Apache Drill / DRILL-7648

Scrypt j_security_check works without security headers


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.17.0
    • Fix Version/s: 1.18.0
    • Component/s: None
    • Labels:

      Description

      Preconditions:
      drill-override.conf

      drill.exec: {
        cluster-id: "drillbits1",
        zk.connect: "localhost:5181",
        impersonation: {
          enabled: true,
          max_chained_user_hops: 3
        },
        security: {
          auth.mechanisms: ["PLAIN"]
        },
        security.user.auth: {
          enabled: true,
          packages += "org.apache.drill.exec.rpc.user.security",
          impl: "pam4j",
          pam_profiles: [ "sudo", "login" ]
        },
        http: {
          ssl_enabled: true,
          jetty.server.response.headers: {
            "X-XSS-Protection": "1; mode=block",
            "X-Content-Type-Options": "nosniff",
            "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
            "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"
          }
        }
      }
      

      Steps:
      1. Log in to the drillbit web UI.
      2. In the browser developer tools, open the "Network" tab and select the request to https://node1.cluster.com:8047/j_security_check
      3. Check the "Response Headers" section.
      Expected result: the security headers are present.
      Actual result: the security headers are absent.

      4. Check the "Form Data" section.
      Expected result: the content of the "j_password" parameter is hidden.
      Actual result: the content of the "j_password" parameter is visible.
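      The response-header half of this report (steps 1 to 3) can be checked without a browser. The script below is an added example and is not part of DRILL-7648 or of the Apache Drill code base: it takes the header map from the drill-override.conf above as the expected set, compares it against every response in the login flow, and reports which requests lack which headers. The SAMPLE_FLOW responses are constructed to mirror the ticket's observation (headers on the page GET, none on the POST to /j_security_check), not captured from a real drillbit; fetch_headers is a helper for collecting real responses from a test cluster, and the hostname, port and credentials passed to it are placeholders.

```python
"""Check that every response in the Drill web UI login flow carries the
security headers configured under drill.exec.http.jetty.server.response.headers.

Added example for DRILL-7648; not code from the Apache Drill project.
"""
import http.client
import ssl
from urllib.parse import urlencode

# Header values copied from the drill-override.conf in the ticket.
EXPECTED_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000;includeSubDomains",
    "Content-Security-Policy": (
        "default-src https:; script-src 'unsafe-inline' https:; "
        "style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"
    ),
}


def missing_headers(response_headers, expected=EXPECTED_HEADERS):
    """Return the expected headers that are absent or carry a different value.

    Header names are compared case-insensitively, as HTTP requires.
    """
    present = {name.lower(): value for name, value in response_headers.items()}
    return {
        name: value
        for name, value in expected.items()
        if present.get(name.lower()) != value
    }


def audit_login_flow(responses, expected=EXPECTED_HEADERS):
    """Map each "METHOD /path" in the flow to the sorted list of headers it lacks.

    `responses` is a list of (method, path, status, headers) tuples, either
    copied from the browser's Network tab or collected with fetch_headers().
    Requests that carry every expected header are left out of the report.
    """
    report = {}
    for method, path, _status, headers in responses:
        gaps = missing_headers(headers, expected)
        if gaps:
            report[f"{method} {path}"] = sorted(gaps)
    return report


def fetch_headers(host, port, method, path, form=None, verify_tls=True):
    """Issue one HTTPS request to a live drillbit and return (status, headers).

    Not used by the offline check below. Against a test cluster, call e.g.
    fetch_headers("node1.cluster.com", 8047, "POST", "/j_security_check",
                  {"j_username": "user", "j_password": "secret"})
    (placeholder host and credentials) and feed the result into audit_login_flow.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for self-signed lab certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx)
    req_headers = {}
    body = None
    if form is not None:
        body = urlencode(form)  # Jetty form auth expects a URL-encoded POST body
        req_headers["Content-Type"] = "application/x-www-form-urlencoded"
    conn.request(method, path, body=body, headers=req_headers)
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    conn.close()
    return resp.status, headers


# Constructed sample of the login flow described in the ticket (not captured
# from a real drillbit): the login page carries the configured headers, the
# form POST to /j_security_check only carries the redirect and session cookie.
SAMPLE_FLOW = [
    ("GET", "/", 200,
     {**EXPECTED_HEADERS, "Content-Type": "text/html;charset=utf-8"}),
    ("POST", "/j_security_check", 302,
     {"Location": "https://node1.cluster.com:8047/",
      "Set-Cookie": "JSESSIONID=sample; Path=/; Secure; HttpOnly"}),
]

if __name__ == "__main__":
    for request, gaps in audit_login_flow(SAMPLE_FLOW).items():
        print(f"{request}: missing {', '.join(gaps)}")
```

      Run as-is it reports only "POST /j_security_check" with all four headers missing, which is the defect the ticket describes; after the fix the report should be empty for every request in the flow, including the redirect that j_security_check returns.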


              People

              • Assignee: Igor Guzenko (ihuzenko)
              • Reporter: Dmytro Kondriukov (dkondriukov)
              • Reviewer: Vova Vysotskyi