diff --git a/kms/config/webserver/ranger-kms-site.xml b/kms/config/webserver/ranger-kms-site.xml
index 8b72cc2b79..13e7ee34ba 100644
--- a/kms/config/webserver/ranger-kms-site.xml
+++ b/kms/config/webserver/ranger-kms-site.xml
@@ -12,67 +12,66 @@
limitations under the License. See accompanying LICENSE file.
-->
-
-
- ranger.service.host
- localhost
-
+
+ ranger.service.host
+ localhost
+
+
+
+ ranger.service.http.port
+ 9292
+
+
+
+ ranger.service.shutdown.port
+ 7085
+
+
+
+ ranger.contextName
+ /
+
-
- ranger.service.http.port
- 9292
-
-
-
- ranger.service.shutdown.port
- 7085
-
-
-
- ranger.contextName
- /kms
-
-
-
- xa.webapp.dir
- ./webapp
-
-
- ranger.service.https.port
- 9393
-
-
- ranger.service.https.attrib.ssl.enabled
- false
-
-
- ajp.enabled
- false
-
-
- ranger.service.https.attrib.client.auth
- want
-
-
- ranger.credential.provider.path
- /etc/ranger/kms/rangerkms.jceks
-
-
- ranger.service.https.attrib.keystore.file
-
-
-
- ranger.service.https.attrib.keystore.keyalias
- rangerkms
-
-
- ranger.service.https.attrib.keystore.pass
-
-
-
- ranger.service.https.attrib.keystore.credential.alias
- keyStoreCredentialAlias
-
+
+ xa.webapp.dir
+ ./webapp
+
+
+ ranger.service.https.port
+ 9393
+
+
+ ranger.service.https.attrib.ssl.enabled
+ false
+
+
+ ajp.enabled
+ false
+
+
+ ranger.service.https.attrib.client.auth
+ want
+
+
+ ranger.credential.provider.path
+ /etc/ranger/kms/rangerkms.jceks
+
+
+ ranger.service.https.attrib.keystore.file
+
+
+
+ ranger.service.https.attrib.keystore.keyalias
+ rangerkms
+
+
+ ranger.service.https.attrib.keystore.pass
+
+
+
+ ranger.service.https.attrib.keystore.credential.alias
+ keyStoreCredentialAlias
+
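Review bot: The one functional change in this hunk, `ranger.contextName` going from `/kms` to `/`, is buried in a whitespace-only re-indentation of the whole file and has no explanation next to it. It is coupled to the web.xml mappings changed in the same commit, which now carry the `/kms` prefix themselves. A comment on the property such as `<!-- context is "/" because web.xml maps the KMS servlet and filters under /kms/* -->` would keep the two files from drifting apart. `ranger.service.https.attrib.ssl.enabled` also stays `false` here, so with these defaults the new HSTS header is sent over plain HTTP unless TLS is terminated in front of the service.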
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/HSTSFilter.java b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/HSTSFilter.java
new file mode 100644
index 0000000000..e8e3405b2f
--- /dev/null
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/HSTSFilter.java
@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.hadoop.crypto.key.kms.server;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import java.io.IOException;
+
+public class HSTSFilter implements Filter {
+
+ static final Logger LOG = LoggerFactory.getLogger(HSTSFilter.class);
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ // Initialization logic if needed
+ }
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+ throws IOException, ServletException {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("===> HSTSFilter:doFilter()");
+ }
+ String path = ((HttpServletRequest) request).getRequestURI();
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> HSTSFilter:doFilter() path = " + path);
+ }
+ HttpServletResponse resp = (HttpServletResponse) response;
+ resp.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload");
+ chain.doFilter(request, response);
+ }
+
+ @Override
+ public void destroy() {
+ // Cleanup logic if needed
+ }
+}
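Review bot: `doFilter` sets `Strict-Transport-Security` on every response with the hard-coded value `max-age=31536000; includeSubDomains; preload`, whether or not the request arrived over TLS. Browsers ignore HSTS received over plain HTTP, so the header belongs behind `if (request.isSecure())`. `includeSubDomains` extends the policy to every subdomain of the KMS host and `preload` signals consent to browser preload lists; both are deployment decisions better read from a filter `init-param` in `init()` than compiled in. The cast `(HttpServletRequest) request` is unchecked, so an `instanceof` test before it would be safer. The debug line reads better as `LOG.debug("==> HSTSFilter:doFilter() path = {}", path);`, which also makes the `isDebugEnabled()` guards unnecessary.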
diff --git a/kms/src/main/webapp/WEB-INF/web.xml b/kms/src/main/webapp/WEB-INF/web.xml
index c3a35bc297..617a27dc0c 100644
--- a/kms/src/main/webapp/WEB-INF/web.xml
+++ b/kms/src/main/webapp/WEB-INF/web.xml
@@ -18,56 +18,66 @@
- ranger-kms
-
-
-
- org.apache.hadoop.crypto.key.kms.server.KMSWebApp
-
-
-
- webservices-driver
- com.sun.jersey.spi.container.servlet.ServletContainer
-
- com.sun.jersey.config.property.packages
- org.apache.hadoop.crypto.key.kms.server
-
- 1
-
-
-
- jmx-servlet
- org.apache.hadoop.crypto.key.kms.server.KMSJMXServlet
-
-
-
- webservices-driver
- /*
-
-
-
- jmx-servlet
- /jmx
-
-
-
- authFilter
- org.apache.hadoop.crypto.key.kms.server.KMSAuthenticationFilter
-
-
-
- MDCFilter
- org.apache.hadoop.crypto.key.kms.server.KMSMDCFilter
-
-
-
- authFilter
- /*
-
-
-
- MDCFilter
- /*
-
+ ranger-kms
+
+
+
+ org.apache.hadoop.crypto.key.kms.server.KMSWebApp
+
+
+
+ webservices-driver
+ com.sun.jersey.spi.container.servlet.ServletContainer
+
+ com.sun.jersey.config.property.packages
+ org.apache.hadoop.crypto.key.kms.server
+
+ 1
+
+
+
+ jmx-servlet
+ org.apache.hadoop.crypto.key.kms.server.KMSJMXServlet
+
+
+
+ webservices-driver
+ /kms/*
+
+
+
+ jmx-servlet
+ /jmx
+
+
+
+ authFilter
+ org.apache.hadoop.crypto.key.kms.server.KMSAuthenticationFilter
+
+
+
+ MDCFilter
+ org.apache.hadoop.crypto.key.kms.server.KMSMDCFilter
+
+
+
+ HSTSFilter
+ org.apache.hadoop.crypto.key.kms.server.HSTSFilter
+
+
+
+ authFilter
+ /kms/*
+
+
+
+ MDCFilter
+ /kms/*
+
+
+
+ HSTSFilter
+ /*
+
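Review bot: With the `authFilter` and `MDCFilter` mappings narrowed from `/*` to `/kms/*` while `jmx-servlet` stays mapped at `/jmx`, the JMX endpoint appears to fall outside `KMSAuthenticationFilter` once the context becomes `/` (the `ranger.contextName` change in ranger-kms-site.xml); the XML element names are lost in this rendering, so this reading is inferred from the values. Before this commit the context was `/kms` and the filter covered `/*`, so `/kms/jmx` passed through authentication. Unless `KMSJMXServlet` enforces access on its own (not visible here), map the servlet with `<url-pattern>/kms/jmx</url-pattern>` or add a second `authFilter` mapping for `/jmx`. The `HSTSFilter` mapping is also declared last, so if `authFilter` rejects a request without calling the chain, that response will not carry the header; declaring the HSTS mapping first would avoid that.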