hadoop-common-issues mailing list archives

From "Juan Yu (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-10710) hadoop.auth cookie is not properly constructed according to RFC2109
Date Wed, 18 Jun 2014 04:46:12 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-10710?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Juan Yu updated HADOOP-10710:
-----------------------------

    Attachment: HADOOP-10710.001.patch

I use the HttpCookie class to get the cookie string so it will be quoted properly, then still
manually construct the whole cookie so we can keep both the Secure and HttpOnly flags. The Cookie
class doesn't support the HttpOnly flag.
I think there is a bug in the HttpCookie class: it doesn't remove the double quotes for an empty token
when calling HttpCookie#getValue(), so I handle the empty token separately.

> hadoop.auth cookie is not properly constructed according to RFC2109
> -------------------------------------------------------------------
>
>                 Key: HADOOP-10710
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10710
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.4.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Juan Yu
>         Attachments: HADOOP-10710.001.patch
>
>
> It seems that HADOOP-10379 introduced a bug in how hadoop.auth cookies are being constructed.
> Before HADOOP-10379, cookies were constructed using the Servlet {{Cookie}} class and the corresponding
> {{HttpServletResponse}} methods. This took care of setting attributes like 'Version=1'
> and double-quoting the cookie value if necessary.
> HADOOP-10379 changed the cookie creation to use a {{StringBuilder}} and set values
> and attributes by hand. This does not take care of setting required attributes like Version
> or of escaping the cookie value.
> While this is not breaking HadoopAuth {{AuthenticatedURL}} access, it is breaking access
> done using {{HttpClient}}. I.e. Solr uses HttpClient and its access has been broken since this
> change.
> It seems that HADOOP-10379's main objective was to set the 'secure' attribute. Note this
> can be done using the {{Cookie}} API.
> We should revert the cookie creation logic to use the {{Cookie}} API and take care of
> the security flag via {{setSecure(boolean)}}.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
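Added example, not part of the JIRA thread and not Hadoop's code: a small Java class that assembles the hadoop.auth Set-Cookie header by hand the way the comment above describes (Version=1, RFC 2109 quoting of the value, Secure and HttpOnly), beside the unquoted, version-less form the report complains about, and round-trips the result through java.net.HttpCookie.parse as an offline check. The cookie name hadoop.auth comes from the issue; the class and method names and the sample token string are constructed for this example and are not Hadoop identifiers. The HttpOnly check needs Java 7 or later (HttpCookie.isHttpOnly()).

```java
import java.net.HttpCookie;
import java.util.List;

// Example code (not Hadoop's): hand-built RFC 2109 Set-Cookie header with
// Secure and HttpOnly, for a servlet Cookie API that has no HttpOnly setter.
public class AuthCookieHeaderExample {

    static final String COOKIE_NAME = "hadoop.auth";

    // RFC 2109 reuses the RFC 2068 "token" rule: 1*<any CHAR except CTLs or tspecials>.
    private static final String TSPECIALS = "()<>@,;:\\\"/[]?={} \t";

    static boolean isToken(String s) {
        if (s.isEmpty()) {
            return false;              // an empty value has to be written as ""
        }
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c <= 0x1F || c >= 0x7F || TSPECIALS.indexOf(c) >= 0) {
                return false;
            }
        }
        return true;
    }

    // Emit the value as a bare token when it is one, otherwise as a
    // quoted-string with '"' and '\' escaped as quoted-pairs.
    static String quoteIfNeeded(String value) {
        if (isToken(value)) {
            return value;
        }
        StringBuilder sb = new StringBuilder("\"");
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '"' || c == '\\') {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.append('"').toString();
    }

    // The shape the report complains about: raw value, no Version attribute.
    static String brokenHeader(String token, boolean secure) {
        StringBuilder sb = new StringBuilder(COOKIE_NAME).append('=').append(token);
        if (secure) {
            sb.append("; Secure");
        }
        return sb.append("; HttpOnly").toString();
    }

    // The corrected shape: quoted value, Version=1, Secure on request, HttpOnly always.
    static String header(String token, String domain, String path, boolean secure) {
        StringBuilder sb = new StringBuilder(COOKIE_NAME).append('=')
                .append(quoteIfNeeded(token)).append("; Version=1");
        if (path != null) {
            sb.append("; Path=").append(quoteIfNeeded(path));
        }
        if (domain != null) {
            sb.append("; Domain=").append(quoteIfNeeded(domain));
        }
        if (secure) {
            sb.append("; Secure");
        }
        return sb.append("; HttpOnly").toString();
    }

    public static void main(String[] args) {
        // Constructed sample token: real ones are longer but share the "k=v&k=v"
        // shape, and '=', '@' and '/' are all tspecials that force quoting.
        String token = "u=alice&p=alice@EXAMPLE.COM&t=kerberos&e=1403068000000&s=Zm9v/YmFy=";
        String fixed = header(token, null, "/", true);

        System.out.println("broken: " + brokenHeader(token, true));
        System.out.println("fixed:  " + fixed);

        // java.net.HttpCookie follows the RFC 2109/2965 parsing rules, which makes
        // it a convenient offline check that a Version=1 client reads the value back.
        List<HttpCookie> parsed = HttpCookie.parse("Set-Cookie: " + fixed);
        HttpCookie c = parsed.get(0);
        System.out.println("value round-trips: " + token.equals(c.getValue()));
        System.out.println("version=" + c.getVersion() + " secure=" + c.getSecure()
                + " httpOnly=" + c.isHttpOnly());

        // The comment above reports that getValue() keeps the quotes for an empty
        // value; print what this JDK does so the special case can be seen.
        HttpCookie empty = HttpCookie.parse("Set-Cookie: " + header("", null, "/", true)).get(0);
        System.out.println("empty value parses as: [" + empty.getValue() + "]");
    }
}
```

The broken form leaves '=' and '@' unquoted inside the value, which RFC 2109 does not allow in a token; the fixed form quotes the value and declares Version=1 so that a strict client knows which grammar applies, while still emitting both flags that the servlet Cookie class of that era could not set together.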
