Apache
/
nifi
mirror of https://github.com/apache/nifi.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nifi/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml

264 lines
10 KiB
XML
Raw Normal View History

Initial code contribution
2014-12-08 15:22:14 -05:00
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
NIFI-6323 Changed URLs for repositories, project description, and mailing lists to use HTTPS. NIFI-6323 Changed URLs for splunk.artifactoryonline.com to use HTTPS (certificate validity warning in browsers, but command-line connection using openssl s_client is successful). NIFI-6323 Changed URLs for XMLNS schema locations to use HTTPS (the XMLNS and schema identifier remain http:// because they are not designed to be resolvable). NIFI-6323 Fixed Maven XML schema descriptor URLs. This closes #3497
2019-05-28 20:14:09 -04:00
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
Initial code contribution
2014-12-08 15:22:14 -05:00
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.apache.nifi</groupId>
NIFI-270 Made all changes identified by adam, mark, joey to prep for a cleaner build
2015-01-21 01:47:48 -05:00
<artifactId>nifi-web</artifactId>
NIFI-9780-RC3 prepare for next development iteration
2022-03-21 14:58:27 -04:00
<version>1.17.0-SNAPSHOT</version>
Initial code contribution
2014-12-08 15:22:14 -05:00
</parent>
NIFI-270 Made all changes identified by adam, mark, joey to prep for a cleaner build
2015-01-21 01:47:48 -05:00
<artifactId>nifi-web-security</artifactId>
NIFI-655: - Refactoring web security to use Spring Security Java Configuration. - Introducing security in Web UI in order to get JWT. NIFI-655: - Setting up the resources (js/css) for the login page. NIFI-655: - Adding support for configuring anonymous roles. - Addressing checkstyle violations. NIFI-655: - Moving to token api to web-api. - Creating an LoginProvider API for user/pass based authentication. - Creating a module for funneling access to the authorized useres. NIFI-655: - Moving away from usage of DN to identity throughout the application (from the user db to the authorization provider). - Updating the authorized users schema to support login users. - Creating an extension point for authentication of users based on username/password. NIFI-655: - Creating an endpoint for returning the identity of the current user. - Updating the LoginAuthenticationFilter. NIFI-655: - Moving NiFi registration to the login page. - Running the authentication filters in a different order to ensure we can disambiguate each case. - Starting to layout each case... Forbidden, Login, Create User, Create NiFi Account. NIFI-655: - Addressing checkstyle issues. NIFI-655: - Making nf-storage available in the login page. - Requiring use of local storage. - Ignoring security for GET requests when obtaining the login configuration. NIFI-655: - Adding a new endpoint to obtain the status of a user registration. - Updated the login page loading to ensure all possible states work. NIFI-655: - Ensuring we know the necessary state before we attempt to render the login page. - Building the proxy chain in the JWT authentication filter. - Only rendering the login when appropriate. NIFI-655: - Starting to style the login page. - Added simple 'login' support by identifying username/password. Issuing JWT token coming... - Added logout support - Rendering the username when appropriate. NIFI-655: - Extracting certificate validation into a utility class. - Fixing checkstyle issues. - Cleaning up the web security context. - Removing proxy chain checking where possible. NIFI-655: - Starting to add support for registration. - Creating registration form. NIFI-655: - Starting to implement the JWT service. - Parsing JWT on client side in order to render who the user currently is when logged in. NIFI-655: - Allowing the user to link back to the log in page from the new account page. - Renaming DN to identity where possible. NIFI-655: - Fixing checkstyle issues. NIFI-655: - Adding more/better support for logging out. NIFI-655: - Fixing checkstyle issues. NIFI-655: - Adding a few new exceptions for the login identity provider. NIFI-655: - Disabling log in by default initially. - Restoring authorization service unit test. NIFI-655: - Fixing checkstyle issues. NIFI-655: - Updating packages for log in filters. - Handling new registration exceptions. - Code clean up. NIFI-655: - Removing registration support. - Removing file based implementation. NIFI-655: - Removing file based implementation. NIFI-655: - Removing unused spring configuration files. NIFI-655: - Making the auto wiring more explicit. NIFI-655: - Removing unused dependencies. NIFI-655: - Removing unused filter. NIFI-655: - Updating the login API authenticate method to use a richer set of exceptions. - UI code clean. NIFI-655: - Ensuring the login identity provider is able to switch context classloaders via the standard NAR mechanisms. NIFI-655: - Initial commit of the LDAP based identity providers. - Fixed issue when attempting to log into a NiFi that does not support new account requests. NIFI-655: - Allowing the ldap provider to specify if client authentication is required/desired. NIFI-655: - Persisting keys to sign user tokens. - Allowing the identity provider to specify the token expiration. - Code clean up. NIFI-655: - Ensuring identities are unique in the key table. NIFI-655: - Adding support for specifying the user search base and user search filter in the active directory provider. NIFI-655: - Fixing checkstyle issues. NIFI-655: - Adding automatic client side token renewal. NIFI-655: - Ensuring the logout link is rendered when appropriate. NIFI-655: - Adding configuration options for referrals and connect/read timeouts NIFI-655: - Added an endpoint for access details including configuration, creating tokens, and checking status. - Updated DTOs and client side to utilize new endpoints. NIFI-655: - Refactoring certificate extraction and validation. - Refactoring how expiration is specified in the login identity providers. - Adding unit tests for the access endpoints. - Code clean up. NIFI-655: - Keeping token expiration between 1 minute and 12 hours. NIFI-655: - Using the user identity provided by the login identity provider. NIFI-655: - Fixed typo in error message for unrecognized authentication strategy. Signed-off-by: Matt Gilman <matt.c.gilman@gmail.com> NIFI-655. - Added logback-test.xml configuration resource for nifi-web-security. Signed-off-by: Matt Gilman <matt.c.gilman@gmail.com> NIFI-655. - Added issuer field to LoginAuthenticationToken. - Updated AccessResource to pass identity provider class name when creating LoginAuthenticationTokens. - Began refactoring JWT logic from request parsing logic in JwtService. - Added unit tests for JWT logic. Signed-off-by: Matt Gilman <matt.c.gilman@gmail.com> NIFI-655. - Changed issuer field to use FQ class name because some classes return an empty string for getSimpleName(). - Finished refactoring JWT logic from request parsing logic in JwtService. - Updated AccessResource and JwtAuthenticationFilter to call new JwtService methods decoupled from request header parsing. - Added extensive unit tests for JWT logic. Signed-off-by: Matt Gilman <matt.c.gilman@gmail.com> NIFI-655: - Refactoring key service to expose the key id. - Handling client side expiration better. - Removing specialized active directory provider and abstract ldap provider. NIFI-655. - Updated JwtService and JwtServiceTest to use Key POJO instead of raw String key from KeyService. Signed-off-by: Matt Gilman <matt.c.gilman@gmail.com> NIFI-655: - Fixing typo when loading the ldap connect timeout. - Providing a better experience for session expiration. - Using ellipsis for lengthly user name. - Adding an issuer to the authentication response so the LIP can specify the appropriate value. NIFI-655: - Showing a logging in notification during the log in process. NIFI-655: - Removing unnecessary class. NIFI-655: - Fixing checkstyle issues. - Showing the progress spinner while submitting account justification. NIFI-655: - Removing deprecated authentication strategy. - Renaming TLS to START_TLS. - Allowing the protocol to be configured. NIFI-655: - Fixing issue detecting the presence of DN column NIFI-655: - Pre-populating the login-identity-providers.xml file with necessary properties and documentation. - Renaming the Authentication Duration property name. NIFI-655: - Updating documentation for the failure response codes. NIFI-655: - Ensuring the user identity is not too long. NIFI-655: - Updating default authentication expiration to 12 hours. NIFI-655: - Remaining on the login form when there is any unsuccessful login attempt. - Fixing checkstyle issues.
2015-10-07 13:33:34 -04:00
<build>
<resources>
<resource>
<directory>src/main/resources</directory>
</resource>
<resource>
<directory>src/main/xsd</directory>
</resource>
</resources>
<plugins>
NIFI-6085 - Added /access/logout endpoint to allow JWT auth tokens to be removed correctly. Added some tests. Found an error in the KeyDAO which did not allow key deletion. NIFI-6085 - Updated logOut method to use NiFiUserUtils and updated tests. NIFI-6085 - Added some more integration tests. NIFI-6085 Suppressed stacktrace when token is used after being invalidated. This closes #3362. Signed-off-by: Andy LoPresto <alopresto@apache.org>
2019-03-08 16:53:11 -05:00
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<executions>
<execution>
<goals>
<goal>test-jar</goal>
</goals>
</execution>
</executions>
</plugin>
NIFI-655: - Refactoring web security to use Spring Security Java Configuration. - Introducing security in Web UI in order to get JWT. NIFI-655: - Setting up the resources (js/css) for the login page. NIFI-655: - Adding support for configuring anonymous roles. - Addressing checkstyle violations. NIFI-655: - Moving to token api to web-api. - Creating an LoginProvider API for user/pass based authentication. - Creating a module for funneling access to the authorized useres. NIFI-655: - Moving away from usage of DN to identity throughout the application (from the user db to the authorization provider). - Updating the authorized users schema to support login users. - Creating an extension point for authentication of users based on username/password. NIFI-655: - Creating an endpoint for returning the identity of the current user. - Updating the LoginAuthenticationFilter. NIFI-655: - Moving NiFi registration to the login page. - Running the authentication filters in a different order to ensure we can disambiguate each case. - Starting to layout each case... Forbidden, Login, Create User, Create NiFi Account. NIFI-655: - Addressing checkstyle issues. NIFI-655: - Making nf-storage available in the login page. - Requiring use of local storage. - Ignoring security for GET requests when obtaining the login configuration. NIFI-655: - Adding a new endpoint to obtain the status of a user registration. - Updated the login page loading to ensure all possible states work. NIFI-655: - Ensuring we know the necessary state before we attempt to render the login page. - Building the proxy chain in the JWT authentication filter. - Only rendering the login when appropriate. NIFI-655: - Starting to style the login page. - Added simple 'login' support by identifying username/password. Issuing JWT token coming... - Added logout support - Rendering the username when appropriate. NIFI-655: - Extracting certificate validation into a utility class. - Fixing checkstyle issues. - Cleaning up the web security context. - Removing proxy chain checking where possible. NIFI-655: - Starting to add support for registration. - Creating registration form. NIFI-655: - Starting to implement the JWT service. - Parsing JWT on client side in order to render who the user currently is when logged in. NIFI-655: - Allowing the user to link back to the log in page from the new account page. - Renaming DN to identity where possible. NIFI-655: - Fixing checkstyle issues. NIFI-655: - Adding more/better support for logging out. NIFI-655: - Fixing checkstyle issues. NIFI-655: - Adding a few new exceptions for the login identity provider. NIFI-655: - Disabling log in by default initially. - Restoring authorization service unit test. NIFI-655: - Fixing checkstyle issues. NIFI-655: - Updating packages for log in filters. - Handling new registration exceptions. - Code clean up. NIFI-655: - Removing registration support. - Removing file based implementation. NIFI-655: - Removing file based implementation. NIFI-655: - Removing unused spring configuration files. NIFI-655: - Making the auto wiring more explicit. NIFI-655: - Removing unused dependencies. NIFI-655: - Removing unused filter. NIFI-655: - Updating the login API authenticate method to use a richer set of exceptions. - UI code clean. NIFI-655: - Ensuring the login identity provider is able to switch context classloaders via the standard NAR mechanisms. NIFI-655: - Initial commit of the LDAP based identity providers. - Fixed issue when attempting to log into a NiFi that does not support new account requests. NIFI-655: - Allowing the ldap provider to specify if client authentication is required/desired. NIFI-655: - Persisting keys to sign user tokens. - Allowing the identity provider to specify the token expiration. - Code clean up. NIFI-655: - Ensuring identities are unique in the key table. NIFI-655: - Adding support for specifying the user search base and user search filter in the active directory provider. NIFI-655: - Fixing checkstyle issues. NIFI-655: - Adding automatic client side token renewal. NIFI-655: - Ensuring the logout link is rendered when appropriate. NIFI-655: - Adding configuration options for referrals and connect/read timeouts NIFI-655: - Added an endpoint for access details including configuration, creating tokens, and checking status. - Updated DTOs and client side to utilize new endpoints. NIFI-655: - Refactoring certificate extraction and validation. - Refactoring how expiration is specified in the login identity providers. - Adding unit tests for the access endpoints. - Code clean up. NIFI-655: - Keeping token expiration between 1 minute and 12 hours. NIFI-655: - Using the user identity provided by the login identity provider. NIFI-655: - Fixed typo in error message for unrecognized authentication strategy. Signed-off-by: Matt Gilman <matt.c.gilman@gmail.com> NIFI-655. - Added logback-test.xml configuration resource for nifi-web-security. Signed-off-by: Matt Gilman <matt.c.gilman@gmail.com> NIFI-655. - Added issuer field to LoginAuthenticationToken. - Updated AccessResource to pass identity provider class name when creating LoginAuthenticationTokens. - Began refactoring JWT logic from request parsing logic in JwtService. - Added unit tests for JWT logic. Signed-off-by: Matt Gilman <matt.c.gilman@gmail.com> NIFI-655. - Changed issuer field to use FQ class name because some classes return an empty string for getSimpleName(). - Finished refactoring JWT logic from request parsing logic in JwtService. - Updated AccessResource and JwtAuthenticationFilter to call new JwtService methods decoupled from request header parsing. - Added extensive unit tests for JWT logic. Signed-off-by: Matt Gilman <matt.c.gilman@gmail.com> NIFI-655: - Refactoring key service to expose the key id. - Handling client side expiration better. - Removing specialized active directory provider and abstract ldap provider. NIFI-655. - Updated JwtService and JwtServiceTest to use Key POJO instead of raw String key from KeyService. Signed-off-by: Matt Gilman <matt.c.gilman@gmail.com> NIFI-655: - Fixing typo when loading the ldap connect timeout. - Providing a better experience for session expiration. - Using ellipsis for lengthly user name. - Adding an issuer to the authentication response so the LIP can specify the appropriate value. NIFI-655: - Showing a logging in notification during the log in process. NIFI-655: - Removing unnecessary class. NIFI-655: - Fixing checkstyle issues. - Showing the progress spinner while submitting account justification. NIFI-655: - Removing deprecated authentication strategy. - Renaming TLS to START_TLS. - Allowing the protocol to be configured. NIFI-655: - Fixing issue detecting the presence of DN column NIFI-655: - Pre-populating the login-identity-providers.xml file with necessary properties and documentation. - Renaming the Authentication Duration property name. NIFI-655: - Updating documentation for the failure response codes. NIFI-655: - Ensuring the user identity is not too long. NIFI-655: - Updating default authentication expiration to 12 hours. NIFI-655: - Remaining on the login form when there is any unsuccessful login attempt. - Fixing checkstyle issues.
2015-10-07 13:33:34 -04:00
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>jaxb2-maven-plugin</artifactId>
<executions>
<execution>
<id>current</id>
<goals>
<goal>xjc</goal>
</goals>
<configuration>
<packageName>org.apache.nifi.authentication.generated</packageName>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<configuration>
<excludes>**/authentication/generated/*.java,</excludes>
</configuration>
NIFI-1257 NIFI-1259 Added utility method to return the maximum acceptable password length for PBE ciphers on JVM with limited strength crypto because BC implementation is undocumented (based on empirical evidence). Updated EncryptionMethod definitions to accurately reflect need for unlimited strength crypto according to algorithm key length. Added processor logic to invoke keyed cipher. Added EncryptContent processor property for raw hex key (always visible until NIFI-1121). Added validations for KDF (keyed and PBE) and hex key. Added utility method to return list of valid key lengths for algorithm. Added description to allowable values for KDF and encryption method in EncryptContent processor. Added IV read/write to KeyedCipherProvider and changed from interface to abstract class. Added salt read/write logic to NifiLegacy and OpenSSL cipher providers. Changed RandomIVPBECipherProvider from interface to abstract class. Updated strong KDF implementations. Renamed CipherFactory to CipherProviderFactory. Added unit test for registered KDF resolution from factory. Updated default iteration count for PBKDF2 cipher provider. Implemented Scrypt cipher provider. Added salt translator from mcrypt format to Java format. Added unit tests for salt formatting and validation. Added surefire block to groovy unit test profile to enforce 3072 MB heap for Scrypt test. Added local Java implementation of Scrypt KDF (and underlying PBKDF2 KDF) from Will Glozer. Defined interface for KeyedCipherProvider. Implemented AES implementation for KeyedCipherProvider. Added Ruby script to test/resources for external compatibility check. Added key length check to PBKDF2 cipher provider. Changed default PRF to SHA-512. Added salt and key length check to PBKDF2 cipher provider. Added utility method to check key length validity for cipher families. Added Bcrypt implementation. Implemented PBKDF2 cipher provider. Added default constructor with strong choices for PBKDF2 cipher provider. Implemented NiFiLegacyCipherProvider and added unit tests. Added key length parameter to PBKDF2 cipher provider. Added PRF resolution to PBKDF2 cipher provider. Added RandomIVPBECipherProvider to allow for non-deterministic IVs. Added new keyed encryption methods and added boolean field for compatibility with new KDFs. Added CipherFactory. Improved Javadoc in NiFi legacy cipher provider and OpenSSL cipher provider. Added KeyedCipherProvider interface. Added OpenSSL PKCS#5 v1.5 EVP_BytesToKey cipher provider and unit test. This closes #201. Signed-off-by: Aldrin Piri <aldrin@apache.org>
2015-12-22 13:12:02 -05:00
</plugin>
NIFI-7888 Added support for authenticating via SAML - Add dependency on spring-security-saml2-core - Updated AccessResource with new SAML end-points - Updated Login/Logout filters to handle SAML scenario - Updated logout process to track a logout request using a cookie - Added database storage for cached SAML credential and user groups - Updated proxied requests when clustered to send IDP groups in a header - Updated X509 filter to process the IDP groups from the header if present - Updated admin guide - Fixed logout action on error page - Updated UserGroupProvider with a default method for getGroupByName - Updated StandardManagedAuthorizer to combine groups from request with groups from lookup - Updated UserGroupProvider implementations with more efficient impl of getGroupByName - Added/updated unit tests - Ensure signing algorithm is applied to all signatures and not just metadata signatures - Added property to specify signature digest algorithm - Added option to specify whether JDK truststore or NiFi's truststore should be used when connecting to IDP over https - Added properties to configure connect and read timeouts for http client - Added URL encoding of issuer when generating JWT to prevent potential issue with the frontend performing base64 decoding - Made atomic replace methods for storing groups and saml credential in database - Added properties to control AuthnRequestsSigned and WantAssertionsSigned in the generated service provider metadata - Dynamically determine the private key alias from the keystore and remove the property for specifying the signing key alias - Fixed unit test - Added property to specify an optional identity attribute which would be used instead of NameID - Cleaned up logging - Fallback to keystore password when key password is blank - Make signature and digest default to SHA-256 when no value provided in nifi.properties This closes #4614
2020-09-15 15:53:32 -04:00
<plugin>
<groupId>org.apache.rat</groupId>
<artifactId>apache-rat-plugin</artifactId>
<configuration>
<excludes combine.children="append">
<exclude>src/test/resources/saml/sso-circle-meta.xml</exclude>
</excludes>
</configuration>
</plugin>
NIFI-655: - Refactoring web security to use Spring Security Java Configuration. - Introducing security in Web UI in order to get JWT. NIFI-655: - Setting up the resources (js/css) for the login page. NIFI-655: - Adding support for configuring anonymous roles. - Addressing checkstyle violations. NIFI-655: - Moving to token api to web-api. - Creating an LoginProvider API for user/pass based authentication. - Creating a module for funneling access to the authorized useres. NIFI-655: - Moving away from usage of DN to identity throughout the application (from the user db to the authorization provider). - Updating the authorized users schema to support login users. - Creating an extension point for authentication of users based on username/password. NIFI-655: - Creating an endpoint for returning the identity of the current user. - Updating the LoginAuthenticationFilter. NIFI-655: - Moving NiFi registration to the login page. - Running the authentication filters in a different order to ensure we can disambiguate each case. - Starting to layout each case... Forbidden, Login, Create User, Create NiFi Account. NIFI-655: - Addressing checkstyle issues. NIFI-655: - Making nf-storage available in the login page. - Requiring use of local storage. - Ignoring security for GET requests when obtaining the login configuration. NIFI-655: - Adding a new endpoint to obtain the status of a user registration. - Updated the login page loading to ensure all possible states work. NIFI-655: - Ensuring we know the necessary state before we attempt to render the login page. - Building the proxy chain in the JWT authentication filter. - Only rendering the login when appropriate. NIFI-655: - Starting to style the login page. - Added simple 'login' support by identifying username/password. Issuing JWT token coming... - Added logout support - Rendering the username when appropriate. NIFI-655: - Extracting certificate validation into a utility class. - Fixing checkstyle issues. - Cleaning up the web security context. - Removing proxy chain checking where possible. NIFI-655: - Starting to add support for registration. - Creating registration form. NIFI-655: - Starting to implement the JWT service. - Parsing JWT on client side in order to render who the user currently is when logged in. NIFI-655: - Allowing the user to link back to the log in page from the new account page. - Renaming DN to identity where possible. NIFI-655: - Fixing checkstyle issues. NIFI-655: - Adding more/better support for logging out. NIFI-655: - Fixing checkstyle issues. NIFI-655: - Adding a few new exceptions for the login identity provider. NIFI-655: - Disabling log in by default initially. - Restoring authorization service unit test. NIFI-655: - Fixing checkstyle issues. NIFI-655: - Updating packages for log in filters. - Handling new registration exceptions. - Code clean up. NIFI-655: - Removing registration support. - Removing file based implementation. NIFI-655: - Removing file based implementation. NIFI-655: - Removing unused spring configuration files. NIFI-655: - Making the auto wiring more explicit. NIFI-655: - Removing unused dependencies. NIFI-655: - Removing unused filter. NIFI-655: - Updating the login API authenticate method to use a richer set of exceptions. - UI code clean. NIFI-655: - Ensuring the login identity provider is able to switch context classloaders via the standard NAR mechanisms. NIFI-655: - Initial commit of the LDAP based identity providers. - Fixed issue when attempting to log into a NiFi that does not support new account requests. NIFI-655: - Allowing the ldap provider to specify if client authentication is required/desired. NIFI-655: - Persisting keys to sign user tokens. - Allowing the identity provider to specify the token expiration. - Code clean up. NIFI-655: - Ensuring identities are unique in the key table. NIFI-655: - Adding support for specifying the user search base and user search filter in the active directory provider. NIFI-655: - Fixing checkstyle issues. NIFI-655: - Adding automatic client side token renewal. NIFI-655: - Ensuring the logout link is rendered when appropriate. NIFI-655: - Adding configuration options for referrals and connect/read timeouts NIFI-655: - Added an endpoint for access details including configuration, creating tokens, and checking status. - Updated DTOs and client side to utilize new endpoints. NIFI-655: - Refactoring certificate extraction and validation. - Refactoring how expiration is specified in the login identity providers. - Adding unit tests for the access endpoints. - Code clean up. NIFI-655: - Keeping token expiration between 1 minute and 12 hours. NIFI-655: - Using the user identity provided by the login identity provider. NIFI-655: - Fixed typo in error message for unrecognized authentication strategy. Signed-off-by: Matt Gilman <matt.c.gilman@gmail.com> NIFI-655. - Added logback-test.xml configuration resource for nifi-web-security. Signed-off-by: Matt Gilman <matt.c.gilman@gmail.com> NIFI-655. - Added issuer field to LoginAuthenticationToken. - Updated AccessResource to pass identity provider class name when creating LoginAuthenticationTokens. - Began refactoring JWT logic from request parsing logic in JwtService. - Added unit tests for JWT logic. Signed-off-by: Matt Gilman <matt.c.gilman@gmail.com> NIFI-655. - Changed issuer field to use FQ class name because some classes return an empty string for getSimpleName(). - Finished refactoring JWT logic from request parsing logic in JwtService. - Updated AccessResource and JwtAuthenticationFilter to call new JwtService methods decoupled from request header parsing. - Added extensive unit tests for JWT logic. Signed-off-by: Matt Gilman <matt.c.gilman@gmail.com> NIFI-655: - Refactoring key service to expose the key id. - Handling client side expiration better. - Removing specialized active directory provider and abstract ldap provider. NIFI-655. - Updated JwtService and JwtServiceTest to use Key POJO instead of raw String key from KeyService. Signed-off-by: Matt Gilman <matt.c.gilman@gmail.com> NIFI-655: - Fixing typo when loading the ldap connect timeout. - Providing a better experience for session expiration. - Using ellipsis for lengthly user name. - Adding an issuer to the authentication response so the LIP can specify the appropriate value. NIFI-655: - Showing a logging in notification during the log in process. NIFI-655: - Removing unnecessary class. NIFI-655: - Fixing checkstyle issues. - Showing the progress spinner while submitting account justification. NIFI-655: - Removing deprecated authentication strategy. - Renaming TLS to START_TLS. - Allowing the protocol to be configured. NIFI-655: - Fixing issue detecting the presence of DN column NIFI-655: - Pre-populating the login-identity-providers.xml file with necessary properties and documentation. - Renaming the Authentication Duration property name. NIFI-655: - Updating documentation for the failure response codes. NIFI-655: - Ensuring the user identity is not too long. NIFI-655: - Updating default authentication expiration to 12 hours. NIFI-655: - Remaining on the login form when there is any unsuccessful login attempt. - Fixing checkstyle issues.
2015-10-07 13:33:34 -04:00
</plugins>
</build>
NIFI-5176 NiFI builds on Java 11 Added "jigsaw" profile to multiple modules, which auto-activates when building with Java 11 and adds several dependencies: jaxb, activation, and annotation-api. Updated SslContextFactory to return tuple of socket factory with trust manager for issue with okhttp api changes in java 9+ Updated TestGet/PostHTTPGroovy to use default SSL context to get default cipher suites Updated StandardTemplateDAOSpec.groovy, was using a 37-character UUID, shortened to 36 characters. Multiple tests updated to specifically use TLSv1.2, since two-way TLSv1.3 for some component tests fail during the Java 11 build. Needs more investigation. Replaced GString with String concatenation for map key's value in ScriptedReportingTaskGroovyTest to avoid runtime error of casting GString to String when retrieved from a map that is storing the GString Removed nifi-toolkit-api plugin configuration of maven-compiler-plugin, it is inherited Resolved deprecation errors during Groovy compile for bouncycastle, Extension should be used in place of X509Extension Fixed JNAOverridingJUnitRunner's creation of the classpath for the custom classloader created to be able to mock jna classes Removed import of IOUtils (from the wrong package) from InferenceSchemaStrategy Updated maven-compiler-plugin version to 3.8.1 TLS (default in Java 11 is TLSv1.3) working for Site-to-Site client tests after upgrading JDK installation to JDK 11.0.3, httpclient5 5.0-beta4, and httpasyncclient 4.1.4 HttpNotificationService updated to find and use the first found X509TrustManager rather than casting directly from the array of TrustManagers returned from SslContextFactory Removed unnecessary throws declaration from getSslSocketFactory method Replaced DnsContextFactory.class.getName() with a string to avoid having to export/open the jdk.naming.dns module Updated TestGetIgniteCache and TestPutIgniteCache.java to skip tests on Java 11+ (via Assume), and noted the check should be removed once a version of Ignite is released that supports Java 11 Updated SpringContextProcessor to create proper ClassLoader and uses URLClassloader.getResource() instead of URLClassloader.findResource() in isConfigResolvable. Due to the application classloader no longer being a URLClassLoader in Java 9+, the URLClassLoader created in isConfigResolvable no longer has explicit access to the parent's resources as URLs. URLClassLoader.getResource() searches the parent classloaders, and must be used instead of URLClassLoader.findResource() which only searches the URLs in the URLClassLoader and does not search the parent classloaders. NIFI-5176 Moved exclusion of jdk.tools to the jigsaw profile in the POMs of nifi-hbase_1_1_2-client-service and nifi-hbase_2-client-service NIFI-5176 Updated site-to-site-client's POM to use properties to establish the correct httpclient dependency for when building with Java 11 This closes #3404.
2018-11-30 13:14:31 -05:00
<profiles>
<profile>
<!-- This profile, activating when compiling on Java versions above 1.8, provides configuration changes to
allow NiFi to be compiled on those JDKs. -->
<id>jigsaw</id>
<activation>
<jdk>(1.8,)</jdk>
</activation>
<build>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>jaxb2-maven-plugin</artifactId>
<executions>
<execution>
<id>current</id>
<configuration>
<skipXjc>true</skipXjc>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.jvnet.jaxb2.maven2</groupId>
<artifactId>maven-jaxb2-plugin</artifactId>
<executions>
<execution>
<id>current</id>
<goals>
<goal>generate</goal>
</goals>
<configuration>
<generatePackage>org.apache.nifi.authentication.generated</generatePackage>
<schemaDirectory>src/main/xsd</schemaDirectory>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
<dependencies>
<dependency>
NIFI-9067 Upgraded JAXB Runtime from 2.3.0 to 2.3.5 - Replaced old com.sun.xml.bind:jaxb-impl and jaxb-core with current org.glassfish.jaxb:jaxb-runtime - Replaced old javax.xml.bind:jaxb-api with current jakarta.xml.bind-api - Removed unnecessary dependency references to javax.activation-api This closes #5320 Signed-off-by: Mike Thomsen <mthomsen@apache.org>
2021-08-19 16:42:13 -04:00
<groupId>jakarta.xml.bind</groupId>
<artifactId>jakarta.xml.bind-api</artifactId>
NIFI-5176 NiFI builds on Java 11 Added "jigsaw" profile to multiple modules, which auto-activates when building with Java 11 and adds several dependencies: jaxb, activation, and annotation-api. Updated SslContextFactory to return tuple of socket factory with trust manager for issue with okhttp api changes in java 9+ Updated TestGet/PostHTTPGroovy to use default SSL context to get default cipher suites Updated StandardTemplateDAOSpec.groovy, was using a 37-character UUID, shortened to 36 characters. Multiple tests updated to specifically use TLSv1.2, since two-way TLSv1.3 for some component tests fail during the Java 11 build. Needs more investigation. Replaced GString with String concatenation for map key's value in ScriptedReportingTaskGroovyTest to avoid runtime error of casting GString to String when retrieved from a map that is storing the GString Removed nifi-toolkit-api plugin configuration of maven-compiler-plugin, it is inherited Resolved deprecation errors during Groovy compile for bouncycastle, Extension should be used in place of X509Extension Fixed JNAOverridingJUnitRunner's creation of the classpath for the custom classloader created to be able to mock jna classes Removed import of IOUtils (from the wrong package) from InferenceSchemaStrategy Updated maven-compiler-plugin version to 3.8.1 TLS (default in Java 11 is TLSv1.3) working for Site-to-Site client tests after upgrading JDK installation to JDK 11.0.3, httpclient5 5.0-beta4, and httpasyncclient 4.1.4 HttpNotificationService updated to find and use the first found X509TrustManager rather than casting directly from the array of TrustManagers returned from SslContextFactory Removed unnecessary throws declaration from getSslSocketFactory method Replaced DnsContextFactory.class.getName() with a string to avoid having to export/open the jdk.naming.dns module Updated TestGetIgniteCache and TestPutIgniteCache.java to skip tests on Java 11+ (via Assume), and noted the check should be removed once a version of Ignite is released that supports Java 11 Updated SpringContextProcessor to create proper ClassLoader and uses URLClassloader.getResource() instead of URLClassloader.findResource() in isConfigResolvable. Due to the application classloader no longer being a URLClassLoader in Java 9+, the URLClassLoader created in isConfigResolvable no longer has explicit access to the parent's resources as URLs. URLClassLoader.getResource() searches the parent classloaders, and must be used instead of URLClassLoader.findResource() which only searches the URLs in the URLClassLoader and does not search the parent classloaders. NIFI-5176 Moved exclusion of jdk.tools to the jigsaw profile in the POMs of nifi-hbase_1_1_2-client-service and nifi-hbase_2-client-service NIFI-5176 Updated site-to-site-client's POM to use properties to establish the correct httpclient dependency for when building with Java 11 This closes #3404.
2018-11-30 13:14:31 -05:00
</dependency>
<dependency>
NIFI-9067 Upgraded JAXB Runtime from 2.3.0 to 2.3.5 - Replaced old com.sun.xml.bind:jaxb-impl and jaxb-core with current org.glassfish.jaxb:jaxb-runtime - Replaced old javax.xml.bind:jaxb-api with current jakarta.xml.bind-api - Removed unnecessary dependency references to javax.activation-api This closes #5320 Signed-off-by: Mike Thomsen <mthomsen@apache.org>
2021-08-19 16:42:13 -04:00
<groupId>org.glassfish.jaxb</groupId>
<artifactId>jaxb-runtime</artifactId>
NIFI-5176 NiFI builds on Java 11 Added "jigsaw" profile to multiple modules, which auto-activates when building with Java 11 and adds several dependencies: jaxb, activation, and annotation-api. Updated SslContextFactory to return tuple of socket factory with trust manager for issue with okhttp api changes in java 9+ Updated TestGet/PostHTTPGroovy to use default SSL context to get default cipher suites Updated StandardTemplateDAOSpec.groovy, was using a 37-character UUID, shortened to 36 characters. Multiple tests updated to specifically use TLSv1.2, since two-way TLSv1.3 for some component tests fail during the Java 11 build. Needs more investigation. Replaced GString with String concatenation for map key's value in ScriptedReportingTaskGroovyTest to avoid runtime error of casting GString to String when retrieved from a map that is storing the GString Removed nifi-toolkit-api plugin configuration of maven-compiler-plugin, it is inherited Resolved deprecation errors during Groovy compile for bouncycastle, Extension should be used in place of X509Extension Fixed JNAOverridingJUnitRunner's creation of the classpath for the custom classloader created to be able to mock jna classes Removed import of IOUtils (from the wrong package) from InferenceSchemaStrategy Updated maven-compiler-plugin version to 3.8.1 TLS (default in Java 11 is TLSv1.3) working for Site-to-Site client tests after upgrading JDK installation to JDK 11.0.3, httpclient5 5.0-beta4, and httpasyncclient 4.1.4 HttpNotificationService updated to find and use the first found X509TrustManager rather than casting directly from the array of TrustManagers returned from SslContextFactory Removed unnecessary throws declaration from getSslSocketFactory method Replaced DnsContextFactory.class.getName() with a string to avoid having to export/open the jdk.naming.dns module Updated TestGetIgniteCache and TestPutIgniteCache.java to skip tests on Java 11+ (via Assume), and noted the check should be removed once a version of Ignite is released that supports Java 11 Updated SpringContextProcessor to create proper ClassLoader and uses URLClassloader.getResource() instead of URLClassloader.findResource() in isConfigResolvable. Due to the application classloader no longer being a URLClassLoader in Java 9+, the URLClassLoader created in isConfigResolvable no longer has explicit access to the parent's resources as URLs. URLClassLoader.getResource() searches the parent classloaders, and must be used instead of URLClassLoader.findResource() which only searches the URLs in the URLClassLoader and does not search the parent classloaders. NIFI-5176 Moved exclusion of jdk.tools to the jigsaw profile in the POMs of nifi-hbase_1_1_2-client-service and nifi-hbase_2-client-service NIFI-5176 Updated site-to-site-client's POM to use properties to establish the correct httpclient dependency for when building with Java 11 This closes #3404.
2018-11-30 13:14:31 -05:00
</dependency>
</dependencies>
</profile>
</profiles>
Initial code contribution
2014-12-08 15:22:14 -05:00
<dependencies>
<dependency>
<groupId>org.apache.nifi</groupId>
<artifactId>nifi-administration</artifactId>
</dependency>
NIFI-655: - Refactoring web security to use Spring Security Java Configuration. - Introducing security in Web UI in order to get JWT. NIFI-655: - Setting up the resources (js/css) for the login page. NIFI-655: - Adding support for configuring anonymous roles. - Addressing checkstyle violations. NIFI-655: - Moving to token api to web-api. - Creating an LoginProvider API for user/pass based authentication. - Creating a module for funneling access to the authorized useres. NIFI-655: - Moving away from usage of DN to identity throughout the application (from the user db to the authorization provider). - Updating the authorized users schema to support login users. - Creating an extension point for authentication of users based on username/password. NIFI-655: - Creating an endpoint for returning the identity of the current user. - Updating the LoginAuthenticationFilter. NIFI-655: - Moving NiFi registration to the login page. - Running the authentication filters in a different order to ensure we can disambiguate each case. - Starting to layout each case... Forbidden, Login, Create User, Create NiFi Account. NIFI-655: - Addressing checkstyle issues. NIFI-655: - Making nf-storage available in the login page. - Requiring use of local storage. - Ignoring security for GET requests when obtaining the login configuration. NIFI-655: - Adding a new endpoint to obtain the status of a user registration. - Updated the login page loading to ensure all possible states work. NIFI-655: - Ensuring we know the necessary state before we attempt to render the login page. - Building the proxy chain in the JWT authentication filter. - Only rendering the login when appropriate. NIFI-655: - Starting to style the login page. - Added simple 'login' support by identifying username/password. Issuing JWT token coming... - Added logout support - Rendering the username when appropriate. NIFI-655: - Extracting certificate validation into a utility class. - Fixing checkstyle issues. - Cleaning up the web security context. - Removing proxy chain checking where possible. NIFI-655: - Starting to add support for registration. - Creating registration form. NIFI-655: - Starting to implement the JWT service. - Parsing JWT on client side in order to render who the user currently is when logged in. NIFI-655: - Allowing the user to link back to the log in page from the new account page. - Renaming DN to identity where possible. NIFI-655: - Fixing checkstyle issues. NIFI-655: - Adding more/better support for logging out. NIFI-655: - Fixing checkstyle issues. NIFI-655: - Adding a few new exceptions for the login identity provider. NIFI-655: - Disabling log in by default initially. - Restoring authorization service unit test. NIFI-655: - Fixing checkstyle issues. NIFI-655: - Updating packages for log in filters. - Handling new registration exceptions. - Code clean up. NIFI-655: - Removing registration support. - Removing file based implementation. NIFI-655: - Removing file based implementation. NIFI-655: - Removing unused spring configuration files. NIFI-655: - Making the auto wiring more explicit. NIFI-655: - Removing unused dependencies. NIFI-655: - Removing unused filter. NIFI-655: - Updating the login API authenticate method to use a richer set of exceptions. - UI code clean. NIFI-655: - Ensuring the login identity provider is able to switch context classloaders via the standard NAR mechanisms. NIFI-655: - Initial commit of the LDAP based identity providers. - Fixed issue when attempting to log into a NiFi that does not support new account requests. NIFI-655: - Allowing the ldap provider to specify if client authentication is required/desired. NIFI-655: - Persisting keys to sign user tokens. - Allowing the identity provider to specify the token expiration. - Code clean up. NIFI-655: - Ensuring identities are unique in the key table. NIFI-655: - Adding support for specifying the user search base and user search filter in the active directory provider. NIFI-655: - Fixing checkstyle issues. NIFI-655: - Adding automatic client side token renewal. NIFI-655: - Ensuring the logout link is rendered when appropriate. NIFI-655: - Adding configuration options for referrals and connect/read timeouts NIFI-655: - Added an endpoint for access details including configuration, creating tokens, and checking status. - Updated DTOs and client side to utilize new endpoints. NIFI-655: - Refactoring certificate extraction and validation. - Refactoring how expiration is specified in the login identity providers. - Adding unit tests for the access endpoints. - Code clean up. NIFI-655: - Keeping token expiration between 1 minute and 12 hours. NIFI-655: - Using the user identity provided by the login identity provider. NIFI-655: - Fixed typo in error message for unrecognized authentication strategy. Signed-off-by: Matt Gilman <matt.c.gilman@gmail.com> NIFI-655. - Added logback-test.xml configuration resource for nifi-web-security. Signed-off-by: Matt Gilman <matt.c.gilman@gmail.com> NIFI-655. - Added issuer field to LoginAuthenticationToken. - Updated AccessResource to pass identity provider class name when creating LoginAuthenticationTokens. - Began refactoring JWT logic from request parsing logic in JwtService. - Added unit tests for JWT logic. Signed-off-by: Matt Gilman <matt.c.gilman@gmail.com> NIFI-655. - Changed issuer field to use FQ class name because some classes return an empty string for getSimpleName(). - Finished refactoring JWT logic from request parsing logic in JwtService. - Updated AccessResource and JwtAuthenticationFilter to call new JwtService methods decoupled from request header parsing. - Added extensive unit tests for JWT logic. Signed-off-by: Matt Gilman <matt.c.gilman@gmail.com> NIFI-655: - Refactoring key service to expose the key id. - Handling client side expiration better. - Removing specialized active directory provider and abstract ldap provider. NIFI-655. - Updated JwtService and JwtServiceTest to use Key POJO instead of raw String key from KeyService. Signed-off-by: Matt Gilman <matt.c.gilman@gmail.com> NIFI-655: - Fixing typo when loading the ldap connect timeout. - Providing a better experience for session expiration. - Using ellipsis for lengthly user name. - Adding an issuer to the authentication response so the LIP can specify the appropriate value. NIFI-655: - Showing a logging in notification during the log in process. NIFI-655: - Removing unnecessary class. NIFI-655: - Fixing checkstyle issues. - Showing the progress spinner while submitting account justification. NIFI-655: - Removing deprecated authentication strategy. - Renaming TLS to START_TLS. - Allowing the protocol to be configured. NIFI-655: - Fixing issue detecting the presence of DN column NIFI-655: - Pre-populating the login-identity-providers.xml file with necessary properties and documentation. - Renaming the Authentication Duration property name. NIFI-655: - Updating documentation for the failure response codes. NIFI-655: - Ensuring the user identity is not too long. NIFI-655: - Updating default authentication expiration to 12 hours. NIFI-655: - Remaining on the login form when there is any unsuccessful login attempt. - Fixing checkstyle issues.
2015-10-07 13:33:34 -04:00
<dependency>
<groupId>org.apache.nifi</groupId>
<artifactId>nifi-nar-utils</artifactId>
</dependency>
Initial code contribution
2014-12-08 15:22:14 -05:00
<dependency>
<groupId>org.apache.nifi</groupId>
<artifactId>nifi-api</artifactId>
</dependency>
NIFI-1896 This closes #650. Refactored nifi-api into nifi-framework-api and other locations. The nifi-api is specific to that which is needed for intended extension points.
2016-07-13 09:28:19 -04:00
<dependency>
<groupId>org.apache.nifi</groupId>
<artifactId>nifi-framework-api</artifactId>
</dependency>
Initial code contribution
2014-12-08 15:22:14 -05:00
<dependency>
<groupId>org.apache.nifi</groupId>
<artifactId>nifi-web-utils</artifactId>
</dependency>
NIFI-4353 - Added XmlUtils class. - Added unit test. - Added XXE test resource. - Refactored JAXB unmarshalling globally to prevent XXE attacks. - Refactored duplicated/legacy code. - Cleaned up commented code. - Switched from FileInputStream back to StreamSource in AuthorizerFactoryBean. - This closes #2134
2017-09-06 19:45:13 -04:00
<dependency>
<groupId>org.apache.nifi</groupId>
<artifactId>nifi-security-utils</artifactId>
</dependency>
Initial code contribution
2014-12-08 15:22:14 -05:00
<dependency>
<groupId>org.apache.nifi</groupId>
NIFI-270 Made all changes identified by adam, mark, joey to prep for a cleaner build
2015-01-21 01:47:48 -05:00
<artifactId>nifi-framework-core</artifactId>
Initial code contribution
2014-12-08 15:22:14 -05:00
</dependency>
NIFI-1554: - Populating component entities in the REST API to decouple key fields from the configuration DTOs. - Added initial support for components in UI when access isn't allowed. Formal styling to come later.
2016-04-29 14:49:13 -04:00
<dependency>
<groupId>org.apache.nifi</groupId>
<artifactId>nifi-framework-authorization</artifactId>
</dependency>
Initial code contribution
2014-12-08 15:22:14 -05:00
<dependency>
<groupId>org.bouncycastle</groupId>
NIFI-1324: Changed Maven dependencies for BouncyCastle bcprov and bcpg from jdk16:1.46 to jdk15on:1.53 (kept nifi-web-security on jdk16:1.46 because jdk15on:1.53 splits OCSP logic into new module bcpkix). Added individual unit tests for PGP public keyring validation. Passes all legacy unit tests. Added TODOs for customizable brick encryption and refactoring shared code. Cleaned up magic numbers to constants. Added unit tests for OpenPGPPasswordBasedEncryptor (internal consistency and legacy file decrypt). Began refactoring shared encrypt code from OpenPGP* implementations. Extracted encrypt utility method from OpenPGPPasswordBasedEncryptor to PGPUtil class. Added test resources (signed and unsigned key-encrypted files). Added unit tests for OpenPGPKeyBasedEncryptor (internal consistency and external file decrypt). Changed BC dependency for nifi-web-security to bcprov-jdk15on:1.53 and bcpkix-jdk15on:1.53. Updated OCSPValidator to use new BC logic for OCSP validation. This code compiles but should be fully audited, as the legacy OCSP validation was not completely implemented. Added skeleton of OCSP validator unit tests with successful keypair and certificate generation and signing code. Added further unit tests for issued certificates. Annotated unimplemented unit tests with note about Groovy integration. Refactored Jersey call in OCSPCertificateValidator to internal method. Added toString() to NiFi local OcspRequest. Implemented positive & negative unit tests with cache injection for valid/revoked OCSP certificate. Resolved contrib-check issues. Removed ignored code in unit test. Signed-off-by: Matt Gilman <matt.c.gilman@gmail.com>
2015-12-22 22:03:09 -05:00
<artifactId>bcprov-jdk15on</artifactId>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk15on</artifactId>
Initial code contribution
2014-12-08 15:22:14 -05:00
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jdbc</artifactId>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<scope>provided</scope>
</dependency>
NIFI-7888 Added support for authenticating via SAML - Add dependency on spring-security-saml2-core - Updated AccessResource with new SAML end-points - Updated Login/Logout filters to handle SAML scenario - Updated logout process to track a logout request using a cookie - Added database storage for cached SAML credential and user groups - Updated proxied requests when clustered to send IDP groups in a header - Updated X509 filter to process the IDP groups from the header if present - Updated admin guide - Fixed logout action on error page - Updated UserGroupProvider with a default method for getGroupByName - Updated StandardManagedAuthorizer to combine groups from request with groups from lookup - Updated UserGroupProvider implementations with more efficient impl of getGroupByName - Added/updated unit tests - Ensure signing algorithm is applied to all signatures and not just metadata signatures - Added property to specify signature digest algorithm - Added option to specify whether JDK truststore or NiFi's truststore should be used when connecting to IDP over https - Added properties to configure connect and read timeouts for http client - Added URL encoding of issuer when generating JWT to prevent potential issue with the frontend performing base64 decoding - Made atomic replace methods for storing groups and saml credential in database - Added properties to control AuthnRequestsSigned and WantAssertionsSigned in the generated service provider metadata - Dynamically determine the private key alias from the keystore and remove the property for specifying the signing key alias - Fixed unit test - Added property to specify an optional identity attribute which would be used instead of NameID - Cleaned up logging - Fallback to keystore password when key password is blank - Make signature and digest default to SHA-256 when no value provided in nifi.properties This closes #4614
2020-09-15 15:53:32 -04:00
<dependency>
<groupId>org.springframework.security.extensions</groupId>
<artifactId>spring-security-saml2-core</artifactId>
</dependency>
NIFI-1274 Added Kerberos authentication mechanism. NIFI-1274 Cleaned up TODO statements. (+3 squashed commits) Squashed commits: [fd101cd] Removed logic to check for presence of services to determine if token support is enabled when username/password authentication is enabled (Kerberos also requires tokens). [c2ce29f] Reverted import changes to RulesResource.java. [c269d72] Added Kerberos authentication mechanism. Moved Kerberos service wiring from XML to Java to handle scenario where admin has not configured Kerberos (previously threw NullPointerException in FileSystemResource constructor). (+15 squashed commits) Squashed commits: [09fc694] Added Kerberos documentation to Admin Guide. [ecfb864] Cleaned up unused logic. [157efb3] Added logic to determine if client certificates are required for REST API (login, anonymous, and Kerberos service authentication all disabled). Cleaned up KerberosService by moving logic to NiFiProperties. [5438619] Added documentation for Kerberos login-identity-providers.xml. [3332d9f] Added NiFi properties for Kerberos SSO. [b14a557] Fixed canvas call to only attempt Kerberos login if JWT not present in local storage. Added logic to handle ticket validation failure in AccessResource. Changed wiring of Kerberos service beans to XML in nifi-web-security-context.xml for consistency. [c31ae3d] Kerberos SPNEGO works without additional filter (new entry endpoint accepts Kerberos ticket in Authorization header and returns JWT so the rest of the application functions the same as LDAP). [98460e7] Added check to only instantiate beans when Kerberos enabled to allow access control integration tests to pass. [6ed0724] Renamed Kerberos discovery method to be explicit about service vs. credential login. [ed67d2e] Removed temporary solution for Rules Resource access via Kerberos ticket. [c8b2b01] Added temporary solution for Rules Resource access via Kerberos ticket. [81ca80f] NIFI-1274 Added KerberosAuthenticationFilter to conduct SPNEGO authentication with local (client) Kerberos ticket. Added properties and accessors for service principal and keytab location for NiFi app server. Added KAF to NiFiWebApiSecurityConfiguration. Added AlternateKerberosUserDetailsService to provide user lookup without dependency on extension bundle (nifi-kerberos-iaa-provider). Added dependencies on spring-security-kerberos-core and -web modules to pom.xml. [0605ba8] Added working configuration files to test/resources in kerberos module to document necessary config. This version requires the user to enter their Kerberos username (without realm) and password into the NiFi login screen and will authenticate them against the running KDC. Also includes a sample keystore and root CA public key for configuring a secure instance. [49236c8] Added kerberos module dependencies to nifi/pom.xml and nifi-assembly/pom.xml. Added default properties to login-identity-providers.xml. [928c52b] Added nifi-kerberos-iaa-providers-bundle module to nifi/pom.xml. Added skeleton of Kerberos authenticator using Spring Security Kerberos plugin. This closes #284 Signed-off-by: Matt Gilman <matt.c.gilman@gmail.com>
2016-03-11 18:11:19 -05:00
<dependency>
<groupId>org.springframework.security.kerberos</groupId>
<artifactId>spring-security-kerberos-core</artifactId>
</dependency>
NIFI-8766 Implemented RS512 Algorithm for JWT Signing - Replaced per-user symmetric-key HS256 with shared and rotated RSA asymmetric-key RS512 implementation - Added nifi.security.user.jws.key.rotation.period property for RSA Key Pair rotation - Added JSON Web Tokens section to Administration Guide - Implemented persistent storage of RSA Public Keys for verification using Local State Manager - Implemented JWT revocation on logout with persistence using Local State Manager - Refactored JWT implementation using Spring Security OAuth2 and Nimbus JWT - Refactored Spring Security Provider configuration using Java instead of XML - Removed H2 storage of per-user keys - Upgraded nimbus-jose-jwt from 7.9 to 9.11.2 NIFI-8766 Corrected AuthenticationException handling in AccessResource.getAccessStatus - Added nifi.user.security.jws.key.rotation.period to default nifi.properties - Updated logging statements and clarified configuration and method documentation NIFI-8766 Changed Algorithm to PS512 and updated documentation Signed-off-by: Nathan Gough <thenatog@gmail.com> This closes #5262.
2021-07-28 17:45:39 -04:00
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-resource-server</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-core</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-jose</artifactId>
</dependency>
NIFI-8264 Replaced commons-logging with jcl-over-slf4j in framework modules Signed-off-by: Matthew Burgess <mattyb149@apache.org> This closes #4848
2021-02-25 12:59:03 -05:00
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
</dependency>
NIFI-4210: - Introducing support for OpenId Connect. - Updating REST API and UI to support the authorization code flow. - Adding/fixing documentation. - Implementing time constant equality checks where appropriate. - Corrected error handling during startup and throughout the OIDC login sequence. - Redacting the token values from the user log. - Defaulting to RS256 when not preferred algorithm is specified. - Marking the OIDC endpoints as non-guaranteed in to allow for minor adjustments if/when additional SSO techniques are introduced. This closes #2047. Signed-off-by: Andy LoPresto <alopresto@apache.org>
2017-08-01 10:46:45 -04:00
<dependency>
<groupId>com.nimbusds</groupId>
<artifactId>oauth2-oidc-sdk</artifactId>
</dependency>
NIFI-4444: - Upgrading to Jersey 2.x. - Updating NOTICE files where necessary. - Fixing checkstyle issues. This closes #2206. Signed-off-by: Andy LoPresto <alopresto@apache.org>
2017-10-02 17:01:31 -04:00
<dependency>
<groupId>javax.ws.rs</groupId>
<artifactId>javax.ws.rs-api</artifactId>
</dependency>
<dependency>
<groupId>org.glassfish.jersey.core</groupId>
<artifactId>jersey-client</artifactId>
</dependency>
<dependency>
<groupId>org.glassfish.jersey.media</groupId>
<artifactId>jersey-media-json-jackson</artifactId>
</dependency>
NIFI-8766 Implemented RS512 Algorithm for JWT Signing - Replaced per-user symmetric-key HS256 with shared and rotated RSA asymmetric-key RS512 implementation - Added nifi.security.user.jws.key.rotation.period property for RSA Key Pair rotation - Added JSON Web Tokens section to Administration Guide - Implemented persistent storage of RSA Public Keys for verification using Local State Manager - Implemented JWT revocation on logout with persistence using Local State Manager - Refactored JWT implementation using Spring Security OAuth2 and Nimbus JWT - Refactored Spring Security Provider configuration using Java instead of XML - Removed H2 storage of per-user keys - Upgraded nimbus-jose-jwt from 7.9 to 9.11.2 NIFI-8766 Corrected AuthenticationException handling in AccessResource.getAccessStatus - Added nifi.user.security.jws.key.rotation.period to default nifi.properties - Updated logging statements and clarified configuration and method documentation NIFI-8766 Changed Algorithm to PS512 and updated documentation Signed-off-by: Nathan Gough <thenatog@gmail.com> This closes #5262.
2021-07-28 17:45:39 -04:00
<dependency>
<groupId>com.fasterxml.jackson.datatype</groupId>
<artifactId>jackson-datatype-jsr310</artifactId>
<version>${jackson.version}</version>
</dependency>
NIFI-4444: - Upgrading to Jersey 2.x. - Updating NOTICE files where necessary. - Fixing checkstyle issues. This closes #2206. Signed-off-by: Andy LoPresto <alopresto@apache.org>
2017-10-02 17:01:31 -04:00
<dependency>
<groupId>org.codehaus.jettison</groupId>
<artifactId>jettison</artifactId>
<scope>test</scope>
</dependency>
NIFI-5366 - Added ContentSecurityPolicyFilter which stops framing of NiFi resources. It applies the Content-Security-Policy header. This protects against clickjacking. NIFI-5366 - Added unit test. Added single quotes around 'self' for frame-ancestors CSP header. NIFI-5366 - Fixed dependencies. This closes #2989. Signed-off-by: Andy LoPresto <alopresto@apache.org>
2018-08-31 19:50:15 -04:00
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-servlet</artifactId>
<scope>test</scope>
</dependency>
NIFI-5254 Upgraded Groovy to version 2.5.4 Updated pom files regarding groovy dependencies. groovy-all was changed to a pom type dependency Added Groovy Bintray as a plugin repository in root pom Upgraded spock-core to version 1.3-groovy-2.5 and added exclusion of groovy dependencies to force spock to use the version from dependencyManagement Updated groovy-eclipse-batch to use the groovy.version property to determine the version Updated groovy-eclipse-compiler to 3.4.0-01 Updated maven-compiler-plugin to use maven.compiler.source and maven.compiler.target properties for source and target configuration properties Removed configuration and dependencies sections from nifi-toolkit-admin and nifi-toolkit-encrypt-config maven-compiler-plugin configurations so that the configuration from the root pom's maven-compiler-plugin is inherited Removed dependencyManagement from nifi-jetty module, version of groovy modules will be inherited from root pom Removed maven-compiler-plugin configuration from nifi-toolkit-api so that the configuration from the root pom's maven-compiler-plugin is inherited Updated spock-core dependencyManagement to 1.3-groovy-2.5 Fixed AESSensitivePropertyProviderTest issue with Groovy creating KEY_256_HEX slice of the wrong size due to BigDecimal being used as the result of the division; using intdiv to force an integer result creates the correctly sized array Added groovy-json test dependency to nifi-web-security Removed maven-compiler-plugin configuration from nifi-lookup-services, nifi-mock-record-utils, and nifi-web-utils so that the configuration from the root pom's maven-compiler-plugin is inherited Updated root pom pluginManagement to specify version 3.8.0 of maven-compiler-plugin Added maven-compiler-plugin config to nifi-toolkit-admin and nifi-toolkit-encrypt-config to use groovy-eclipse-compiler during the compile phase so that the groovy-based tools are compiled Addressed deprecated CliBuilder and OptionAccessor usage in nifi-toolkit-encrypt-config, those classes were moved from groovy.util to groovy.cli.commons Removed getInner() usage from nifi-toolkit-encrypt-config, method no longer exists causing the tests to crash Updated CryptographicHashAttributeTest to use java.time classes instead of java.util.Date Updated nifi root POM's groovy-test dependency to be test-scoped Added properties for specifying groovy versions for several modules: nifi, nifi-groovyx-bundle, nifi-scripting-bundle, nifi-toolkit Established dependency management for groovy-all:pom:2.5.4, and added that dependency to several modules: nifi-groovyx-nar, nifi-scripting-nar, nifi-toolkit-admin, nifi-toolkit-encrypt-config Added groovy version property usage to several modules that established a dependency on a groovy submodule that was not listed in its own or inherited dependency management Removed unused build-helper-maven-plugin from nifi-toolkit-api's POM Removed unnecessary groovy-eclipse-compiler build plugin config from nifi-web-utils' POM to use the inherited config for that plugin Updated several modules' NOTICEs to include appropriate Groovy NOTICE content Updated to list groovy-all:pom:2.5.4 and its transitive submodule dependencies to nifi-assembly, nifi-groovyx-nar, nifi-scripting-nar, and nifi-toolkit-assembly NOTICEs Added missing groovy-all:jar:2.1.6 NOTICE to nifi-hive-nar and nifi-hive_1_1-nar NOTICEs Added missing groovy-all:jar:2.4.11 NOTICE to nifi-hive3-nar NOTICE Updated to list groovy-all:jar:2.4.16 nifi-other-graph-services-nar NOTICE Removed Groovy NOTICE content from nifi-record-serialization-services-nar NOTICE, no Groovy modules are included in the NAR NIFI-5254 Updated several modules' NOTICEs and LICENSEs to include appropriate content from the LICENSEs and NOTICEs bundled with Groovy modules which in turn are bundled with NiFi binary artifacts: nifi-assembly, nifi-groovyx-nar, nifi-hive-nar, nifi-hive3-nar, nifi-hive_1_1-nar, nifi-other-graph-services-nar, nifi-scripting-nar, nifi-toolkit-assembly NIFI-5254 Updated NOTICEs and LICENSEs to include appropriate content from the LICENSEs and NOTICEs bundled with modules used by Groovy 2.5.4 which in turn are bundled with NiFi binary artifacts: nifi-assembly, nifi-groovyx-nar, nifi-scripting-nar, nifi-toolkit-assembly. The following modules' LICENSE and NOTICE content were added: Apache Ant, Apache Commons CLI, JLine, JUnit Platform/Jupiter This closes #3547 Signed-off-by: Mike Thomsen <mthomsen@apache.org>
2019-06-24 14:35:21 -04:00
<dependency>
<groupId>org.codehaus.groovy</groupId>
<artifactId>groovy-json</artifactId>
<version>${nifi.groovy.version}</version>
<scope>test</scope>
</dependency>
Initial code contribution
2014-12-08 15:22:14 -05:00
</dependencies>
</project>