mirror of https://github.com/apache/nifi.git
NIFI-655:
- Ensuring anonymous user label and login links are rendered when appropriate. - Ensuring responses are accurate when making requests with a token when user log in is not supported.
This commit is contained in:
Matt Gilman
parent
c1cc165edb
commit
64beeef593
|
|
@ -93,10 +93,8 @@ public class NiFiWebApiSecurityConfiguration extends WebSecurityConfigurerAdapte
|
|||
// x509
|
||||
http.addFilterAfter(x509FilterBean(), AnonymousAuthenticationFilter.class);
|
||||
|
||||
// jwt - consider when configured for log in
|
||||
if (loginIdentityProvider != null) {
|
||||
http.addFilterAfter(jwtFilterBean(), AnonymousAuthenticationFilter.class);
|
||||
}
|
||||
// jwt
|
||||
http.addFilterAfter(jwtFilterBean(), AnonymousAuthenticationFilter.class);
|
||||
}
|
||||
|
||||
@Bean
|
||||
|
|
@ -124,12 +122,15 @@ public class NiFiWebApiSecurityConfiguration extends WebSecurityConfigurerAdapte
|
|||
|
||||
@Bean
|
||||
public JwtAuthenticationFilter jwtFilterBean() throws Exception {
|
||||
// only consider the jwt authentication filter when configured for login
|
||||
if (jwtAuthenticationFilter == null && loginIdentityProvider != null) {
|
||||
if (jwtAuthenticationFilter == null) {
|
||||
jwtAuthenticationFilter = new JwtAuthenticationFilter();
|
||||
jwtAuthenticationFilter.setProperties(properties);
|
||||
jwtAuthenticationFilter.setJwtService(jwtService);
|
||||
jwtAuthenticationFilter.setAuthenticationManager(authenticationManager());
|
||||
|
||||
// only consider the tokens when configured for login
|
||||
if (loginIdentityProvider != null) {
|
||||
jwtAuthenticationFilter.setJwtService(jwtService);
|
||||
}
|
||||
}
|
||||
return jwtAuthenticationFilter;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -190,6 +190,11 @@ public class AccessResource extends ApplicationResource {
|
|||
accessStatus.setStatus(AccessStatusDTO.Status.UNKNOWN.name());
|
||||
accessStatus.setMessage("No credentials supplied, unknown user.");
|
||||
} else {
|
||||
// not currently configured for username/password login, don't accept existing tokens
|
||||
if (loginIdentityProvider == null) {
|
||||
throw new IllegalStateException("This NiFi is not configured to support username/password logins.");
|
||||
}
|
||||
|
||||
try {
|
||||
// Extract the Base64 encoded token from the Authorization header
|
||||
final String token = StringUtils.substringAfterLast(authorization, " ");
|
||||
|
|
|
|||
|
|
@ -56,6 +56,10 @@ public class JwtAuthenticationFilter extends NiFiAuthenticationFilter {
|
|||
if (authorization == null) {
|
||||
return null;
|
||||
} else {
|
||||
if (jwtService == null) {
|
||||
throw new InvalidAuthenticationException("NiFi is not configured to support username/password logins.");
|
||||
}
|
||||
|
||||
// Extract the Base64 encoded token from the Authorization header
|
||||
final String token = StringUtils.substringAfterLast(authorization, " ");
|
||||
|
||||
|
|
|
|||
|
|
@ -521,6 +521,7 @@ div.search-glass-pane {
|
|||
font-weight: bold;
|
||||
max-width: 250px;
|
||||
text-overflow: ellipsis;
|
||||
line-height: normal;
|
||||
overflow: hidden;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -141,28 +141,27 @@ nf.CanvasHeader = (function () {
|
|||
nf.Shell.showPage(config.urls.helpDocument);
|
||||
});
|
||||
|
||||
// show the login link if supported and user is currently anonymous
|
||||
var isAnonymous = $('#current-user').text() === nf.Common.ANONYMOUS_USER_TEXT;
|
||||
if (supportsLogin === true && isAnonymous) {
|
||||
// login link
|
||||
$('#login-link').click(function () {
|
||||
nf.Shell.showPage('login', false);
|
||||
});
|
||||
} else {
|
||||
$('#login-link-container').css('display', 'none');
|
||||
}
|
||||
|
||||
// if login is not supported, don't show the current user
|
||||
if (supportsLogin === false) {
|
||||
$('#current-user-container').css('display', 'none');
|
||||
}
|
||||
|
||||
// login link
|
||||
$('#login-link').click(function () {
|
||||
nf.Shell.showPage('login', false);
|
||||
});
|
||||
|
||||
// logout link
|
||||
$('#logout-link').click(function () {
|
||||
nf.Storage.removeItem("jwt");
|
||||
window.location = '/nifi';
|
||||
});
|
||||
|
||||
// if the user is not anonymous or accessing via http
|
||||
if ($('#current-user').text() !== nf.Common.ANONYMOUS_USER_TEXT || location.protocol === 'http:') {
|
||||
$('#login-link-container').css('display', 'none');
|
||||
}
|
||||
|
||||
// if accessing via http, don't show the current user
|
||||
if (location.protocol === 'http:') {
|
||||
$('#current-user-container').css('display', 'none');
|
||||
}
|
||||
|
||||
// initialize the new template dialog
|
||||
$('#new-template-dialog').modal({
|
||||
headerText: 'Create Template',
|
||||
|
|
|
|||
|
|
@ -285,7 +285,7 @@ nf.Login = (function () {
|
|||
// if login is required, verify its supported
|
||||
if (accessConfig.supportsLogin === false && needsLogin === true) {
|
||||
$('#login-message-title').text('Access Denied');
|
||||
$('#login-message').text('This NiFi is not configured to support login.');
|
||||
$('#login-message').text('This NiFi is not configured to support username/password logins.');
|
||||
showMessage = true;
|
||||
needsLogin = false;
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue