hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "nijel (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-11677) Missing secure session attributed for log and static contexts
Date Thu, 05 Mar 2015 10:03:38 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-11677?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

nijel updated HADOOP-11677:
---------------------------
    Attachment: 001-HADOOP-11677.patch

attaching the patch with the change.
Please review if the change make sense.

> Missing secure session attributed for log and static contexts
> -------------------------------------------------------------
>
>                 Key: HADOOP-11677
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11677
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: nijel
>            Assignee: nijel
>         Attachments: 001-HADOOP-11677.patch
>
>
> In HTTPServer2.java for the default context the secure attributes are set.
> {code}
> SessionManager sm = webAppContext.getSessionHandler().getSessionManager();
>     if (sm instanceof AbstractSessionManager) {
>       AbstractSessionManager asm = (AbstractSessionManager)sm;
>       asm.setHttpOnly(true);
>       asm.setSecureCookies(true);
>     }
> {code}
> But when the contexts are created for /logs and /static, new contexts are created and
the session handler is assigned as null. 
> Here also the secure attributes needs to be set.
> Is it not done intentionally ? please give your thought
> Background 
> trying to add login action for HTTP pages. After this when security test tool is used,
it reports error for these 2 urls (/logs and /static).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message