[HADOOP-12691] Add CSRF Filter for REST APIs to Hadoop Common - ASF JIRA

XML

Word

Printable

JSON

Details

Type: New Feature
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.8.0, 3.0.0-alpha1
Component/s: security
Labels:
None

Hadoop Flags:

Reviewed

Description

CSRF prevention for REST APIs can be provided through a common servlet filter. This filter would check for the existence of an expected (configurable) HTTP header - such as X-XSRF-Header.

The fact that CSRF attacks are entirely browser based means that the above approach can ensure that requests are coming from either: applications served by the same origin as the REST API or that there is explicit policy configuration that allows the setting of a header on XmlHttpRequest from another origin.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HADOOP-12691-003.patch
14/Jan/16 04:00
15 kB
Larry McCay
HADOOP-12691-002.patch
13/Jan/16 05:34
14 kB
Larry McCay
HADOOP-12691-001.patch
13/Jan/16 02:28
14 kB
Larry McCay
CSRFProtectionforRESTAPIs.pdf
10/Jan/16 22:13
111 kB
Larry McCay

Issue Links

is cloned by

HADOOP-13008 Add XFS Filter for UIs to Hadoop Common

Resolved

is related to

SPARK-15440 Add CSRF Filter for REST APIs to Spark

Resolved

HADOOP-12758 Extend CSRF Filter with UserAgent Checks

Resolved

relates to

HDFS-9711 Integrate CSRF prevention filter in WebHDFS.

Resolved

Activity

People

Assignee:: Larry McCay

Reporter:: Larry McCay

Votes:: 0 Vote for this issue

Watchers:: 13 Start watching this issue

Dates

Created:: 06/Jan/16 20:07

Updated:: 30/Aug/16 01:20

Resolved:: 14/Jan/16 20:01