Hadoop Common / HADOOP-10379

Protect authentication cookies with the HttpOnly and Secure flags

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.4.0
    • Component/s: None
    • Labels: None
    • Hadoop Flags: Reviewed

      Description

      Browser vendors have adopted proposals to enhance the security of HTTP cookies. For example, the server can mark a cookie as Secure so that it is never transferred over plain-text HTTP, and it can mark a cookie as HttpOnly so that JavaScript cannot access that cookie.

      This jira proposes to adopt these flags in Hadoop to protect the HTTP cookie used for authentication purposes.
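      The two flags the description refers to, in an added Python example that is not Hadoop's own code: it hand-assembles the Set-Cookie header for the hadoop.auth cookie (the approach the thread below takes because a Servlet 2.5 container cannot emit HttpOnly) and audits a response header for both flags, including the failure mode where Secure is set by a plain-HTTP listener. The helper names and the sample token are assumptions; Python is used so the check runs against captured headers without a servlet container.

```python
"""Build and audit Set-Cookie headers for the hadoop.auth cookie.

Constructed example, not Hadoop's code: shows the header a hardened server
should emit and how to check a response for the HttpOnly/Secure flags.
"""
from typing import Dict, List, Optional, Tuple

COOKIE_NAME = "hadoop.auth"  # authentication cookie discussed in the thread


def build_auth_cookie_header(token: str, request_is_secure: bool,
                             path: str = "/", domain: Optional[str] = None) -> str:
    """Assemble the Set-Cookie value by hand.
    A Servlet 2.5 javax.servlet.http.Cookie has no HttpOnly setter, which is
    why the thread's v1 patch writes the header itself. Secure is added only
    for requests that arrived over TLS: a Secure cookie issued by a plain-HTTP
    listener is never returned by the browser, so logins silently break (the
    JSESSIONID concern raised in review).
    """
    parts = [f'{COOKIE_NAME}="{token}"', f"Path={path}"]
    if domain:
        parts.append(f"Domain={domain}")
    parts.append("HttpOnly")      # document.cookie cannot read it (XSS theft)
    if request_is_secure:
        parts.append("Secure")    # never transmitted over plain HTTP
    return "; ".join(parts)


def audit_set_cookie(header_value: str, scheme: str) -> Tuple[str, List[str]]:
    """Parse one Set-Cookie value; return (cookie name, list of findings).
    scheme is the URL scheme the response was fetched over ("http"/"https").
    Attribute names are compared case-insensitively, as browsers do.
    """
    pieces = [p.strip() for p in header_value.split(";") if p.strip()]
    name = pieces[0].split("=", 1)[0].strip()
    flags = {p.split("=", 1)[0].strip().lower() for p in pieces[1:]}
    findings: List[str] = []
    if "httponly" not in flags:
        findings.append("missing HttpOnly: script can read the cookie")
    if scheme == "https" and "secure" not in flags:
        findings.append("missing Secure: cookie may leak over plain HTTP")
    if scheme == "http" and "secure" in flags:
        findings.append("Secure on an http listener: browser will never return it")
    return name, findings


# Constructed sample headers; the token value is made up, not a credential.
SAMPLE_TOKEN = "u=alice&p=alice@EXAMPLE.COM&t=kerberos"
SAMPLE_HEADERS = {
    "before": f'{COOKIE_NAME}="{SAMPLE_TOKEN}"; Path=/',          # unprotected
    "after": build_auth_cookie_header(SAMPLE_TOKEN, request_is_secure=True),
}


def audit_samples() -> Dict[str, List[str]]:
    """Audit the samples as if fetched over https; returns {label: findings}."""
    return {label: audit_set_cookie(hdr, "https")[1]
            for label, hdr in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for label, findings in audit_samples().items():
        print(f"{label}: {findings or 'OK'}")
```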

      1. HADOOP-10379-branch-1.000.patch
        43 kB
        Haohui Mai
      2. HADOOP-10379.002.patch
        27 kB
        Haohui Mai
      3. HADOOP-10379.001.patch
        13 kB
        Haohui Mai
      4. HADOOP-10379.000.patch
        12 kB
        Haohui Mai

          Activity

          Jing Zhao added a comment -

          +1 pending Jenkins.

          Dilli Arumugam added a comment -

          Code review comment:

          comment 1:

          Context:
          + SessionManager sm = webAppContext.getSessionHandler().getSessionManager();
          + if (sm instanceof AbstractSessionManager)

          { + AbstractSessionManager asm = (AbstractSessionManager)sm; + asm.setHttpOnly(true); + asm.setSecureCookies(true); + }

          +
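          Review bot: the "if (sm instanceof AbstractSessionManager)" guard silently skips both flags when the configured session manager is any other implementation, so JSESSIONID would be served unprotected with nothing in the logs; add an else branch that logs a warning (or fails startup), and cover the flags with a test that reads the Set-Cookie header rather than the manager's getters. Note also that "asm.setSecureCookies(true)" is applied without regard to whether the connector is HTTPS, which is the question raised in the comment that follows.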

          Would this flag JSESSIONID secure even if the server is listening on HTTP (not HTTPS)?

          comment 2:

          Would it be better to have specific configuration properties, at least for hadoop.auth cookie, like the following:

          <property>
          <name>hadoop.http.authentication.cookie.secure</name>
          <value>false</value>
          <description>
          Should the authentication cookie be flagged as secure?
          </description>
          </property>

          <property>
          <name>hadoop.http.authentication.cookie.httponly</name>
          <value>false</value>
          <description>
          Should the authentication cookie be flagged as HttpOnly?
          </description>
          </property>

          The idea is backward compatibility with enough switches to secure the system.

          Haohui Mai added a comment -

          Comment 1: Please see http://docs.oracle.com/javaee/6/api/javax/servlet/SessionCookieConfig.html#setSecure(boolean)

          Comment 2: The configuration is unnecessary. There is no backward compatibility issue since (1) only the browser will respect the flag, and (2) any violations of the flags are security vulnerabilities.

          Dilli Arumugam added a comment -

          Thanks for the pointer to SessionCookieConfig javadoc.
          So, JSESSIONID would be marked secure even if the request was not on SSL?

          Haohui Mai added a comment -

          So, JSESSIONID would be marked secure even if the request was not on SSL?

          No

          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12632390/HADOOP-10379.000.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 1 new or modified test files.

          -1 javac. The patch appears to cause the build to fail.

          Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/3624//console

          This message is automatically generated.

          Haohui Mai added a comment -

          The v1 patch generates the cookie on its own. This is because servlet 2.5 does not support the HttpOnly flag. See HADOOP-9244 for more details.

          I've tested the patch on a secure cluster and it worked as expected.

          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12632586/HADOOP-10379.001.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 1 new or modified test files.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 javadoc. There were no new javadoc warning messages.

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          -1 findbugs. The patch appears to introduce 1 new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          -1 core tests. The patch failed these unit tests in hadoop-common-project/hadoop-auth hadoop-common-project/hadoop-common:

          org.apache.hadoop.security.authentication.server.TestAuthenticationFilter

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/3626//testReport/
          Findbugs warnings: https://builds.apache.org/job/PreCommit-HADOOP-Build/3626//artifact/trunk/patchprocess/newPatchFindbugsWarningshadoop-auth.html
          Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/3626//console

          This message is automatically generated.

          Haohui Mai added a comment -

          The v2 patch fixes the Findbugs warning and the unit test.

          Hadoop QA added a comment -

          +1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12632708/HADOOP-10379.002.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 2 new or modified test files.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 javadoc. There were no new javadoc warning messages.

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed unit tests in hadoop-common-project/hadoop-auth hadoop-common-project/hadoop-common.

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/3628//testReport/
          Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/3628//console

          This message is automatically generated.

          Jing Zhao added a comment -

          +1.

          Haohui Mai added a comment -

          I've committed the patch into trunk, branch-2, and branch-2.4. Thanks Jing Zhao for the review.

          Hudson added a comment -

          SUCCESS: Integrated in Hadoop-trunk-Commit #5264 (See https://builds.apache.org/job/Hadoop-trunk-Commit/5264/)
          HADOOP-10379. Protect authentication cookies with the HttpOnly and Secure flags. Contributed by Haohui Mai. (wheat9: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1574283)

          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpCookieFlag.java
          Hudson added a comment -

          SUCCESS: Integrated in Hadoop-Yarn-trunk #500 (See https://builds.apache.org/job/Hadoop-Yarn-trunk/500/)
          HADOOP-10379. Protect authentication cookies with the HttpOnly and Secure flags. Contributed by Haohui Mai. (wheat9: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1574283)

          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpCookieFlag.java
          Hudson added a comment -

          FAILURE: Integrated in Hadoop-Hdfs-trunk #1692 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/1692/)
          HADOOP-10379. Protect authentication cookies with the HttpOnly and Secure flags. Contributed by Haohui Mai. (wheat9: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1574283)

          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpCookieFlag.java
          Hudson added a comment -

          SUCCESS: Integrated in Hadoop-Mapreduce-trunk #1717 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1717/)
          HADOOP-10379. Protect authentication cookies with the HttpOnly and Secure flags. Contributed by Haohui Mai. (wheat9: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1574283)

          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpCookieFlag.java
          Haohui Mai added a comment - edited

          For the branch-1 patch, I've run the test-patch script and the patch passed all the unit tests.

          Jing Zhao added a comment -

          +1 for the branch-1 patch.

          Alejandro Abdelnur added a comment -

          This JIRA has introduced a regression: HADOOP-10710.


            People

            • Assignee: Haohui Mai
            • Reporter: Haohui Mai
            • Votes: 1
            • Watchers: 7