Repository: zeppelin Updated Branches: refs/heads/master 82c92d110 -> 62aec9fbd
[ZEPPELIN-2461] Masking Jetty Server version with User-configurable parameter ### What is this PR for? Security conscious organisations does not want to reveal the Application Server name and version to prevent Script-kiddies from finding the information easily when fingerprinting the Application. The exact version number can tell an Attacker if the current Application Server is patched for or vulnerable to certain publicly known CVE associated to it. ### What type of PR is it? [Improvement | Feature] ### What is the Jira issue? * [ZEPPELIN-2461](https://issues.apache.org/jira/browse/ZEPPELIN-2461) ### How should this be tested? Providing a value in zeppelin-site.xml will replace the actual Jetty server version found in HTTP Header with provided value. E.g. - edit zeppelin-site.xml and add a property `zeppelin.server.jetty.name` and with value say `TOMCAT` - restart the server - open the app in browser then observe the Response Headers for the key "Server" this should now reflect "TOMCAT" ### Screenshots (if appropriate) ### Questions: * Does the licenses files need update? N/A * Is there breaking changes for older versions? N/A * Does this needs documentation? N/A Author: krishna-pandey <krish.pande...@gmail.com> Closes #2293 from krishna-pandey/ZEPPELIN-2461 and squashes the following commits: b071f7ad0 [krishna-pandey] Set App Server name to config value Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/62aec9fb Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/62aec9fb Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/62aec9fb Branch: refs/heads/master Commit: 62aec9fbdc3921f319b9901b7f7bd9c4c9e0f4fc Parents: 82c92d1 Author: krishna-pandey <krish.pande...@gmail.com> Authored: Thu Apr 27 16:14:33 2017 +0530 Committer: Prabhjyot Singh <prabhjyotsi...@gmail.com> Committed: Wed May 3 21:14:59 2017 +0530 ---------------------------------------------------------------------- conf/zeppelin-site.xml.template | 8 ++++++++ .../main/java/org/apache/zeppelin/server/ZeppelinServer.java | 3 +++ .../java/org/apache/zeppelin/conf/ZeppelinConfiguration.java | 7 ++++++- 3 files changed, 17 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/zeppelin/blob/62aec9fb/conf/zeppelin-site.xml.template ---------------------------------------------------------------------- diff --git a/conf/zeppelin-site.xml.template b/conf/zeppelin-site.xml.template index 5efe620..2a03cd9 100755 --- a/conf/zeppelin-site.xml.template +++ b/conf/zeppelin-site.xml.template @@ -369,4 +369,12 @@ <description>Enable directory listings on server.</description> </property> +<!-- +<property> + <name>zeppelin.server.jetty.name</name> + <value>Jetty(7.6.0.v20120127)</value> + <description>Hardcoding Application Server name to Prevent Fingerprinting</description> +</property> +--> + </configuration> http://git-wip-us.apache.org/repos/asf/zeppelin/blob/62aec9fb/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java ---------------------------------------------------------------------- diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java b/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java index fe2823c..2b67dfd 100644 --- a/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java +++ b/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java @@ -193,6 +193,9 @@ public class ZeppelinServer extends Application { LOG.info("Starting zeppelin server"); try { jettyWebServer.start(); //Instantiates ZeppelinServer + if (conf.getJettyName() != null) { + org.eclipse.jetty.http.HttpGenerator.setJettyVersion(conf.getJettyName()); + } } catch (Exception e) { LOG.error("Error while running jettyServer", e); System.exit(-1); http://git-wip-us.apache.org/repos/asf/zeppelin/blob/62aec9fb/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java ---------------------------------------------------------------------- diff --git a/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java b/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java index 4331b72..66beb48 100644 --- a/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java +++ b/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java @@ -498,6 +498,10 @@ public class ZeppelinConfiguration extends XMLConfiguration { return getString(ConfVars.ZEPPELIN_WEBSOCKET_MAX_TEXT_MESSAGE_SIZE); } + public String getJettyName() { + return getString(ConfVars.ZEPPELIN_SERVER_JETTY_NAME); + } + public Map<String, String> dumpConfigurations(ZeppelinConfiguration conf, ConfigurationKeyPredicate predicate) { Map<String, String> configurations = new HashMap<>(); @@ -646,7 +650,8 @@ public class ZeppelinConfiguration extends XMLConfiguration { ZEPPELIN_ANONYMOUS_ALLOWED("zeppelin.anonymous.allowed", true), ZEPPELIN_CREDENTIALS_PERSIST("zeppelin.credentials.persist", true), ZEPPELIN_WEBSOCKET_MAX_TEXT_MESSAGE_SIZE("zeppelin.websocket.max.text.message.size", "1024000"), - ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED("zeppelin.server.default.dir.allowed", false); + ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED("zeppelin.server.default.dir.allowed", false), + ZEPPELIN_SERVER_JETTY_NAME("zeppelin.server.jetty.name", null); private String varName; @SuppressWarnings("rawtypes")
