Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/9e7e3584
Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/9e7e3584

Branch: refs/heads/1.7
Commit: 9e7e35842722b45b7bce0b13833d3dab0925e443
Parents: 3d552ea
Author: Toshihiro Suzuki <brfrn169@gmail.com>
Authored: Tue Jul 4 14:05:03 2017 +0900
Committer: Christopher Tubbs <ctubbsii@apache.org>
Committed: Wed Jul 5 18:29:02 2017 -0400

----------------------------------------------------------------------
 .../main/java/org/apache/accumulo/monitor/EmbeddedWebServer.java   | 2 ++
 1 file changed, 2 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/accumulo/blob/9e7e3584/server/monitor/src/main/java/org/apache/accumulo/monitor/EmbeddedWebServer.java
----------------------------------------------------------------------
diff --git a/server/monitor/src/main/java/org/apache/accumulo/monitor/EmbeddedWebServer.java
b/server/monitor/src/main/java/org/apache/accumulo/monitor/EmbeddedWebServer.java
index f0213e7..d57b751 100644
--- a/server/monitor/src/main/java/org/apache/accumulo/monitor/EmbeddedWebServer.java
+++ b/server/monitor/src/main/java/org/apache/accumulo/monitor/EmbeddedWebServer.java
@@ -82,6 +82,8 @@ public class EmbeddedWebServer {
     connector.setPort(port);
 
     handler = new ServletContextHandler(server, "/", new SessionHandler(), new ConstraintSecurityHandler(),
null, null);
+    handler.getSessionHandler().getSessionManager().getSessionCookieConfig().setHttpOnly(true);
+
     disableTrace("/");
   }
 
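Review bot: the added line sets HttpOnly on the session cookie but leaves the Secure attribute unset; the same javax.servlet.SessionCookieConfig object exposes setSecure(boolean), so when the connector configured just above (connector.setPort(port)) is a TLS connector the JSESSIONID cookie should also get setSecure(true), otherwise it is still sent over plaintext. Worth noting in the commit message as well that HttpOnly limits what an injected script can read (the cookie), it does not prevent the injection itself, so "prevents certain kinds of XSS attacks" overstates what the flag does. Minor style point: the chained getSessionHandler().getSessionManager().getSessionCookieConfig() call relies on the SessionManager that new SessionHandler() installs by default; pulling the SessionCookieConfig into a local variable would make that dependency explicit and leave room for the Secure setting.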

