NIFI-9796 This closes #5866. Updated Registry Security Configuration to avoid warnings

- Replaced WebSecurity.ignoring().antMatchers() with HttpSecurity.authorizeRequests().antMatchers()

Signed-off-by: Joe Witt <joewitt@apache.org>
exceptionfactory 2022-03-14 14:18:12 -05:00 committed by Joe Witt
parent 21922af90c
commit 36b3f18424
No known key found for this signature in database
GPG Key ID: 9093BF854F811A1A


@ -36,7 +36,6 @@ import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.config.http.SessionCreationPolicy;
@ -45,7 +44,6 @@ import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor; import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter; import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import java.io.IOException; import java.io.IOException;
@ -69,7 +67,7 @@ public class NiFiRegistrySecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired @Autowired
private Authorizer authorizer; private Authorizer authorizer;
private AnonymousIdentityFilter anonymousAuthenticationFilter = new AnonymousIdentityFilter(); private final AnonymousIdentityFilter anonymousAuthenticationFilter = new AnonymousIdentityFilter();
@Autowired @Autowired
private X509IdentityProvider x509IdentityProvider; private X509IdentityProvider x509IdentityProvider;
@ -87,18 +85,19 @@ public class NiFiRegistrySecurityConfig extends WebSecurityConfigurerAdapter {
super(true); // disable defaults super(true); // disable defaults
} }
@Override
public void configure(WebSecurity webSecurity) throws Exception {
// allow any client to access the endpoint for logging in to generate an access token
webSecurity.ignoring().antMatchers( "/access/token", "/access/token/kerberos",
"/access/oidc/exchange", "/access/oidc/callback", "/access/oidc/request", "/access/token/identity-provider" );
}
@Override @Override
protected void configure(HttpSecurity http) throws Exception { protected void configure(HttpSecurity http) throws Exception {
http http
.rememberMe().disable() .rememberMe().disable()
.authorizeRequests() .authorizeRequests()
.antMatchers(
"/access/token",
"/access/token/identity-provider",
"/access/token/kerberos",
"/access/oidc/callback",
"/access/oidc/exchange",
"/access/oidc/request"
).permitAll()
.anyRequest().fullyAuthenticated() .anyRequest().fullyAuthenticated()
.and() .and()
.exceptionHandling() .exceptionHandling()
@ -150,7 +149,7 @@ public class NiFiRegistrySecurityConfig extends WebSecurityConfigurerAdapter {
return super.authenticationManagerBean(); return super.authenticationManagerBean();
} }
private IdentityFilter x509AuthenticationFilter() throws Exception { private IdentityFilter x509AuthenticationFilter() {
if (x509AuthenticationFilter == null) { if (x509AuthenticationFilter == null) {
x509AuthenticationFilter = new IdentityFilter(x509IdentityProvider); x509AuthenticationFilter = new IdentityFilter(x509IdentityProvider);
} }
@ -164,7 +163,7 @@ public class NiFiRegistrySecurityConfig extends WebSecurityConfigurerAdapter {
return x509AuthenticationProvider; return x509AuthenticationProvider;
} }
private IdentityFilter jwtAuthenticationFilter() throws Exception { private IdentityFilter jwtAuthenticationFilter() {
if (jwtAuthenticationFilter == null) { if (jwtAuthenticationFilter == null) {
jwtAuthenticationFilter = new IdentityFilter(jwtIdentityProvider); jwtAuthenticationFilter = new IdentityFilter(jwtIdentityProvider);
} }
@ -198,7 +197,7 @@ public class NiFiRegistrySecurityConfig extends WebSecurityConfigurerAdapter {
public void commence(HttpServletRequest request, public void commence(HttpServletRequest request,
HttpServletResponse response, HttpServletResponse response,
AuthenticationException authenticationException) AuthenticationException authenticationException)
throws IOException, ServletException { throws IOException {
// return a 401 response // return a 401 response
final int status = HttpServletResponse.SC_UNAUTHORIZED; final int status = HttpServletResponse.SC_UNAUTHORIZED;
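Review bot: The explanatory comment on the removed `configure(WebSecurity)` override was not carried over, so the new `.antMatchers(...).permitAll()` list in `configure(HttpSecurity)` no longer says why these six `/access/...` paths are exempt from `fullyAuthenticated()`. I would add `// allow any client to reach the login and token-exchange endpoints; these requests still traverse the filter chain` directly above `.antMatchers(`. Unlike `ignoring()`, `permitAll()` keeps these paths inside the Spring Security filter chain, so any filters registered further down in this method (outside the visible hunk) now run on them; it is worth confirming that they pass a request with missing or stale credentials through to the token endpoint instead of rejecting it first. The body of `configure(HttpSecurity)` continues past the hunk, so the filter registration itself is not visible here.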