
Commit 61e857d

committed
Fix the REST request's lack of Origin validation; add tests that use Mockito (a unit-test framework) and force the servlet to use version 3.0 instead of 2.5
1 parent 08ff369 commit 61e857d

4 files changed

+24
-13
lines changed


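--- a/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java
@@ -18,6 +18,7 @@
 package org.apache.zeppelin.server;
 
 import java.io.IOException;
+import java.net.URI;
 import java.text.DateFormat;
 import java.util.Date;
 import java.util.Locale;
@@ -40,21 +41,28 @@ public class CorsFilter implements Filter {
 @Override
 public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
 throws IOException, ServletException {
+String sourceHost = request.getServerName();
+String currentHost = java.net.InetAddress.getLocalHost().getHostName();
+String origin = "";
+if (currentHost.equals(sourceHost) || "localhost".equals(sourceHost)) {
+origin = ((HttpServletRequest) request).getHeader("Origin");
+}
+
 if (((HttpServletRequest) request).getMethod().equals("OPTIONS")) {
 HttpServletResponse resp = ((HttpServletResponse) response);
-addCorsHeaders(resp);
+addCorsHeaders(resp, origin);
 return;
 }
 
 if (response instanceof HttpServletResponse) {
 HttpServletResponse alteredResponse = ((HttpServletResponse) response);
-addCorsHeaders(alteredResponse);
+addCorsHeaders(alteredResponse, origin);
 }
 filterChain.doFilter(request, response);
 }
 
-private void addCorsHeaders(HttpServletResponse response) {
-response.addHeader("Access-Control-Allow-Origin", "*");
+private void addCorsHeaders(HttpServletResponse response, String origin) {
+response.addHeader("Access-Control-Allow-Origin", origin);
 response.addHeader("Access-Control-Allow-Credentials", "true");
 response.addHeader("Access-Control-Allow-Headers", "authorization,Content-Type");
 response.addHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, PUT, HEAD, DELETE");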
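Review bot: The new check in doFilter compares `request.getServerName()` (the name the request was addressed to, i.e. the Host header / server address) with the local hostname, not the requesting page's origin, so any cross-site browser request that reaches the server under its own hostname still gets its `Origin` header echoed into `Access-Control-Allow-Origin` while `Access-Control-Allow-Credentials` stays `true`; dropping the `*` wildcard therefore does not make the policy tighter than before. The `java.net.URI` import added in the first hunk is unused — use it to parse the `Origin` header and compare that host against `currentHost`/`localhost` (an allow-list from configuration would be better still), and treat a missing or malformed `Origin` as untrusted instead of passing `null` or `""` to `addHeader`. `InetAddress.getLocalHost()` is also called on every request and can throw `UnknownHostException`; resolving it once in `init` would avoid a per-request lookup. doFilter fits inside the hunk, but addCorsHeaders continues past its last line, and the rewrite below also needs `java.net.URISyntaxException` in scope.
```java
throws IOException, ServletException {
String currentHost = java.net.InetAddress.getLocalHost().getHostName();
String requestOrigin = ((HttpServletRequest) request).getHeader("Origin");
String origin = "";
if (requestOrigin != null) {
  try {
    String originHost = new URI(requestOrigin).getHost();
    if (originHost != null && (currentHost.equals(originHost) || "localhost".equals(originHost))) {
      origin = requestOrigin;
    }
  } catch (URISyntaxException ignored) {
    // malformed Origin header: leave origin empty so no CORS headers are reflected
  }
}
// … unchanged: OPTIONS handling, addCorsHeaders calls, filterChain.doFilter …

private void addCorsHeaders(HttpServletResponse response, String origin) {
  if (origin.isEmpty()) {
    return; // absent or untrusted Origin: emit no Access-Control-* headers at all
  }
  response.addHeader("Access-Control-Allow-Origin", origin);
  // … unchanged: remaining Access-Control-* headers …
```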

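--- a/zeppelin-server/src/test/java/org/apache/zeppelin/socket/NotebookServerTests.java
+++ b/zeppelin-server/src/test/java/org/apache/zeppelin/socket/NotebookServerTests.java
@@ -19,14 +19,9 @@
 */
 package org.apache.zeppelin.socket;
 
-import org.apache.zeppelin.notebook.Note;
-import org.apache.zeppelin.server.ZeppelinServer;
 import org.junit.Assert;
-import org.junit.FixMethodOrder;
 import org.junit.Test;
-import org.junit.runners.MethodSorters;
 
-import java.io.IOException;
 import java.net.UnknownHostException;
 
 /**
@@ -50,4 +45,6 @@ public void CheckInvalidOrigin(){
 NotebookServer server = new NotebookServer();
 Assert.assertFalse(server.checkOrigin(new TestHttpServletRequest(), "http://evillocalhost:8080"));
 }
+
+
 }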

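--- a/zeppelin-server/src/test/java/org/apache/zeppelin/socket/TestHttpServletRequest.java
+++ b/zeppelin-server/src/test/java/org/apache/zeppelin/socket/TestHttpServletRequest.java
@@ -317,7 +317,7 @@ public String getScheme() {
 
 @Override
 public String getServerName() {
-return null;
+return "localhost";
 }
 
 @Override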

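--- a/zeppelin-web/src/WEB-INF/web.xml
+++ b/zeppelin-web/src/WEB-INF/web.xml
@@ -17,8 +17,8 @@
 -->
 
 <web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
-version="2.5">
+xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+version="3.0">
 
 <display-name>zeppelin-web</display-name>
 <servlet>
@@ -30,7 +30,6 @@
 </init-param>
 <load-on-startup>1</load-on-startup>
 </servlet>
-
 <!-- This route is for swagger, must be different than root -->
 <servlet-mapping>
 <servlet-name>default</servlet-name>
@@ -41,4 +40,11 @@
 <param-name>configuration</param-name>
 <param-value>deployment</param-value>
 </context-param>
+
+<session-config>
+<cookie-config>
+<http-only>true</http-only>
+<secure>true</secure>
+</cookie-config>
+</session-config>
 </web-app>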
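Review bot: `<secure>true</secure>` in the new session-config marks the container's session cookie Secure, so browsers will not send it back over plain HTTP; if Zeppelin is reached over http rather than behind TLS, the session will not persist across requests, and nothing in this commit documents that requirement. Either make the flag follow the deployment's transport or add a comment next to it, e.g. `<!-- Secure: the session cookie is only sent over HTTPS; plain-HTTP deployments will not keep a session -->`. The version bump to 3.0 in the first hunk is what makes `<cookie-config>` valid, so the two changes belong together and a one-line comment saying so would help the next reader.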
