From 298b174f663a06e67098f7b5cd645769c1a98a80 Mon Sep 17 00:00:00 2001 From: Wangda Tan Date: Thu, 19 Oct 2017 14:44:42 -0700 Subject: [PATCH] YARN-7338. Support same origin policy for cross site scripting prevention. (Sunil G via wangda) --- .../apache/hadoop/yarn/webapp/WebApps.java | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApps.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApps.java index 9c5e8c3b81..4f1cacf3aa 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApps.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApps.java @@ -401,6 +401,7 @@ public class WebApps { WebApp webApp = build(webapp); HttpServer2 httpServer = webApp.httpServer(); if (ui2Context != null) { + addFiltersForNewContext(ui2Context); httpServer.addHandlerAtFront(ui2Context); } try { @@ -413,6 +414,27 @@ public class WebApps { return webApp; } + private void addFiltersForNewContext(WebAppContext ui2Context) { + Map params = getConfigParameters(csrfConfigPrefix); + + if (hasCSRFEnabled(params)) { + LOG.info("CSRF Protection has been enabled for the {} application. " + + "Please ensure that there is an authentication mechanism " + + "enabled (kerberos, custom, etc).", name); + String restCsrfClassName = RestCsrfPreventionFilter.class.getName(); + HttpServer2.defineFilter(ui2Context, restCsrfClassName, + restCsrfClassName, params, new String[]{"/*"}); + } + + params = getConfigParameters(xfsConfigPrefix); + + if (hasXFSEnabled()) { + String xfsClassName = XFrameOptionsFilter.class.getName(); + HttpServer2.defineFilter(ui2Context, xfsClassName, xfsClassName, params, + new String[]{"/*"}); + } + } + private String inferHostClass() { String thisClass = this.getClass().getName(); Throwable t = new Throwable();