[thxs ATM for point this one out]
Alfredo configuration currently is stored in the core-site.xml file, this file is readable by users (it must be as Configuration defaults must be loaded).
One of Alfredo config values is a secret which is used by all nodes to sign/verify the authentication cookie.
A user could get hold of this secret and forge authentication cookies for other users.
Because of this the Alfredo configuration, should be move to a user non-readable file.