NIFI-2555:

- Addressing potential NullPointerException when an AccessDeniedException is thrown from an endpoint that isn't subject to the security filter chain. This closes #846. Signed-off-by: Andy LoPresto <alopresto@apache.org>
2016-08-12 08:48:10 -04:00 · 2016-08-12 08:48:10 -04:00 · 0855cb9bd4
parent 6799bd4919
commit 0855cb9bd4
2 changed files with 12 additions and 4 deletions
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
@ -333,7 +333,6 @@ public class AccessResource extends ApplicationResource {
                    @ApiResponse(code = 401, message = "NiFi was unable to complete the request because it did not contain a valid Kerberos " +
                            "ticket in the Authorization header. Retry this request after initializing a ticket with kinit and " +
                            "ensuring your browser is configured to support SPNEGO."),
-                    @ApiResponse(code = 403, message = "Client is not authorized to make this request."),
                    @ApiResponse(code = 409, message = "Unable to create access token because NiFi is not in the appropriate state. (i.e. may not be configured to support Kerberos login."),
                    @ApiResponse(code = 500, message = "Unable to create access token because an unexpected error occurred.")
            }
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/config/AccessDeniedExceptionMapper.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/config/AccessDeniedExceptionMapper.java
@ -41,15 +41,24 @@ public class AccessDeniedExceptionMapper implements ExceptionMapper<AccessDenied
        // get the current user
        NiFiUser user = NiFiUserUtils.getNiFiUser();

-        // if the user was authenticated - forbidden, otherwise unauthorized
+        // if the user was authenticated - forbidden, otherwise unauthorized... the user may be null if the
+        // AccessDeniedException was thrown from a /access endpoint that isn't subject to the security
+        // filter chain. for instance, one that performs kerberos negotiation
        final Response.Status status;
-        if (user.isAnonymous()) {
+        if (user == null || user.isAnonymous()) {
            status = Status.UNAUTHORIZED;
        } else {
            status = Status.FORBIDDEN;
        }

-        logger.info(String.format("%s does not have permission to access the requested resource. Returning %s response.", user.getIdentity(), status));
+        final String identity;
+        if (user == null) {
+            identity = "<no user found>";
+        } else {
+            identity = user.getIdentity();
+        }
+
+        logger.info(String.format("%s does not have permission to access the requested resource. Returning %s response.", identity, status));

        if (logger.isDebugEnabled()) {
            logger.debug(StringUtils.EMPTY, exception);