diff --git a/hcatalog/webhcat/svr/src/main/config/webhcat-default.xml b/hcatalog/webhcat/svr/src/main/config/webhcat-default.xml
index fa8dbf8c9c..2de8525841 100644
--- a/hcatalog/webhcat/svr/src/main/config/webhcat-default.xml
+++ b/hcatalog/webhcat/svr/src/main/config/webhcat-default.xml
@@ -371,4 +371,12 @@ in all PUT/POST requests, and rejects requests that do not have these.
+
+ templeton.frame.options.filter
+ DENY
+
+ X-Frame-Options is added in HTTP response header with this value to prevent
+ clickjacking attacks. Possible values are DENY, SAMEORIGIN, ALLOW-FROM uri.
+
+
diff --git a/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/AppConfig.java b/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/AppConfig.java
index 0ea7d8828f..4232d4d58f 100644
--- a/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/AppConfig.java
+++ b/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/AppConfig.java
@@ -204,6 +204,7 @@ public static final String HIVE_EXTRA_FILES = "templeton.hive.extra.files";
 public static final String XSRF_FILTER_ENABLED = "templeton.xsrf.filter.enabled";
+ public static final String FRAME_OPTIONS_FILETER = "templeton.frame.options.filter";
 private static final Logger LOG = LoggerFactory.getLogger(AppConfig.class);
diff --git a/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/Main.java b/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/Main.java
index 3ed3ececcd..02b9db9e99 100644
--- a/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/Main.java
+++ b/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/Main.java
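Review bot: The description of the new `templeton.frame.options.filter` property lists `ALLOW-FROM uri` as a supported value, but that directive was never implemented by Chrome or Safari and has been removed from current Firefox, and a browser that does not recognise the directive ignores the whole header, so a deployment that picks it gets no framing protection in those browsers. The description should say so and point operators elsewhere, e.g. `ALLOW-FROM uri is obsolete in modern browsers; use SAMEORIGIN, or a Content-Security-Policy frame-ancestors directive set at the proxy, when framing must be permitted.` It would also help to state that the header is added unconditionally — the `root.addFilter(makeFrameOptionFilter(), ...)` call in Main.java has no switch equivalent to `templeton.xsrf.filter.enabled`.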
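Review bot: The new constant is misspelled — `FRAME_OPTIONS_FILETER` — and because it is `public static final` on AppConfig the typo becomes part of the class's API and is awkward to correct later; the same identifier is used three times in the Main.java hunk below. Rename it before it lands: `public static final String FRAME_OPTIONS_FILTER = "templeton.frame.options.filter";`. The property string itself is spelled correctly and matches webhcat-default.xml.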
@@ -53,7 +53,15 @@ import org.slf4j.bridge.SLF4JBridgeHandler;
 import javax.servlet.DispatcherType;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.annotation.WebFilter;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 /**
  * The main executable that starts up and runs the Server.
@@ -213,6 +221,8 @@ public Server runServer(int port)
 LOG.warn("XSRF filter disabled");
 }
+ root.addFilter(makeFrameOptionFilter(), "/" + SERVLET_PATH + "/*", dispatches);
+
 // Connect Jersey
 ServletHolder h = new ServletHolder(new ServletContainer(makeJerseyConfig()));
 root.addServlet(h, "/" + SERVLET_PATH + "/*");
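Review bot: `import javax.servlet.annotation.WebFilter;` is unused — the `XFrameOptionsFilter` class introduced later in this change is registered programmatically through a `FilterHolder` in `makeFrameOptionFilter()` and never carries the `@WebFilter` annotation, so the import should be dropped. The other new imports (`Filter`, `FilterChain`, `FilterConfig`, `ServletException`, `ServletRequest`, `ServletResponse`, `HttpServletResponse`) are all referenced by that class.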
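Review bot: `root.addFilter(makeFrameOptionFilter(), ...)` is registered after the XSRF filter and, judging by the surrounding code, after the auth filter from `makeAuthFilter()`; Jetty applies filters in the order they are added, so any response those earlier filters write themselves — an authentication challenge or an XSRF rejection — is sent before `XFrameOptionsFilter.doFilter` runs and goes out without `X-Frame-Options`. Registering the frame-options filter first lets the header reach every response for the servlet path, including those error responses, since `doFilter` sets it before calling `chain.doFilter`. `runServer` continues outside the hunk and the auth-filter registration is not visible here, so confirm the ordering against the full method.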
@@ -259,6 +269,39 @@ public FilterHolder makeAuthFilter() {
 return authFilter;
 }
+ public FilterHolder makeFrameOptionFilter() {
+ FilterHolder frameOptionFilter = new FilterHolder(XFrameOptionsFilter.class);
+ frameOptionFilter.setInitParameter(AppConfig.FRAME_OPTIONS_FILETER, conf.get(AppConfig.FRAME_OPTIONS_FILETER));
+ return frameOptionFilter;
+ }
+
+ public static class XFrameOptionsFilter implements Filter {
+ private final static String defaultMode = "DENY";
+
+ private String mode = null;
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ mode = filterConfig.getInitParameter(AppConfig.FRAME_OPTIONS_FILETER);
+ if (mode == null) {
+ mode = defaultMode;
+ }
+ }
+
+ @Override
+ public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain)
+ throws IOException, ServletException {
+ final HttpServletResponse res = (HttpServletResponse) response;
+ res.setHeader("X-FRAME-OPTIONS", mode);
+ chain.doFilter(request, response);
+ }
+
+ @Override
+ public void destroy() {
+ // do nothing
+ }
+ }
+
 public PackagesResourceConfig makeJerseyConfig() {
 PackagesResourceConfig rc = new PackagesResourceConfig("org.apache.hive.hcatalog.templeton");
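Review bot: `XFrameOptionsFilter.init` copies the configured value straight into the header without checking it, so a misspelled or mis-cased setting (`deny`, `None`, a value with trailing whitespace) produces a header browsers ignore and the clickjacking protection silently fails open. Validate in `init` and refuse to start rather than guess: `if (!("DENY".equals(mode) || "SAMEORIGIN".equals(mode) || mode.startsWith("ALLOW-FROM "))) { throw new ServletException("Unsupported " + AppConfig.FRAME_OPTIONS_FILETER + " value: " + mode); }` — and, if `conf` is a Hadoop `Configuration`, read the value with `conf.getTrimmed(...)` in `makeFrameOptionFilter()` so surrounding whitespace is not passed through. Two smaller points: `private final static String defaultMode` is a constant and should be `private static final String DEFAULT_MODE`, and the header name is conventionally written `X-Frame-Options` (header names match case-insensitively, so this is style only). The `makeJerseyConfig()` context at the end of the hunk continues outside it.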