From sp...@apache.org
Subject sentry git commit: SENTRY-2068: Disable HTTP TRACE method from the Sentry Web Server (Sergio Pena, reviewed by Alexander Kolbasov, Na Li)
Date Wed, 22 Nov 2017 21:18:58 GMT
Repository: sentry
Updated Branches:
  refs/heads/master 03a872923 -> 6f398378c


SENTRY-2068: Disable HTTP TRACE method from the Sentry Web Server (Sergio Pena, reviewed by
Alexander Kolbasov, Na Li)


Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/6f398378
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/6f398378
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/6f398378

Branch: refs/heads/master
Commit: 6f398378c549e0aa0f681a538d575510694d39ad
Parents: 03a8729
Author: Sergio Pena <sergio.pena@cloudera.com>
Authored: Wed Nov 22 15:18:26 2017 -0600
Committer: Sergio Pena <sergio.pena@cloudera.com>
Committed: Wed Nov 22 15:18:26 2017 -0600

----------------------------------------------------------------------
 .../db/service/thrift/SentryWebServer.java      | 31 +++++++++++++++++++-
 .../thrift/TestSentryWebServerWithKerberos.java |  8 +++++
 .../thrift/TestSentryWebServerWithSSL.java      | 12 ++++++++
 .../TestSentryWebServerWithoutSecurity.java     |  8 +++++
 4 files changed, 58 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/sentry/blob/6f398378/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryWebServer.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryWebServer.java
b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryWebServer.java
index 95b87ad..0e1f97e 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryWebServer.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryWebServer.java
@@ -39,6 +39,8 @@ import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
 import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.eclipse.jetty.security.ConstraintMapping;
+import org.eclipse.jetty.security.ConstraintSecurityHandler;
 import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.Handler;
 import org.eclipse.jetty.server.HttpConfiguration;
@@ -54,6 +56,7 @@ import org.eclipse.jetty.servlet.FilterHolder;
 import org.eclipse.jetty.servlet.ServletContextHandler;
 import org.eclipse.jetty.servlet.ServletHolder;
 import org.eclipse.jetty.util.resource.Resource;
+import org.eclipse.jetty.util.security.Constraint;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -154,7 +157,33 @@ public class SentryWebServer {
       filterHolder.setInitParameters(loadWebAuthenticationConf(conf));
     }
 
-    server.setHandler(contextHandlerCollection);
+    server.setHandler(disableTraceMethod(contextHandlerCollection));
+  }
+
+  /**
+   * Disables the HTTP TRACE method request which leads to Cross-Site Tracking (XST) problems.
+   *
+   * To disable it, we need to wrap the Handler (which has the HTTP TRACE enabled) with
+   * a constraint that denies access to the HTTP TRACE method.
+   *
+   * @param handler The Handler which has the HTTP TRACE enabled.
+   * @return A new Handler wrapped with the HTTP TRACE constraint and the Handler passed
as parameter.
+   */
+  private Handler disableTraceMethod(Handler handler) {
+    Constraint disableTraceConstraint = new Constraint();
+    disableTraceConstraint.setName("Disable TRACE");
+    disableTraceConstraint.setAuthenticate(true);
+
+    ConstraintMapping mapping = new ConstraintMapping();
+    mapping.setConstraint(disableTraceConstraint);
+    mapping.setMethod("TRACE");
+    mapping.setPathSpec("/");
+
+    ConstraintSecurityHandler constraintSecurityHandler = new ConstraintSecurityHandler();
+    constraintSecurityHandler.addConstraintMapping(mapping);
+    constraintSecurityHandler.setHandler(handler);
+
+    return constraintSecurityHandler;
   }
 
   public void start() throws Exception{
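Review bot: The Javadoc at the top of `disableTraceMethod` calls the problem "Cross-Site Tracking (XST)", but the XST abbreviation stands for Cross-Site Tracing, so the first line should read `Disables the HTTP TRACE method, which can be abused for Cross-Site Tracing (XST).` The 403 the new tests expect is produced by `setAuthenticate(true)` with no roles assigned, which Jetty treats as a forbidden constraint (`Constraint.isForbidden()`) and rejects before any authenticator is consulted; that is not obvious from the three setter calls, so add `// authenticate=true with no roles is a "forbidden" constraint: TRACE gets 403 without an authenticator` above the `setAuthenticate` call. `mapping.setPathSpec("/")` appears to rely on Jetty treating a bare `/` as the default mapping that covers every path; `/*` states that server-wide intent explicitly and is what a reader expects for a deny rule. The method that calls `disableTraceMethod` starts before this hunk.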

http://git-wip-us.apache.org/repos/asf/sentry/blob/6f398378/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
index 09ee6b4..8062cb0 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
@@ -164,4 +164,12 @@ public class TestSentryWebServerWithKerberos extends SentryServiceIntegrationBas
       }
     });
   }
+
+  @Test
+  public void testTraceIsDisabled() throws Exception {
+    final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort);
+    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+    conn.setRequestMethod("TRACE");
+    Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());
+  }
 }
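Review bot: `testTraceIsDisabled` sends TRACE only to the root URL, so it does not show that the server-wide constraint also covers a sub-path the web server actually serves; a second request to the path the existing ping test in this class requests, with the same `HTTP_FORBIDDEN` assertion, would pin that. The same gap is in the identical tests added to TestSentryWebServerWithSSL and TestSentryWebServerWithoutSecurity, so one shared helper taking the base URL would cover all three. The enclosing class continues above this hunk.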

http://git-wip-us.apache.org/repos/asf/sentry/blob/6f398378/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithSSL.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithSSL.java
b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithSSL.java
index d1d0b4b..f921793 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithSSL.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithSSL.java
@@ -18,6 +18,7 @@
 package org.apache.sentry.provider.db.service.thrift;
 
 import com.google.common.io.Resources;
+import java.net.HttpURLConnection;
 import org.apache.commons.io.IOUtils;
 import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
 import org.junit.*;
@@ -49,4 +50,15 @@ public class TestSentryWebServerWithSSL extends SentryServiceIntegrationBase
{
     String response = IOUtils.toString(conn.getInputStream());
     Assert.assertEquals("pong\n", response);
   }
+
+  @Test
+  public void testTraceIsDisabled() throws Exception {
+    final URL url = new URL("https://"+ SERVER_HOST + ":" + webServerPort);
+    Properties systemProps = System.getProperties();
+    systemProps.put( "javax.net.ssl.trustStore", Resources.getResource("cacerts.jks").getPath());
+    System.setProperties(systemProps);
+    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+    conn.setRequestMethod("TRACE");
+    Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());
+  }
 }
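Review bot: The new test replaces the JVM-wide property table with `System.setProperties(systemProps)` after putting `javax.net.ssl.trustStore` into it and never restores the previous value, so the trust store setting leaks into every test that runs afterwards in the same JVM. `System.setProperty("javax.net.ssl.trustStore", Resources.getResource("cacerts.jks").getPath())` does the same job without reassigning the whole table, and the prior value should be saved and put back in an `@After` method. If the existing SSL test in this class already sets the property the same way, that setup belongs in a shared `@Before` rather than being repeated here.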

http://git-wip-us.apache.org/repos/asf/sentry/blob/6f398378/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithoutSecurity.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithoutSecurity.java
b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithoutSecurity.java
index 4a913e5..6dd1804 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithoutSecurity.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithoutSecurity.java
@@ -84,4 +84,12 @@ public class TestSentryWebServerWithoutSecurity extends SentryServiceIntegration
     String defaultResponse = IOUtils.toString(conn.getInputStream());
     Assert.assertEquals(xmlResponse, defaultResponse);
   }
+
+  @Test
+  public void testTraceIsDisabled() throws Exception {
+    final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort);
+    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+    conn.setRequestMethod("TRACE");
+    Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());
+  }
 }

