ambari-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jonathanhur...@apache.org
Subject [04/11] ambari git commit: AMBARI-17311. Modify HTTP headers to follow best security practices (Sangeeta Ravindran via rlevas)
Date Tue, 11 Oct 2016 00:38:30 GMT
AMBARI-17311. Modify HTTP headers to follow best security practices (Sangeeta Ravindran via
rlevas)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/34c5686c
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/34c5686c
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/34c5686c

Branch: refs/heads/branch-feature-AMBARI-18456
Commit: 34c5686c3a0f80a5c7b78ddf05bb41cb13202438
Parents: a80c5a2
Author: Sangeeta Ravindran <sangeeta.e.ravindran@gmail.com>
Authored: Mon Oct 10 11:05:40 2016 -0400
Committer: Robert Levas <rlevas@hortonworks.com>
Committed: Mon Oct 10 11:09:58 2016 -0400

----------------------------------------------------------------------
 ambari-server/conf/unix/ambari.properties       |   6 +
 ambari-server/conf/windows/ambari.properties    |   6 +
 .../server/configuration/Configuration.java     | 135 +++++++++++++++++++
 .../security/AbstractSecurityHeaderFilter.java  |  43 ++++++
 .../AmbariServerSecurityHeaderFilter.java       |   3 +
 .../AmbariViewsSecurityHeaderFilter.java        |   3 +
 .../AbstractSecurityHeaderFilterTest.java       |  38 +++++-
 .../AmbariServerSecurityHeaderFilterTest.java   |   7 +
 .../AmbariViewsSecurityHeaderFilterTest.java    |   6 +
 9 files changed, 246 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/conf/unix/ambari.properties
----------------------------------------------------------------------
diff --git a/ambari-server/conf/unix/ambari.properties b/ambari-server/conf/unix/ambari.properties
index 4dcbe99..371653f 100644
--- a/ambari-server/conf/unix/ambari.properties
+++ b/ambari-server/conf/unix/ambari.properties
@@ -113,11 +113,17 @@ rolling.upgrade.skip.packages.prefixes=
 http.strict-transport-security=max-age=31536000
 http.x-xss-protection=1; mode=block
 http.x-frame-options=DENY
+http.x-content-type-options=nosniff
+http.cache-control=no-store
+http.pragma=no-cache
 
 # HTTP Header settings for Ambari Views
 views.http.strict-transport-security=max-age=31536000
 views.http.x-xss-protection=1; mode=block
 views.http.x-frame-options=SAMEORIGIN
+views.http.x-content-type-options=nosniff
+views.http.cache-control=no-store
+views.http.pragma=no-cache
 
 mpacks.staging.path=$ROOT/var/lib/ambari-server/resources/mpacks
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/conf/windows/ambari.properties
----------------------------------------------------------------------
diff --git a/ambari-server/conf/windows/ambari.properties b/ambari-server/conf/windows/ambari.properties
index 64cce3b..c1c0a99 100644
--- a/ambari-server/conf/windows/ambari.properties
+++ b/ambari-server/conf/windows/ambari.properties
@@ -93,10 +93,16 @@ ulimit.open.files=10000
 http.strict-transport-security=max-age=31536000
 http.x-xss-protection=1; mode=block
 http.x-frame-options=DENY
+http.x-content-type-options=nosniff
+http.cache-control=no-store
+http.pragma=no-cache
 
 # HTTP Header settings for Ambari Views
 views.http.strict-transport-security=max-age=31536000
 views.http.x-xss-protection=1; mode=block
 views.http.x-frame-options=SAMEORIGIN
+views.http.x-content-type-options=nosniff
+views.http.cache-control=no-store
+views.http.pragma=no-cache
 
 mpacks.staging.path=resources\\mpacks

http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
index 2e850ef..e976f45 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -2182,6 +2182,27 @@ public class Configuration {
       "http.x-xss-protection", "1; mode=block");
 
   /**
+   * The value that will be used to set the {@code X-Content-Type} HTTP response header.
+   */
+  @Markdown(description = "The value that will be used to set the `X-CONTENT-TYPE` HTTP response
header.")
+  public static final ConfigurationProperty<String> HTTP_X_CONTENT_TYPE_HEADER_VALUE
= new ConfigurationProperty<>(
+      "http.x-content-type-options", "nosniff");
+
+  /**
+   * The value that will be used to set the {@code Cache-Control} HTTP response header.
+   */
+  @Markdown(description = "The value that will be used to set the `Cache-Control` HTTP response
header.")
+  public static final ConfigurationProperty<String> HTTP_CACHE_CONTROL_HEADER_VALUE
= new ConfigurationProperty<>(
+      "http.cache-control", "no-store");
+
+  /**
+   * The value that will be used to set the {@code PRAGMA} HTTP response header.
+   */
+  @Markdown(description = "The value that will be used to set the `PRAGMA` HTTP response
header.")
+  public static final ConfigurationProperty<String> HTTP_PRAGMA_HEADER_VALUE = new
ConfigurationProperty<>(
+      "http.pragma", "no-cache");
+
+  /**
    * The value that will be used to set the {@code Strict-Transport-Security}
    * HTTP response header for Ambari View requests.
    */
@@ -2207,6 +2228,30 @@ public class Configuration {
       "views.http.x-xss-protection", "1; mode=block");
 
   /**
+   * The value that will be used to set the {@code X-Content-Type} HTTP response header.
+   * HTTP response header for Ambari View requests.
+   */
+  @Markdown(description = "The value that will be used to set the `X-CONTENT-TYPE` HTTP response
header for Ambari View requests.")
+  public static final ConfigurationProperty<String> VIEWS_HTTP_X_CONTENT_TYPE_HEADER_VALUE
= new ConfigurationProperty<>(
+      "views.http.x-content-type-options", "nosniff");
+
+  /**
+   * The value that will be used to set the {@code Cache-Control} HTTP response header.
+   * HTTP response header for Ambari View requests.
+   */
+  @Markdown(description = "The value that will be used to set the `Cache-Control` HTTP response
header for Ambari View requests.")
+  public static final ConfigurationProperty<String> VIEWS_HTTP_CACHE_CONTROL_HEADER_VALUE
= new ConfigurationProperty<>(
+      "views.http.cache-control", "no-store");
+
+  /**
+   * The value that will be used to set the {@code PRAGMA} HTTP response header.
+   * HTTP response header for Ambari View requests.
+   */
+  @Markdown(description = "The value that will be used to set the `PRAGMA` HTTP response
header for Ambari View requests.")
+  public static final ConfigurationProperty<String> VIEWS_HTTP_PRAGMA_HEADER_VALUE
= new ConfigurationProperty<>(
+      "views.http.pragma", "no-cache");
+
+  /**
    * The time, in milliseconds, that requests to connect to a URL to retrieve
    * Version Definition Files (VDF) will wait before being terminated.
    */
@@ -3284,6 +3329,51 @@ public class Configuration {
   }
 
   /**
+   * Get the value that should be set for the <code>X-Content-Type</code> HTTP
response header for Ambari Server UI.
+   * <p/>
+   * By default this will be <code>nosniff</code>. For example:
+   * <p/>
+   * <code>
+   * X-Content-Type: nosniff
+   * </code>
+   *
+   * @return the X-Content-Type value - null or "" indicates that the value is not set
+   */
+  public String getXContentTypeHTTPResponseHeader() {
+    return getProperty(HTTP_X_CONTENT_TYPE_HEADER_VALUE);
+  }
+
+  /**
+   * Get the value that should be set for the <code>Cache-Control</code> HTTP
response header for Ambari Server UI.
+   * <p/>
+   * By default this will be <code>no-store</code>. For example:
+   * <p/>
+   * <code>
+   * Cache-control: no-store
+   * </code>
+   *
+   * @return the Cache-Control value - null or "" indicates that the value is not set
+   */
+  public String getCacheControlHTTPResponseHeader() {
+    return getProperty(HTTP_CACHE_CONTROL_HEADER_VALUE);
+  }
+
+  /**
+   * Get the value that should be set for the <code>Pragma</code> HTTP response
header for Ambari Server UI.
+   * <p/>
+   * By default this will be <code>no-cache</code>. For example:
+   * <p/>
+   * <code>
+   * Pragma: no-cache
+   * </code>
+   *
+   * @return the Pragma value - null or "" indicates that the value is not set
+   */
+  public String getPragmaHTTPResponseHeader() {
+    return getProperty(HTTP_PRAGMA_HEADER_VALUE);
+  }
+
+  /**
    * Get the value that should be set for the <code>Strict-Transport-Security</code>
HTTP response header for Ambari Views.
    * <p/>
    * By default this will be <code>max-age=31536000; includeSubDomains</code>.
For example:
@@ -3331,6 +3421,51 @@ public class Configuration {
   }
 
   /**
+   * Get the value that should be set for the <code>X-Content-Type</code> HTTP
response header for Ambari Views.
+   * <p/>
+   * By default this will be <code>nosniff</code>. For example:
+   * <p/>
+   * <code>
+   * X-Content-Type: nosniff
+   * </code>
+   *
+   * @return the X-Content-Type value - null or "" indicates that the value is not set
+   */
+  public String getViewsXContentTypeHTTPResponseHeader() {
+    return getProperty(VIEWS_HTTP_X_CONTENT_TYPE_HEADER_VALUE);
+  }
+
+  /**
+   * Get the value that should be set for the <code>Cache-Control</code> HTTP
response header for Ambari Views.
+   * <p/>
+   * By default this will be <code>no-store</code>. For example:
+   * <p/>
+   * <code>
+   * Cache-control: no-store
+   * </code>
+   *
+   * @return the Cache-Control value - null or "" indicates that the value is not set
+   */
+  public String getViewsCacheControlHTTPResponseHeader() {
+    return getProperty(VIEWS_HTTP_CACHE_CONTROL_HEADER_VALUE);
+  }
+
+  /**
+   * Get the value that should be set for the <code>Pragma</code> HTTP response
header for Ambari Views.
+   * <p/>
+   * By default this will be <code>no-cache</code>. For example:
+   * <p/>
+   * <code>
+   * Pragma: no-cache
+   * </code>
+   *
+   * @return the Pragma value - null or "" indicates that the value is not set
+   */
+  public String getViewsPragmaHTTPResponseHeader() {
+    return getProperty(VIEWS_HTTP_PRAGMA_HEADER_VALUE);
+  }
+
+  /**
    * Check to see if the hostname of the agent is to be validated as a proper hostname or
not
    *
    * @return true if agent hostnames should be checked as a valid hostnames; otherwise false

http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java
b/ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java
index 05c9ecb..423a013 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java
@@ -53,6 +53,9 @@ public abstract class AbstractSecurityHeaderFilter implements Filter {
   protected final static String STRICT_TRANSPORT_HEADER = "Strict-Transport-Security";
   protected final static String X_FRAME_OPTIONS_HEADER = "X-Frame-Options";
   protected final static String X_XSS_PROTECTION_HEADER = "X-XSS-Protection";
+  protected final static String X_CONTENT_TYPE_HEADER = "X-Content-Type-Options";
+  protected final static String CACHE_CONTROL_HEADER = "Cache-Control";
+  protected final static String PRAGMA_HEADER = "Pragma";
 
   /**
    * The logger.
@@ -87,6 +90,19 @@ public abstract class AbstractSecurityHeaderFilter implements Filter {
    * The value for the X-XSS-Protection HTTP response header.
    */
   private String xXSSProtectionHeader = Configuration.HTTP_X_XSS_PROTECTION_HEADER_VALUE.getDefaultValue();
+  /**
+   * The value for the Content-Type HTTP response header.
+   */
+  private String xContentTypeHeader = Configuration.HTTP_X_CONTENT_TYPE_HEADER_VALUE.getDefaultValue();
+  /**
+   * The value for the Cache-control HTTP response header.
+   */
+  private String cacheControlHeader = Configuration.HTTP_CACHE_CONTROL_HEADER_VALUE.getDefaultValue();
+  /**
+   * The value for the Pragma HTTP response header.
+   */
+  private String pragmaHeader = Configuration.HTTP_PRAGMA_HEADER_VALUE.getDefaultValue();
+
 
   @Override
   public void init(FilterConfig filterConfig) throws ServletException {
@@ -141,6 +157,18 @@ public abstract class AbstractSecurityHeaderFilter implements Filter
{
     this.xXSSProtectionHeader = xXSSProtectionHeader;
   }
 
+  protected void setXContentTypeHeader(String xContentTypeHeader) {
+    this.xContentTypeHeader = xContentTypeHeader;
+  }
+
+  protected void setCacheControlHeader(String cacheControlHeader) {
+    this.cacheControlHeader = cacheControlHeader;
+  }
+
+  protected void setPragmaHeader(String pragmaHeader) {
+    this.pragmaHeader = pragmaHeader;
+  }
+
   private void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse)
{
     if (servletResponse instanceof HttpServletResponse) {
       HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
@@ -159,6 +187,21 @@ public abstract class AbstractSecurityHeaderFilter implements Filter
{
       if (!StringUtils.isEmpty(xXSSProtectionHeader)) {
         httpServletResponse.setHeader(X_XSS_PROTECTION_HEADER, xXSSProtectionHeader);
       }
+
+      // Conditionally set the X-Content-Type HTTP response header if a value is supplied
+      if (!StringUtils.isEmpty(xContentTypeHeader)) {
+        httpServletResponse.setHeader(X_CONTENT_TYPE_HEADER, xContentTypeHeader);
+      }
+
+      // Conditionally set the X-Cache-Control HTTP response header if a value is supplied
+      if (!StringUtils.isEmpty(cacheControlHeader)) {
+        httpServletResponse.setHeader(CACHE_CONTROL_HEADER, cacheControlHeader);
+      }
+
+      // Conditionally set the X-Pragma HTTP response header if a value is supplied
+      if (!StringUtils.isEmpty(pragmaHeader)) {
+        httpServletResponse.setHeader(PRAGMA_HEADER, pragmaHeader);
+      }
     }
   }
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java
b/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java
index b40953b..aa00ac2 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java
@@ -47,6 +47,9 @@ public class AmbariServerSecurityHeaderFilter extends AbstractSecurityHeaderFilt
     setStrictTransportSecurity(configuration.getStrictTransportSecurityHTTPResponseHeader());
     setxFrameOptionsHeader(configuration.getXFrameOptionsHTTPResponseHeader());
     setxXSSProtectionHeader(configuration.getXXSSProtectionHTTPResponseHeader());
+    setXContentTypeHeader(configuration.getXContentTypeHTTPResponseHeader());
+    setCacheControlHeader(configuration.getCacheControlHTTPResponseHeader());
+    setPragmaHeader(configuration.getPragmaHTTPResponseHeader());
   }
 
 }

http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java
b/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java
index 5bff4e3..d1be8cc 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java
@@ -43,5 +43,8 @@ public class AmbariViewsSecurityHeaderFilter extends AbstractSecurityHeaderFilte
     setStrictTransportSecurity(configuration.getViewsStrictTransportSecurityHTTPResponseHeader());
     setxFrameOptionsHeader(configuration.getViewsXFrameOptionsHTTPResponseHeader());
     setxXSSProtectionHeader(configuration.getViewsXXSSProtectionHTTPResponseHeader());
+    setXContentTypeHeader(configuration.getViewsXContentTypeHTTPResponseHeader());
+    setCacheControlHeader(configuration.getViewsCacheControlHTTPResponseHeader());
+    setPragmaHeader(configuration.getViewsPragmaHTTPResponseHeader());
   }
 }

http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java
index 7be70a3..d812ee6 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java
@@ -95,7 +95,13 @@ public abstract class AbstractSecurityHeaderFilterTest extends EasyMockSupport
{
     expectLastCall().once();
     servletResponse.setHeader(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER, defatulPropertyValueMap.get(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER));
     expectLastCall().once();
-
+    servletResponse.setHeader(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER, defatulPropertyValueMap.get(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER));
+    expectLastCall().once();
+    servletResponse.setHeader(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER, defatulPropertyValueMap.get(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER));
+    expectLastCall().once();        
+    servletResponse.setHeader(AbstractSecurityHeaderFilter.PRAGMA_HEADER, defatulPropertyValueMap.get(AbstractSecurityHeaderFilter.PRAGMA_HEADER));
+    expectLastCall().once();
+    
     FilterChain filterChain = createStrictMock(FilterChain.class);
     filterChain.doFilter(servletRequest, servletResponse);
     expectLastCall().once();
@@ -141,6 +147,12 @@ public abstract class AbstractSecurityHeaderFilterTest extends EasyMockSupport
{
     expectLastCall().once();
     servletResponse.setHeader(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER, defatulPropertyValueMap.get(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER));
     expectLastCall().once();
+    servletResponse.setHeader(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER, defatulPropertyValueMap.get(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER));
+    expectLastCall().once();
+    servletResponse.setHeader(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER, defatulPropertyValueMap.get(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER));
+    expectLastCall().once();
+    servletResponse.setHeader(AbstractSecurityHeaderFilter.PRAGMA_HEADER, defatulPropertyValueMap.get(AbstractSecurityHeaderFilter.PRAGMA_HEADER));
+    expectLastCall().once();
 
     FilterChain filterChain = createStrictMock(FilterChain.class);
     filterChain.doFilter(servletRequest, servletResponse);
@@ -171,6 +183,9 @@ public abstract class AbstractSecurityHeaderFilterTest extends EasyMockSupport
{
         properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.STRICT_TRANSPORT_HEADER),
"custom1");
         properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_FRAME_OPTIONS_HEADER),
"custom2");
         properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER),
"custom3");
+        properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER),
"custom4");
+        properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER),
"custom5");
+        properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.PRAGMA_HEADER),
"custom6");
 
         bind(OsFamily.class).toInstance(createNiceMock(OsFamily.class));
         bind(Configuration.class).toInstance(new Configuration(properties));
@@ -187,6 +202,12 @@ public abstract class AbstractSecurityHeaderFilterTest extends EasyMockSupport
{
     expectLastCall().once();
     servletResponse.setHeader(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER, "custom3");
     expectLastCall().once();
+    servletResponse.setHeader(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER, "custom4");
+    expectLastCall().once();
+    servletResponse.setHeader(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER, "custom5");
+    expectLastCall().once();
+    servletResponse.setHeader(AbstractSecurityHeaderFilter.PRAGMA_HEADER, "custom6");
+    expectLastCall().once();
 
     FilterChain filterChain = createStrictMock(FilterChain.class);
     filterChain.doFilter(servletRequest, servletResponse);
@@ -218,6 +239,9 @@ public abstract class AbstractSecurityHeaderFilterTest extends EasyMockSupport
{
         properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.STRICT_TRANSPORT_HEADER),
"custom1");
         properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_FRAME_OPTIONS_HEADER),
"custom2");
         properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER),
"custom3");
+        properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER),
"custom4");
+        properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER),
"custom5");
+        properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.PRAGMA_HEADER),
"custom6");
 
         bind(OsFamily.class).toInstance(createNiceMock(OsFamily.class));
         bind(Configuration.class).toInstance(new Configuration(properties));
@@ -236,6 +260,12 @@ public abstract class AbstractSecurityHeaderFilterTest extends EasyMockSupport
{
     expectLastCall().once();
     servletResponse.setHeader(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER, "custom3");
     expectLastCall().once();
+    servletResponse.setHeader(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER, "custom4");
+    expectLastCall().once();
+    servletResponse.setHeader(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER, "custom5");
+    expectLastCall().once();
+    servletResponse.setHeader(AbstractSecurityHeaderFilter.PRAGMA_HEADER, "custom6");
+    expectLastCall().once();
 
     FilterChain filterChain = createStrictMock(FilterChain.class);
     filterChain.doFilter(servletRequest, servletResponse);
@@ -266,6 +296,9 @@ public abstract class AbstractSecurityHeaderFilterTest extends EasyMockSupport
{
         properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.STRICT_TRANSPORT_HEADER),
"");
         properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_FRAME_OPTIONS_HEADER),
"");
         properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER),
"");
+        properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER),
"");
+        properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER),
"");
+        properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.PRAGMA_HEADER),
"");
 
         bind(OsFamily.class).toInstance(createNiceMock(OsFamily.class));
         bind(Configuration.class).toInstance(new Configuration(properties));
@@ -309,6 +342,9 @@ public abstract class AbstractSecurityHeaderFilterTest extends EasyMockSupport
{
         properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.STRICT_TRANSPORT_HEADER),
"");
         properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_FRAME_OPTIONS_HEADER),
"");
         properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER),
"");
+        properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER),
"");
+        properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER),
"");
+        properties.setProperty(propertyNameMap.get(AbstractSecurityHeaderFilter.PRAGMA_HEADER),
"");
 
         bind(OsFamily.class).toInstance(createNiceMock(OsFamily.class));
         bind(Configuration.class).toInstance(new Configuration(properties));

http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java
index 6537130..7fa2386 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java
@@ -40,12 +40,19 @@ public class AmbariServerSecurityHeaderFilterTest extends AbstractSecurityHeader
     map.put(AbstractSecurityHeaderFilter.STRICT_TRANSPORT_HEADER, Configuration.HTTP_STRICT_TRANSPORT_HEADER_VALUE.getKey());
     map.put(AbstractSecurityHeaderFilter.X_FRAME_OPTIONS_HEADER, Configuration.HTTP_X_FRAME_OPTIONS_HEADER_VALUE.getKey());
     map.put(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER, Configuration.HTTP_X_XSS_PROTECTION_HEADER_VALUE.getKey());
+    map.put(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER, Configuration.HTTP_X_CONTENT_TYPE_HEADER_VALUE.getKey());
+    map.put(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER, Configuration.HTTP_CACHE_CONTROL_HEADER_VALUE.getKey());
+    map.put(AbstractSecurityHeaderFilter.PRAGMA_HEADER, Configuration.HTTP_PRAGMA_HEADER_VALUE.getKey());
+
     PROPERTY_NAME_MAP = Collections.unmodifiableMap(map);
 
     map = new HashMap<String, String>();
     map.put(AbstractSecurityHeaderFilter.STRICT_TRANSPORT_HEADER, Configuration.HTTP_STRICT_TRANSPORT_HEADER_VALUE.getDefaultValue());
     map.put(AbstractSecurityHeaderFilter.X_FRAME_OPTIONS_HEADER, Configuration.HTTP_X_FRAME_OPTIONS_HEADER_VALUE.getDefaultValue());
     map.put(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER, Configuration.HTTP_X_XSS_PROTECTION_HEADER_VALUE.getDefaultValue());
+    map.put(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER, Configuration.HTTP_X_CONTENT_TYPE_HEADER_VALUE.getDefaultValue());
+    map.put(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER, Configuration.HTTP_CACHE_CONTROL_HEADER_VALUE.getDefaultValue());
+    map.put(AbstractSecurityHeaderFilter.PRAGMA_HEADER, Configuration.HTTP_PRAGMA_HEADER_VALUE.getDefaultValue());
     DEFAULT_PROPERTY_VALUE_MAP = Collections.unmodifiableMap(map);
   }
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/34c5686c/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java
index c9d7974..d699ae0 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java
@@ -41,12 +41,18 @@ public class AmbariViewsSecurityHeaderFilterTest extends AbstractSecurityHeaderF
     map.put(AbstractSecurityHeaderFilter.STRICT_TRANSPORT_HEADER, Configuration.VIEWS_HTTP_STRICT_TRANSPORT_HEADER_VALUE.getKey());
     map.put(AbstractSecurityHeaderFilter.X_FRAME_OPTIONS_HEADER, Configuration.VIEWS_HTTP_X_FRAME_OPTIONS_HEADER_VALUE.getKey());
     map.put(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER, Configuration.VIEWS_HTTP_X_XSS_PROTECTION_HEADER_VALUE.getKey());
+    map.put(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER, Configuration.VIEWS_HTTP_X_CONTENT_TYPE_HEADER_VALUE.getKey());
+    map.put(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER, Configuration.VIEWS_HTTP_CACHE_CONTROL_HEADER_VALUE.getKey());
+    map.put(AbstractSecurityHeaderFilter.PRAGMA_HEADER, Configuration.VIEWS_HTTP_PRAGMA_HEADER_VALUE.getKey());
     PROPERTY_NAME_MAP = Collections.unmodifiableMap(map);
 
     map = new HashMap<String, String>();
     map.put(AbstractSecurityHeaderFilter.STRICT_TRANSPORT_HEADER, Configuration.VIEWS_HTTP_STRICT_TRANSPORT_HEADER_VALUE.getDefaultValue());
     map.put(AbstractSecurityHeaderFilter.X_FRAME_OPTIONS_HEADER, Configuration.VIEWS_HTTP_X_FRAME_OPTIONS_HEADER_VALUE.getDefaultValue());
     map.put(AbstractSecurityHeaderFilter.X_XSS_PROTECTION_HEADER, Configuration.VIEWS_HTTP_X_XSS_PROTECTION_HEADER_VALUE.getDefaultValue());
+    map.put(AbstractSecurityHeaderFilter.X_CONTENT_TYPE_HEADER, Configuration.VIEWS_HTTP_X_CONTENT_TYPE_HEADER_VALUE.getDefaultValue());
+    map.put(AbstractSecurityHeaderFilter.CACHE_CONTROL_HEADER, Configuration.VIEWS_HTTP_CACHE_CONTROL_HEADER_VALUE.getDefaultValue());
+    map.put(AbstractSecurityHeaderFilter.PRAGMA_HEADER, Configuration.VIEWS_HTTP_PRAGMA_HEADER_VALUE.getDefaultValue());
     DEFAULT_PROPERTY_VALUE_MAP = Collections.unmodifiableMap(map);
   }
 


Mime
View raw message