This is an automated email from the ASF dual-hosted git repository. mehul pushed a commit to branch ranger-2.4 in repository https://gitbox.apache.org/repos/asf/ranger.git
commit e2e052532f8176fc309bff103199ac78d0714238
Author: Mahesh Bandal <[email protected]>
AuthorDate: Mon Nov 21 12:14:13 2022 +0530

RANGER-3962: Add preload directive to HSTS header

Signed-off-by: Mehul Parikh <[email protected]>
---
 .../hadoop/crypto/key/kms/server/KMSMDCFilter.java | 51 +++++++++++-----------
 .../RangerSecurityContextFormationFilter.java | 2 +-
 security-admin/src/main/webapp/login.jsp | 2 +-
 3 files changed, 27 insertions(+), 28 deletions(-)
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSMDCFilter.java b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSMDCFilter.java
index 1174f0bd6..b975bd099 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSMDCFilter.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSMDCFilter.java
@@ -71,32 +71,31 @@ public class KMSMDCFilter implements Filter {
 
  @Override
  public void doFilter(ServletRequest request, ServletResponse response,
- FilterChain chain)
- throws IOException, ServletException {
- try {
- String path = ((HttpServletRequest) request).getRequestURI();
- HttpServletResponse resp = (HttpServletResponse) response;
- resp.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
-
- if (path.startsWith(RANGER_KMS_REST_API_PATH)) {
- chain.doFilter(request, resp);
- } else {
- DATA_TL.remove();
- UserGroupInformation ugi = HttpUserGroupInformation.get();
- String method = ((HttpServletRequest) request).getMethod();
- StringBuffer requestURL = ((HttpServletRequest) request).getRequestURL();
- String queryString = ((HttpServletRequest) request).getQueryString();
- if (queryString != null) {
- requestURL.append("?").append(queryString);
- }
- DATA_TL.set(new Data(ugi, method, requestURL.toString()));
- chain.doFilter(request, resp);
- }
- } finally {
- DATA_TL.remove();
-
- }
- }
+ FilterChain chain) throws IOException, ServletException {
+ try {
+ String path = ((HttpServletRequest) request).getRequestURI();
+ HttpServletResponse resp = (HttpServletResponse) response;
+ resp.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload");
+
+ if (path.startsWith(RANGER_KMS_REST_API_PATH)) {
+ chain.doFilter(request, resp);
+ } else {
+ DATA_TL.remove();
+ UserGroupInformation ugi = HttpUserGroupInformation.get();
+ String method = ((HttpServletRequest) request).getMethod();
+ StringBuffer requestURL = ((HttpServletRequest) request).getRequestURL();
+ String queryString = ((HttpServletRequest) request).getQueryString();
+ if (queryString != null) {
+ requestURL.append("?").append(queryString);
+ }
+ DATA_TL.set(new Data(ugi, method, requestURL.toString()));
+ chain.doFilter(request, resp);
+ }
+ } finally {
+ DATA_TL.remove();
+
+ }
+ }
 
  @Override
  public void destroy() {
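Review bot: The `preload` token added on the `resp.setHeader("Strict-Transport-Security", ...)` line is a commitment rather than just a stricter policy: browsers only act on it once the domain is submitted to the HSTS preload list, and after that the host and every subdomain are hard-coded to HTTPS in shipped browsers, with removal taking browser release cycles, so it is only appropriate where every subdomain already serves HTTPS. A short comment would stop the next maintainer from treating the token as cosmetic, e.g. `// "preload" opts this host and all subdomains into browser HSTS preload lists; keep max-age >= 1 year + includeSubDomains, and only deploy where every subdomain is HTTPS`. The same literal is now hand-maintained in three places — this hunk, RangerSecurityContextFormationFilter and login.jsp — which is why one token required three edits; hoisting it into one shared constant would keep the copies from drifting again. Nearly all of this hunk is a re-indent of unchanged lines around the single functional change, which makes the diff harder to review and blame; the whitespace churn would be better as a separate commit.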
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
index 9f83daf9a..782fe1173 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
@@ -136,7 +136,7 @@ public class RangerSecurityContextFormationFilter extends GenericFilterBean {
  res.setHeader("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate");
  res.setHeader("X-Frame-Options", "DENY" );
  res.setHeader("X-XSS-Protection", "1; mode=block");
- res.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
+ res.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload");
  res.setHeader("Content-Security-Policy", "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'");
  res.setHeader("X-Permitted-Cross-Domain-Policies", "none");
  chain.doFilter(request, res);
diff --git a/security-admin/src/main/webapp/login.jsp b/security-admin/src/main/webapp/login.jsp
index df234efd9..ad82ea9eb 100644
--- a/security-admin/src/main/webapp/login.jsp
+++ b/security-admin/src/main/webapp/login.jsp
@@ -56,7 +56,7 @@
  response.setHeader("X-Content-Type-Options", "nosniff");
  response.setHeader("X-XSS-Protection", "1; mode=block");
  response.setHeader("Content-Security-Policy", "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'");
- response.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
+ response.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload");
  // Delete browser cache in firefox environment
  response.setHeader("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate"); // HTTP 1.1.
  response.setHeader("Pragma", "no-cache");
