NIFI-655:

- Ensuring the access token is not replicated when the user is already authenticated/authorized.

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java

@@ -58,6 +58,7 @@ import org.apache.nifi.web.api.request.ClientIdParameter;
 import org.apache.nifi.web.security.InvalidAuthenticationException;
 import org.apache.nifi.web.security.ProxiedEntitiesUtils;
 import org.apache.nifi.web.security.UntrustedProxyException;
+import org.apache.nifi.web.security.jwt.JwtAuthenticationFilter;
 import org.apache.nifi.web.security.jwt.JwtService;
 import org.apache.nifi.web.security.token.LoginAuthenticationToken;
 import org.apache.nifi.web.security.token.NiFiAuthenticationRequestToken;
@@ -85,8 +86,6 @@ public class AccessResource extends ApplicationResource {
 
     private static final Logger logger = LoggerFactory.getLogger(AccessResource.class);
 
-    private static final String AUTHORIZATION = "Authorization";
-
     private NiFiProperties properties;
 
     private LoginIdentityProvider loginIdentityProvider;
@@ -183,7 +182,7 @@ public class AccessResource extends ApplicationResource {
             // if there is not certificate, consider a token
             if (certificates == null) {
                 // look for an authorization token
-                final String authorization = httpServletRequest.getHeader(AUTHORIZATION);
+                final String authorization = httpServletRequest.getHeader(JwtAuthenticationFilter.AUTHORIZATION);
 
                 // if there is no authorization header, we don't know the user
                 if (authorization == null) {

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ApplicationResource.java

@@ -54,6 +54,7 @@ import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.builder.ReflectionToStringBuilder;
 import org.apache.commons.lang3.builder.ToStringStyle;
 import org.apache.nifi.user.NiFiUser;
+import org.apache.nifi.web.security.jwt.JwtAuthenticationFilter;
 import org.apache.nifi.web.security.user.NiFiUserUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -367,7 +368,11 @@ public abstract class ApplicationResource {
             // add the certificate DN to the proxy chain
             final NiFiUser user = NiFiUserUtils.getNiFiUser();
             if (user != null) {
+                // add the proxied user details
                 result.put(PROXIED_ENTITIES_CHAIN_HTTP_HEADER, ProxiedEntitiesUtils.buildProxiedEntitiesChainString(user));
+
+                // remove the access token if present, since the user is already authenticated/authorized
+                result.remove(JwtAuthenticationFilter.AUTHORIZATION);
             }
 
             // add the user's authorities (if any) to the headers

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java

@@ -36,7 +36,7 @@ public class JwtAuthenticationFilter extends NiFiAuthenticationFilter {
 
     private static final Logger logger = LoggerFactory.getLogger(JwtAuthenticationFilter.class);
 
-    private static final String AUTHORIZATION = "Authorization";
+    public static final String AUTHORIZATION = "Authorization";
 
     private JwtService jwtService;