knox-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lmc...@apache.org
Subject git commit: #KNOX-198 CSRF Header Support - added WebAppSec provider for web application security vulnerability prevention and a CSRF prevention filter.
Date Wed, 27 Nov 2013 14:48:24 GMT
Updated Branches:
  refs/heads/master 184ee06e1 -> 9901058dc


#KNOX-198 CSRF Header Support - added WebAppSec provider for web application security vulnerability
prevention and a CSRF prevention filter.


Project: http://git-wip-us.apache.org/repos/asf/incubator-knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-knox/commit/9901058d
Tree: http://git-wip-us.apache.org/repos/asf/incubator-knox/tree/9901058d
Diff: http://git-wip-us.apache.org/repos/asf/incubator-knox/diff/9901058d

Branch: refs/heads/master
Commit: 9901058dc9dbf95b1e98311273f94eb623ecc8fe
Parents: 184ee06
Author: Larry McCay <lmccay@hortonworks.com>
Authored: Wed Nov 27 09:46:09 2013 -0500
Committer: Larry McCay <lmccay@hortonworks.com>
Committed: Wed Nov 27 09:47:46 2013 -0500

----------------------------------------------------------------------
 gateway-provider-security-webappsec/pom.xml     | 85 ++++++++++++++++++
 .../gateway/webappsec/WebAppSecMessages.java    | 26 ++++++
 .../webappsec/deploy/WebAppSecContributor.java  | 66 ++++++++++++++
 .../webappsec/filter/CSRFPreventionFilter.java  | 71 +++++++++++++++
 ...gateway.deploy.ProviderDeploymentContributor | 19 ++++
 .../gateway/provider/federation/CSRFTest.java   | 30 +++++++
 gateway-release/pom.xml                         |  4 +
 .../hadoop/gateway/GatewayBasicFuncTest.java    | 92 +++++++++++++++++++-
 .../hadoop/gateway/GatewayFuncTestDriver.java   | 16 ++++
 pom.xml                                         |  6 ++
 10 files changed, 414 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/9901058d/gateway-provider-security-webappsec/pom.xml
----------------------------------------------------------------------
diff --git a/gateway-provider-security-webappsec/pom.xml b/gateway-provider-security-webappsec/pom.xml
new file mode 100644
index 0000000..02411d1
--- /dev/null
+++ b/gateway-provider-security-webappsec/pom.xml
@@ -0,0 +1,85 @@
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.apache.hadoop</groupId>
+        <artifactId>gateway</artifactId>
+        <version>0.4.0-SNAPSHOT</version>
+    </parent>
+    <artifactId>gateway-provider-security-webappsec</artifactId>
+
+    <name>gateway-provider-security-webappsec</name>
+    <description>An extension of the gateway introducing web application security protections.</description>
+
+    <licenses>
+        <license>
+            <name>The Apache Software License, Version 2.0</name>
+            <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
+            <distribution>repo</distribution>
+        </license>
+    </licenses>
+
+    <dependencies>
+        <dependency>
+            <groupId>${gateway-group}</groupId>
+            <artifactId>gateway-spi</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>${gateway-group}</groupId>
+            <artifactId>gateway-util-common</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>commons-codec</groupId>
+            <artifactId>commons-codec</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.hadoop</groupId>
+            <artifactId>hadoop-cmf</artifactId>
+            <version>3.0.0-SNAPSHOT</version>
+        </dependency>
+
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>org.easymock</groupId>
+            <artifactId>easymock</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.hadoop</groupId>
+            <artifactId>gateway-test-utils</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+    </dependencies>
+
+</project>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/9901058d/gateway-provider-security-webappsec/src/main/java/org/apache/hadoop/gateway/webappsec/WebAppSecMessages.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-webappsec/src/main/java/org/apache/hadoop/gateway/webappsec/WebAppSecMessages.java
b/gateway-provider-security-webappsec/src/main/java/org/apache/hadoop/gateway/webappsec/WebAppSecMessages.java
new file mode 100644
index 0000000..7cf68f4
--- /dev/null
+++ b/gateway-provider-security-webappsec/src/main/java/org/apache/hadoop/gateway/webappsec/WebAppSecMessages.java
@@ -0,0 +1,26 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.webappsec;
+
+import org.apache.hadoop.gateway.i18n.messages.Message;
+import org.apache.hadoop.gateway.i18n.messages.MessageLevel;
+import org.apache.hadoop.gateway.i18n.messages.Messages;
+
+@Messages(logger="org.apache.hadoop.gateway.provider.global.csrf")
+public interface WebAppSecMessages {
+}

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/9901058d/gateway-provider-security-webappsec/src/main/java/org/apache/hadoop/gateway/webappsec/deploy/WebAppSecContributor.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-webappsec/src/main/java/org/apache/hadoop/gateway/webappsec/deploy/WebAppSecContributor.java
b/gateway-provider-security-webappsec/src/main/java/org/apache/hadoop/gateway/webappsec/deploy/WebAppSecContributor.java
new file mode 100644
index 0000000..6a54b9e
--- /dev/null
+++ b/gateway-provider-security-webappsec/src/main/java/org/apache/hadoop/gateway/webappsec/deploy/WebAppSecContributor.java
@@ -0,0 +1,66 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.webappsec.deploy;
+
+import java.util.List;
+import java.util.Map;
+
+import org.apache.hadoop.gateway.deploy.DeploymentContext;
+import org.apache.hadoop.gateway.deploy.ProviderDeploymentContributorBase;
+import org.apache.hadoop.gateway.descriptor.FilterParamDescriptor;
+import org.apache.hadoop.gateway.descriptor.ResourceDescriptor;
+import org.apache.hadoop.gateway.topology.Provider;
+import org.apache.hadoop.gateway.topology.Service;
+
+public class WebAppSecContributor extends
+    ProviderDeploymentContributorBase {
+  private static final String ROLE = "webappsec";
+  private static final String NAME = "WebAppSec";
+  private static final String CSRF_SUFFIX = "_CSRF";
+  private static final String CSRF_FILTER_CLASSNAME = "org.apache.hadoop.gateway.webappsec.filter.CSRFPreventionFilter";
+  private static final String CSRF_ENABLED = "csrf.enabled";
+
+  @Override
+  public String getRole() {
+    return ROLE;
+  }
+
+  @Override
+  public String getName() {
+    return NAME;
+  }
+
+  @Override
+  public void initializeContribution(DeploymentContext context) {
+    super.initializeContribution(context);
+  }
+
+  @Override
+  public void contributeFilter(DeploymentContext context, Provider provider, Service service,

+      ResourceDescriptor resource, List<FilterParamDescriptor> params) {
+    
+    Provider webappsec = context.getTopology().getProvider(ROLE, NAME);
+    if (webappsec != null && webappsec.isEnabled()) {
+      Map<String,String> map = provider.getParams();
+      String csrfEnabled = map.get(CSRF_ENABLED);
+      if ( csrfEnabled != null && csrfEnabled.equals("true")) {
+        resource.addFilter().name( getName() + CSRF_SUFFIX ).role( getRole() ).impl( CSRF_FILTER_CLASSNAME
).params( params );
+      }
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/9901058d/gateway-provider-security-webappsec/src/main/java/org/apache/hadoop/gateway/webappsec/filter/CSRFPreventionFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-webappsec/src/main/java/org/apache/hadoop/gateway/webappsec/filter/CSRFPreventionFilter.java
b/gateway-provider-security-webappsec/src/main/java/org/apache/hadoop/gateway/webappsec/filter/CSRFPreventionFilter.java
new file mode 100644
index 0000000..eb98b8c
--- /dev/null
+++ b/gateway-provider-security-webappsec/src/main/java/org/apache/hadoop/gateway/webappsec/filter/CSRFPreventionFilter.java
@@ -0,0 +1,71 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.webappsec.filter;
+
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class CSRFPreventionFilter implements Filter {
+  private static final String CUSTOM_HEADER_PARAM = "csrf.customHeader";
+  private static final String CUSTOM_METHODS_TO_IGNORE_PARAM = "csrf.methodsToIgnore";
+  private String  headerName = "X-XSRF-Header";
+  private String  mti = "GET,OPTIONS,HEAD";
+  private Set<String> methodsToIgnore = null;
+  
+  @Override
+  public void init( FilterConfig filterConfig ) throws ServletException {
+    String customHeader = filterConfig.getInitParameter(CUSTOM_HEADER_PARAM);
+    if (customHeader != null) {
+      headerName = customHeader;
+    }
+    String customMTI = filterConfig.getInitParameter(CUSTOM_METHODS_TO_IGNORE_PARAM);
+    if (customMTI != null) {
+      mti = customMTI;
+    }
+    methodsToIgnore = new HashSet<String>(Arrays.asList(mti));
+  }
+  
+  @Override
+  public void doFilter(ServletRequest request, ServletResponse response,
+      FilterChain chain) throws IOException, ServletException {
+    if (!methodsToIgnore.contains(((HttpServletRequest) request).getMethod()) &&
!(((HttpServletRequest) request).getHeader(headerName) != null)) {
+      ((HttpServletResponse)response).sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing
Required Header for Vulnerability Protection");
+    }
+    chain.doFilter(request, response);
+  }
+
+  /* (non-Javadoc)
+   * @see javax.servlet.Filter#destroy()
+   */
+  @Override
+  public void destroy() {
+    // TODO Auto-generated method stub
+    
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/9901058d/gateway-provider-security-webappsec/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
----------------------------------------------------------------------
diff --git a/gateway-provider-security-webappsec/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
b/gateway-provider-security-webappsec/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
new file mode 100644
index 0000000..9a060d3
--- /dev/null
+++ b/gateway-provider-security-webappsec/src/main/resources/META-INF/services/org.apache.hadoop.gateway.deploy.ProviderDeploymentContributor
@@ -0,0 +1,19 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+
+org.apache.hadoop.gateway.webappsec.deploy.WebAppSecContributor

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/9901058d/gateway-provider-security-webappsec/src/test/java/org/apache/hadoop/gateway/provider/federation/CSRFTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-webappsec/src/test/java/org/apache/hadoop/gateway/provider/federation/CSRFTest.java
b/gateway-provider-security-webappsec/src/test/java/org/apache/hadoop/gateway/provider/federation/CSRFTest.java
new file mode 100644
index 0000000..28ec021
--- /dev/null
+++ b/gateway-provider-security-webappsec/src/test/java/org/apache/hadoop/gateway/provider/federation/CSRFTest.java
@@ -0,0 +1,30 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.provider.federation;
+
+import junit.framework.TestCase;
+
+import org.apache.hadoop.gateway.services.security.token.impl.JWTToken;
+import org.junit.Test;
+
+public class CSRFTest extends TestCase {
+  @Test
+  public void testCsrf() throws Exception {
+    assertTrue(true);
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/9901058d/gateway-release/pom.xml
----------------------------------------------------------------------
diff --git a/gateway-release/pom.xml b/gateway-release/pom.xml
index 2b8c1d2..982be2b 100644
--- a/gateway-release/pom.xml
+++ b/gateway-release/pom.xml
@@ -163,6 +163,10 @@
         </dependency>
         <dependency>
             <groupId>${gateway-group}</groupId>
+            <artifactId>gateway-provider-security-webappsec</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>${gateway-group}</groupId>
             <artifactId>gateway-provider-security-authz-acls</artifactId>
         </dependency>
         <dependency>

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/9901058d/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayBasicFuncTest.java
----------------------------------------------------------------------
diff --git a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayBasicFuncTest.java
b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayBasicFuncTest.java
index 11eeb0c..973e8ff 100644
--- a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayBasicFuncTest.java
+++ b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayBasicFuncTest.java
@@ -150,6 +150,13 @@ public class GatewayBasicFuncTest {
         .addRoot( "topology" )
           .addTag( "gateway" )
             .addTag( "provider" )
+              .addTag( "role" ).addText( "webappsec" )
+              .addTag( "name" ).addText( "WebAppSec" )
+              .addTag( "enabled" ).addText( "true" )
+              .addTag( "param" )
+                .addTag( "name" ).addText( "csrf.enabled" )
+                .addTag( "value" ).addText( "true" ).gotoParent().gotoParent()
+            .addTag( "provider" )
               .addTag( "role" ).addText( "authentication" )
               .addTag( "enabled" ).addText( "true" )
               .addTag( "param" )
@@ -204,7 +211,7 @@ public class GatewayBasicFuncTest {
             .addTag( "role" ).addText( "WEBHBASE" )
             .addTag( "url" ).addText( driver.getRealUrl( "WEBHBASE" ) )
         .gotoRoot();
-    // System.out.println( "GATEWAY=" + xml.toString() );
+//     System.out.println( "GATEWAY=" + xml.toString() );
     return xml;
   }
 
@@ -236,6 +243,7 @@ public class GatewayBasicFuncTest {
     given()
         //.log().all()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .queryParam( "op", "MKDIRS" )
         .expect()
             //.log().all();
@@ -266,6 +274,7 @@ public class GatewayBasicFuncTest {
     Response response = given()
         //.log().all()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .queryParam( "op", "CREATE" )
         .expect()
             //.log().ifError()
@@ -303,6 +312,7 @@ public class GatewayBasicFuncTest {
         .status( HttpStatus.SC_OK );
     given()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .queryParam( "op", "DELETE" )
         .queryParam( "recursive", "true" )
         .expect()
@@ -324,6 +334,7 @@ public class GatewayBasicFuncTest {
     given()
         //.log().all()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .queryParam( "op", "MKDIRS" )
         .expect()
             //.log().all();
@@ -356,6 +367,7 @@ public class GatewayBasicFuncTest {
         .status( HttpStatus.SC_OK );
     given()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .queryParam( "op", "DELETE" )
         .queryParam( "recursive", "true" )
         .expect()
@@ -387,6 +399,7 @@ public class GatewayBasicFuncTest {
     given()
         //.log().all()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .queryParam( "op", "MKDIRS" )
         .expect()
         //.log().all();
@@ -409,6 +422,7 @@ public class GatewayBasicFuncTest {
     given()
         //.log().all()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .queryParam( "op", "LISTSTATUS" )
         .expect()
         //.log().ifError()
@@ -421,6 +435,7 @@ public class GatewayBasicFuncTest {
     given()
         //.log().all()
         .auth().preemptive().basic( username, "invalid-password" )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .queryParam( "op", "LISTSTATUS" )
         .expect()
         //.log().ifError()
@@ -432,6 +447,7 @@ public class GatewayBasicFuncTest {
     given()
         //.log().all()
         .auth().preemptive().basic( "hdfs-user", "hdfs-password" )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .queryParam( "op", "LISTSTATUS" )
         .expect()
         //.log().ifError()
@@ -443,6 +459,7 @@ public class GatewayBasicFuncTest {
     given()
       //.log().all()
       .auth().preemptive().basic( "mapred-user", "mapred-password" )
+      .header("X-XSRF-Header", "jksdhfkhdsf")
       .queryParam( "op", "LISTSTATUS" )
       .expect()
       //.log().ifError()
@@ -491,6 +508,7 @@ public class GatewayBasicFuncTest {
     Response response = given()
         //.log().all()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .queryParam( "op", "CREATE" )
         .expect()
         //.log().ifError()
@@ -508,6 +526,7 @@ public class GatewayBasicFuncTest {
     response = given()
         //.log().all()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .content( driver.getResourceBytes( "test.txt" ) )
         .contentType( "text/plain" )
         .expect()
@@ -559,6 +578,7 @@ public class GatewayBasicFuncTest {
     given()
         //.log().all()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .queryParam( "op", "OPEN" )
         .expect()
         //.log().ifError()
@@ -590,6 +610,7 @@ public class GatewayBasicFuncTest {
         .status( HttpStatus.SC_OK );
     given()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .queryParam( "op", "DELETE" )
         .queryParam( "recursive", "true" )
         .expect()
@@ -685,6 +706,7 @@ public class GatewayBasicFuncTest {
       Response response = given()
           //.log().all()
           .auth().preemptive().basic( userA, "invalid-password" )
+          .header("X-XSRF-Header", "jksdhfkhdsf")
           .queryParam( "op", "OPEN" )
           .expect()
           //.log().all()
@@ -929,6 +951,7 @@ public class GatewayBasicFuncTest {
         .contentType( "application/x-thrift" );
     Response response = given()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .content( driver.getResourceBytes( "hive/open-session-request.bin" ) )
         .contentType( "application/x-thrift" )
         .expect()
@@ -953,6 +976,7 @@ public class GatewayBasicFuncTest {
         .contentType( "application/x-thrift" );
     response = given()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .content( driver.getResourceBytes( "hive/execute-set-fetch-output-serde-request.bin"
) )
         .contentType( "application/x-thrift" )
         .expect()
@@ -976,6 +1000,7 @@ public class GatewayBasicFuncTest {
         .contentType( "application/x-thrift" );
     response = given()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .content( driver.getResourceBytes( "hive/close-operation-1-request.bin" ) )
         .contentType( "application/x-thrift" )
         .expect()
@@ -999,6 +1024,7 @@ public class GatewayBasicFuncTest {
         .contentType( "application/x-thrift" );
     response = given()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .content( driver.getResourceBytes( "hive/execute-set-server2-http-path-request.bin"
) )
         .contentType( "application/x-thrift" )
         .expect()
@@ -1022,6 +1048,7 @@ public class GatewayBasicFuncTest {
         .contentType( "application/x-thrift" );
     response = given()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .content( driver.getResourceBytes( "hive/close-operation-2-request.bin" ) )
         .contentType( "application/x-thrift" )
         .expect()
@@ -1045,6 +1072,7 @@ public class GatewayBasicFuncTest {
         .contentType( "application/x-thrift" );
     response = given()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .content( driver.getResourceBytes( "hive/execute-set-server2-servermode-request.bin"
) )
         .contentType( "application/x-thrift" )
         .expect()
@@ -1068,6 +1096,7 @@ public class GatewayBasicFuncTest {
         .contentType( "application/x-thrift" );
     response = given()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .content( driver.getResourceBytes( "hive/close-operation-3-request.bin" ) )
         .contentType( "application/x-thrift" )
         .expect()
@@ -1091,6 +1120,7 @@ public class GatewayBasicFuncTest {
         .contentType( "application/x-thrift" );
     response = given()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .content( driver.getResourceBytes( "hive/execute-set-security-authorization-enabled-request.bin"
) )
         .contentType( "application/x-thrift" )
         .expect()
@@ -1114,6 +1144,7 @@ public class GatewayBasicFuncTest {
         .contentType( "application/x-thrift" );
     response = given()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .content( driver.getResourceBytes( "hive/close-operation-4-request.bin" ) )
         .contentType( "application/x-thrift" )
         .expect()
@@ -1137,6 +1168,7 @@ public class GatewayBasicFuncTest {
         .contentType( "application/x-thrift" );
     response = given()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .content( driver.getResourceBytes( "hive/execute-create-table-request.bin" ) )
         .contentType( "application/x-thrift" )
         .expect()
@@ -1160,6 +1192,7 @@ public class GatewayBasicFuncTest {
         .contentType( "application/x-thrift" );
     response = given()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .content( driver.getResourceBytes( "hive/close-operation-5-request.bin" ) )
         .contentType( "application/x-thrift" )
         .expect()
@@ -1183,6 +1216,7 @@ public class GatewayBasicFuncTest {
         .contentType( "application/x-thrift" );
     response = given()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .content( driver.getResourceBytes( "hive/execute-select-from-table-request.bin" )
)
         .contentType( "application/x-thrift" )
         .expect()
@@ -1206,6 +1240,7 @@ public class GatewayBasicFuncTest {
         .contentType( "application/x-thrift" );
     response = given()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .content( driver.getResourceBytes( "hive/get-result-set-metadata-request.bin" ) )
         .contentType( "application/x-thrift" )
         .expect()
@@ -1229,6 +1264,7 @@ public class GatewayBasicFuncTest {
         .contentType( "application/x-thrift" );
     response = given()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .content( driver.getResourceBytes( "hive/fetch-results-request.bin" ) )
         .contentType( "application/x-thrift" )
         .expect()
@@ -1252,6 +1288,7 @@ public class GatewayBasicFuncTest {
         .contentType( "application/x-thrift" );
     response = given()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .content( driver.getResourceBytes( "hive/close-operation-6-request.bin" ) )
         .contentType( "application/x-thrift" )
         .expect()
@@ -1275,6 +1312,7 @@ public class GatewayBasicFuncTest {
         .contentType( "application/x-thrift" );
     response = given()
         .auth().preemptive().basic( username, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .content( driver.getResourceBytes( "hive/close-session-request.bin" ) )
         .contentType( "application/x-thrift" )
         .expect()
@@ -1304,6 +1342,7 @@ public class GatewayBasicFuncTest {
     
     Response response = given()
     .auth().preemptive().basic( username, password )
+    .header("X-XSRF-Header", "jksdhfkhdsf")
     .header( "Accept", ContentType.XML.toString() )
     .expect()
     .statusCode( HttpStatus.SC_OK )
@@ -1328,6 +1367,7 @@ public class GatewayBasicFuncTest {
     
     response = given()
     .auth().preemptive().basic( username, password )
+    .header("X-XSRF-Header", "jksdhfkhdsf")
     .header( "Accept", ContentType.JSON.toString() )
     .expect()
     .statusCode( HttpStatus.SC_OK )
@@ -1350,6 +1390,7 @@ public class GatewayBasicFuncTest {
     
     given()
     .auth().preemptive().basic( username, password )
+    .header("X-XSRF-Header", "jksdhfkhdsf")
     .header( "Accept", "application/x-protobuf" )
     .expect()
     .statusCode( HttpStatus.SC_OK )
@@ -1378,6 +1419,7 @@ public class GatewayBasicFuncTest {
 
     given()
     .auth().preemptive().basic( username, password )
+    .header("X-XSRF-Header", "jksdhfkhdsf")
     .expect()
     .statusCode( HttpStatus.SC_CREATED )
     .contentType( ContentType.XML )
@@ -1397,6 +1439,7 @@ public class GatewayBasicFuncTest {
     
     given()
     .auth().preemptive().basic( username, password )
+    .header("X-XSRF-Header", "jksdhfkhdsf")
     .expect()
     .statusCode( HttpStatus.SC_CREATED )
     .contentType( ContentType.JSON )
@@ -1416,6 +1459,7 @@ public class GatewayBasicFuncTest {
 
     given()
     .auth().preemptive().basic( username, password )
+    .header("X-XSRF-Header", "jksdhfkhdsf")
     .expect()
     .statusCode( HttpStatus.SC_CREATED )
     .contentType( "application/x-protobuf" )
@@ -1444,6 +1488,7 @@ public class GatewayBasicFuncTest {
 
     Response response = given()
     .auth().preemptive().basic( username, password )
+    .header("X-XSRF-Header", "jksdhfkhdsf")
     .header( "Accept", ContentType.XML.toString() )
     .expect()
     .statusCode( HttpStatus.SC_OK )
@@ -1468,6 +1513,7 @@ public class GatewayBasicFuncTest {
 
     response = given()
     .auth().preemptive().basic( username, password )
+    .header("X-XSRF-Header", "jksdhfkhdsf")
     .header( "Accept", ContentType.JSON.toString() )
     .expect()
     .statusCode( HttpStatus.SC_OK )
@@ -1490,6 +1536,7 @@ public class GatewayBasicFuncTest {
 
     response = given()
     .auth().preemptive().basic( username, password )
+    .header("X-XSRF-Header", "jksdhfkhdsf")
     .header( "Accept", "application/x-protobuf" )
     .expect()
     .statusCode( HttpStatus.SC_OK )
@@ -1524,6 +1571,7 @@ public class GatewayBasicFuncTest {
 
     given()
     .auth().preemptive().basic( username, password )
+    .header("X-XSRF-Header", "jksdhfkhdsf")
     //.header( "Content-Type", ContentType.XML.toString() )
     .content( driver.getResourceBytes( resourceName + ".xml" ) )
     .contentType( ContentType.XML.toString() )
@@ -1543,6 +1591,7 @@ public class GatewayBasicFuncTest {
 
     given()
     .auth().preemptive().basic( username, password )
+    .header("X-XSRF-Header", "jksdhfkhdsf")
     //.header( "Content-Type", ContentType.JSON.toString() )
     .content( driver.getResourceBytes( resourceName + ".json" ) )
     .contentType( ContentType.JSON.toString() )
@@ -1563,6 +1612,7 @@ public class GatewayBasicFuncTest {
 
     given()
     .auth().preemptive().basic( username, password )
+    .header("X-XSRF-Header", "jksdhfkhdsf")
     //.header( "Content-Type", "application/x-protobuf" )
     .content( driver.getResourceBytes( resourceName + ".protobuf" ) )
     .contentType( "application/x-protobuf" )
@@ -1585,6 +1635,7 @@ public class GatewayBasicFuncTest {
 
     given()
       .auth().preemptive().basic( username, password )
+      .header("X-XSRF-Header", "jksdhfkhdsf")
       //.header( "Content-Type", ContentType.XML.toString() )
       .content( driver.getResourceBytes( resourceName + ".xml" ) )
       .contentType( ContentType.XML.toString() )
@@ -1604,6 +1655,7 @@ public class GatewayBasicFuncTest {
 
     given()
     .auth().preemptive().basic( username, password )
+    .header("X-XSRF-Header", "jksdhfkhdsf")
     //.header( "Content-Type", ContentType.JSON.toString() )
     .content( driver.getResourceBytes( resourceName + ".json" ) )
     .contentType( ContentType.JSON.toString() )
@@ -1624,6 +1676,7 @@ public class GatewayBasicFuncTest {
 
     given()
     .auth().preemptive().basic( username, password )
+    .header("X-XSRF-Header", "jksdhfkhdsf")
     //.header( "Content-Type", "application/x-protobuf" )
     .content( driver.getResourceBytes( resourceName + ".protobuf" ) )
     .contentType( "application/x-protobuf" )
@@ -1652,6 +1705,7 @@ public class GatewayBasicFuncTest {
 
     given()
     .auth().preemptive().basic( username, password )
+    .header("X-XSRF-Header", "jksdhfkhdsf")
     .expect()
     .statusCode( HttpStatus.SC_OK )
     .when().delete( driver.getUrl( "WEBHBASE" ) + "/" + tableId + "/" + rowId );
@@ -1666,6 +1720,7 @@ public class GatewayBasicFuncTest {
 
     given()
     .auth().preemptive().basic( username, password )
+    .header("X-XSRF-Header", "jksdhfkhdsf")
     .expect()
     .statusCode( HttpStatus.SC_OK )
     .when().delete( driver.getUrl( "WEBHBASE" ) + "/" + tableId + "/" + rowId + "/" + familyId
);
@@ -1680,6 +1735,7 @@ public class GatewayBasicFuncTest {
 
     given()
     .auth().preemptive().basic( username, password )
+    .header("X-XSRF-Header", "jksdhfkhdsf")
     .expect()
     .statusCode( HttpStatus.SC_OK )
     .when().delete( driver.getUrl( "WEBHBASE" ) + "/" + tableId + "/" + rowId + "/" + familyId
+ ":" + columnId );
@@ -1711,6 +1767,7 @@ public class GatewayBasicFuncTest {
 
     Response response = given()
     .auth().preemptive().basic( username, password )
+    .header("X-XSRF-Header", "jksdhfkhdsf")
     .header( "Accept", ContentType.XML.toString() )
     .expect()
     .statusCode( HttpStatus.SC_OK )
@@ -1735,6 +1792,7 @@ public class GatewayBasicFuncTest {
 
     response = given()
     .auth().preemptive().basic( username, password )
+    .header("X-XSRF-Header", "jksdhfkhdsf")
     .header( "Accept", ContentType.XML.toString() )
     .expect()
     .statusCode( HttpStatus.SC_OK )
@@ -1759,6 +1817,7 @@ public class GatewayBasicFuncTest {
 
     response = given()
     .auth().preemptive().basic( username, password )
+    .header("X-XSRF-Header", "jksdhfkhdsf")
     .header( "Accept", ContentType.JSON.toString() )
     .expect()
     .statusCode( HttpStatus.SC_OK )
@@ -1781,6 +1840,7 @@ public class GatewayBasicFuncTest {
 
     response = given()
     .auth().preemptive().basic( username, password )
+    .header("X-XSRF-Header", "jksdhfkhdsf")
     .header( "Accept", ContentType.JSON.toString() )
     .expect()
     .statusCode( HttpStatus.SC_OK )
@@ -1813,6 +1873,7 @@ public class GatewayBasicFuncTest {
 
     given()
     .auth().preemptive().basic( username, password )
+    .header("X-XSRF-Header", "jksdhfkhdsf")
     .header( "Content-Type", ContentType.XML.toString() )
     .content( driver.getResourceBytes( scannerDefinitionResourceName + ".xml" ) )
     .expect()
@@ -1835,6 +1896,7 @@ public class GatewayBasicFuncTest {
 
     Response response = given()
     .auth().preemptive().basic( username, password )
+    .header("X-XSRF-Header", "jksdhfkhdsf")
     .header( "Accept", ContentType.XML.toString() )
     .expect()
     .statusCode( HttpStatus.SC_OK )
@@ -1857,10 +1919,38 @@ public class GatewayBasicFuncTest {
 
     given()
     .auth().preemptive().basic( username, password )
+    .header("X-XSRF-Header", "jksdhfkhdsf")
     .expect()
     .statusCode( HttpStatus.SC_OK )
     .when().delete( driver.getUrl( "WEBHBASE" ) + scannerPath + "/" + scannerId );
     driver.assertComplete();
   }
 
+  @Ignore
+  public void testCrossSiteRequestForgeryPrevention() throws IOException {
+    String root = "/tmp/GatewayWebHdfsFuncTest/testCrossSiteRequestForgeryPrevention";
+    String username = "hdfs";
+    String password = "hdfs-password";
+
+//    driver.getMock( "WEBHDFS" )
+//        .expect()
+//        .method( "PUT" )
+//        .pathInfo( "/v1" + root + "/dir" )
+//        .queryParam( "op", "MKDIRS" )
+//        .queryParam( "user.name", username )
+//        .respond()
+//        .status( HttpStatus.SC_BAD_REQUEST );
+    given()
+        .log().all()
+        .auth().preemptive().basic( username, password )
+//        .header("X-XSRF-Header", "jksdhfkhdsf")
+        .queryParam( "op", "MKDIRS" )
+        .expect()
+            .log().all()
+        .statusCode( HttpStatus.SC_BAD_REQUEST )
+        .when().put( driver.getUrl( "WEBHDFS" ) + "/v1" + root + "/dir" );
+//    driver.reset();
+//    driver.assertComplete();
+  }
+
 }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/9901058d/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayFuncTestDriver.java
----------------------------------------------------------------------
diff --git a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayFuncTestDriver.java
b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayFuncTestDriver.java
index 0fb91e1..5e6006f 100644
--- a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayFuncTestDriver.java
+++ b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayFuncTestDriver.java
@@ -300,6 +300,7 @@ public class GatewayFuncTestDriver {
         //.log().headers()
         //.log().parameters()
         .auth().preemptive().basic( user, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .queryParam( "op", "CREATE" )
         .queryParam( "permission", permsOctal )
         .expect()
@@ -339,6 +340,7 @@ public class GatewayFuncTestDriver {
     Response response = given()
         //.log().all()
         .auth().preemptive().basic( user, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .contentType( contentType )
         .content( getResourceBytes( resource ) )
         .expect()
@@ -399,6 +401,7 @@ public class GatewayFuncTestDriver {
     Response response = given()
         //.log().all()
         .auth().preemptive().basic( user, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .queryParam( "op", "OPEN" )
         .expect()
         //.log().all()
@@ -426,6 +429,7 @@ public class GatewayFuncTestDriver {
     given()
         //.log().all()
         .auth().preemptive().basic( user, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .queryParam( "op", "SETOWNER" )
         .queryParam( "owner", owner )
         .queryParam( "group", group )
@@ -449,6 +453,7 @@ public class GatewayFuncTestDriver {
     given()
         //.log().all()
         .auth().preemptive().basic( user, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .queryParam( "op", "SETPERMISSION" )
         .queryParam( "permission", permsOctal )
         .expect()
@@ -493,6 +498,7 @@ public class GatewayFuncTestDriver {
     Response response = given()
         //.log().all()
         .auth().preemptive().basic( user, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .queryParam( "op", "CREATE" )
         .queryParam( "overwrite", "true" )
         .content( getResourceBytes( resource ) )
@@ -533,6 +539,7 @@ public class GatewayFuncTestDriver {
     Response response = given()
         //.log().all()
         .auth().preemptive().basic( user, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .queryParam( "op", "CREATE" )
         .queryParam( "overwrite", "true" )
         .contentType( contentType )
@@ -555,6 +562,7 @@ public class GatewayFuncTestDriver {
     given()
         //.log().all()
         .auth().preemptive().basic( user, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .queryParam( "op", "DELETE" )
         .queryParam( "recursive", recursive )
         .expect()
@@ -580,6 +588,7 @@ public class GatewayFuncTestDriver {
     Response response = given()
         //.log().all()
         .auth().preemptive().basic( user, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .queryParam( "op", "MKDIRS" )
         .queryParam( "permission", permsOctal )
         .expect()
@@ -630,6 +639,7 @@ public class GatewayFuncTestDriver {
     String json = given()
         //.log().all()
         .auth().preemptive().basic( user, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .formParam( "user.name", user )
         .formParam( "jar", jar )    //"/user/hdfs/test/hadoop-examples.jar" )
         .formParam( "class", main ) //"org.apache.org.apache.hadoop.examples.WordCount" )
@@ -657,6 +667,7 @@ public class GatewayFuncTestDriver {
     String json = given()
         //.log().all()
         .auth().preemptive().basic( user, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
 //BUG: The identity asserter needs to check for this too.
         .formParam( "user.name", user )
         .formParam( "group", group )
@@ -690,6 +701,7 @@ public class GatewayFuncTestDriver {
     String json = given()
         //.log().all()
         .auth().preemptive().basic( user, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .formParam( "user.name", user )
         .formParam( "group", group )
         .formParam( "group", group )
@@ -722,6 +734,7 @@ public class GatewayFuncTestDriver {
     String status = given()
         //.log().all()
         .auth().preemptive().basic( user, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .pathParam( "job", job )
         .expect()
         //.log().all()
@@ -743,6 +756,7 @@ public class GatewayFuncTestDriver {
   public void oozieGetVersions( String user, String password ) throws IOException {
     given()
         .auth().preemptive().basic( user, password )
+        .header("X-XSRF-Header", "jksdhfkhdsf")
         .expect()
         .statusCode( 200 )
         .body( "", hasItems( 0, 1 ) )
@@ -844,6 +858,7 @@ TODO
 //    post.getParams().setParameter( "action", "start" );
     StringEntity entity = new StringEntity( request, ContentType.create( "application/xml",
"UTF-8" ) );
     post.setEntity( entity );
+    post.setHeader("X-XSRF-Header", "ksdjfhdsjkfhds");
     HttpResponse response = client.execute( targetHost, post, localContext );
     assertThat( response.getStatusLine().getStatusCode(), is( status ) );
     String json = EntityUtils.toString( response.getEntity() );
@@ -930,6 +945,7 @@ TODO
     localContext.setAttribute( ClientContext.AUTH_CACHE, authCache );
 
     HttpGet request = new HttpGet( url.toURI() );
+    request.setHeader("X-XSRF-Header", "ksdhfjkhdsjkf");
     HttpResponse response = client.execute( targetHost, request, localContext );
     assertThat( response.getStatusLine().getStatusCode(), is( status ) );
     String json = EntityUtils.toString( response.getEntity() );

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/9901058d/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index c945dcb..255451a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -44,6 +44,7 @@
         <module>gateway-provider-rewrite-func-service-registry</module>
         <module>gateway-provider-rewrite-step-secure-query</module>
         <module>gateway-provider-security-jwt</module>
+        <module>gateway-provider-security-webappsec</module>
         <module>gateway-provider-security-shiro</module>
         <module>gateway-provider-security-authz-acls</module>
         <module>gateway-provider-identity-assertion-pseudo</module>
@@ -349,6 +350,11 @@
             </dependency>
             <dependency>
                 <groupId>${gateway-group}</groupId>
+                <artifactId>gateway-provider-security-webappsec</artifactId>
+                <version>${gateway-version}</version>
+            </dependency>
+            <dependency>
+                <groupId>${gateway-group}</groupId>
                 <artifactId>gateway-provider-security-shiro</artifactId>
                 <version>${gateway-version}</version>
             </dependency>


Mime
View raw message