Subject: Re: Review Request 39251: Security-related HTTP headers should be set separately for Ambari Views than for Ambari server UI
From: "Robert Levas"
To: "Sid Wagle", "Myroslav Papirkovskyy", "Sumit Mohanty", "Jonathan Hurley"
Cc: "Robert Levas", "Ambari"
Date: Tue, 13 Oct 2015 13:59:46 -0000
Message-ID: <20151013135946.1509.21510@reviews.apache.org>
In-Reply-To: <20151013003828.28636.88932@reviews.apache.org>
Reply-To: dev@ambari.apache.org
X-ReviewRequest-URL: https://reviews.apache.org/r/39251/
X-ReviewRequest-Repository: ambari
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/39251/
-----------------------------------------------------------

(Updated Oct. 13, 2015, 9:59 a.m.)

Review request for Ambari, Jonathan Hurley, Myroslav Papirkovskyy, Sumit Mohanty, and Sid Wagle.

Changes
-------

Fixed unit test issue.

Bugs: ABMARI-13351
    https://issues.apache.org/jira/browse/ABMARI-13351

Repository: ambari

Description
-------

The security-related HTTP headers should be set separately for the Ambari Views than for the Ambari server UI. This is because they have different requirements. For example, the Ambari server UI should not be allowed to execute in an iframe (by default), whereas an Ambari View must be able to execute in an iframe invoked from the same origin.

The relevant headers are:

- Strict-Transport-Security
- X-Frame-Options
- X-XSS-Protection

These headers should be configurable via ambari.properties such that they may be turned on or off, and set to some custom value. The default values for these headers should be as follows:

- Strict-Transport-Security: max-age=31536000
- X-Frame-Options: SAMEORIGIN
- X-XSS-Protection: 1; mode=block

Strict-Transport-Security should only be turned on if SSL is enabled.

The relevant Ambari properties should be:

- Strict-Transport-Security: views.http.strict-transport-security
- X-Frame-Options: views.http.x-frame-options
- X-XSS-Protection: views.http.x-xss-protection

By setting any of these to be empty, the header is to be turned off (or not set).
For example:

# Sets Strict-Transport-Security to a custom value
```
views.http.strict-transport-security=max-age=31536000; includeSubDomains
```

# Turns Strict-Transport-Security off
```
views.http.strict-transport-security=
```

Diffs (updated)
-----

  ambari-server/conf/unix/ambari.properties 68cbf65
  ambari-server/conf/windows/ambari.properties 6a98a63
  ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java c653e1b
  ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariHandlerList.java 1265b6a
  ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 5974494
  ambari-server/src/main/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilter.java PRE-CREATION
  ambari-server/src/main/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilter.java PRE-CREATION
  ambari-server/src/main/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilter.java PRE-CREATION
  ambari-server/src/main/java/org/apache/ambari/server/security/SecurityHeaderFilter.java a7479af
  ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariHandlerListTest.java a0cb8d0
  ambari-server/src/test/java/org/apache/ambari/server/security/AbstractSecurityHeaderFilterTest.java PRE-CREATION
  ambari-server/src/test/java/org/apache/ambari/server/security/AmbariServerSecurityHeaderFilterTest.java PRE-CREATION
  ambari-server/src/test/java/org/apache/ambari/server/security/AmbariViewsSecurityHeaderFilterTest.java PRE-CREATION
  ambari-server/src/test/java/org/apache/ambari/server/security/SecurityHeaderFilterTest.java 5e8d2af

Diff: https://reviews.apache.org/r/39251/diff/

Testing
-------

Manually tested

# Local test results: PASSED
# Jenkins test result: PENDING

Thanks,

Robert Levas
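The header-resolution rules the request describes (per-scope property keys, page defaults when a key is absent, an empty value turning the header off, and Strict-Transport-Security only under SSL), as an added Python example that is not Ambari's filter code. The `views.http.*` keys and defaults come from the request; the `http.*` prefix for the server UI scope and the sample properties fragment are assumptions of this example.

```python
# Added example: resolve the security response headers for one scope
# ("server" UI or "views") from ambari.properties-style text.

# Header defaults as stated in the review request.
DEFAULTS = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}

# Property-key prefix per scope. "views.http." is from the request;
# "http." for the server UI is an assumption of this example.
PREFIXES = {"server": "http.", "views": "views.http."}


def parse_properties(text):
    """Minimal .properties reader: key=value per line, '#' comments.
    Only the first '=' splits, so 'max-age=31536000' survives as a value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve_security_headers(props, scope, ssl_enabled):
    """Headers a filter for `scope` should set on every response.
    Absent key -> default; present-but-empty key -> header not set;
    Strict-Transport-Security is never emitted when SSL is off."""
    prefix = PREFIXES[scope]
    headers = {}
    for name, default in DEFAULTS.items():
        value = props.get(prefix + name.lower(), default)
        if not value:
            continue  # explicitly turned off in ambari.properties
        if name == "Strict-Transport-Security" and not ssl_enabled:
            continue  # HSTS only makes sense over HTTPS
        headers[name] = value
    return headers


# Constructed sample fragment: custom HSTS for Views, framing header turned off.
SAMPLE_PROPERTIES = """\
# constructed ambari.properties fragment (not from a real deployment)
views.http.strict-transport-security=max-age=31536000; includeSubDomains
views.http.x-frame-options=
"""

if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for scope in PREFIXES:
        print(scope, resolve_security_headers(props, scope, ssl_enabled=True))
```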