NIFI-655:

- Fixing issue with filter bean initialization when clustered.
2015-11-27 10:05:58 -05:00 · 2015-11-27 10:05:58 -05:00 · c1cc165edb
parent 6bce858e4a
commit c1cc165edb
2 changed files with 47 additions and 35 deletions
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java
@ -58,6 +58,11 @@ public class NiFiWebApiSecurityConfiguration extends WebSecurityConfigurerAdapte
    private X509IdentityProvider certificateIdentityProvider;
    private LoginIdentityProvider loginIdentityProvider;

+    private NodeAuthorizedUserFilter nodeAuthorizedUserFilter;
+    private JwtAuthenticationFilter jwtAuthenticationFilter;
+    private X509AuthenticationFilter x509AuthenticationFilter;
+    private NiFiAnonymousUserFilter anonymousAuthenticationFilter;
+
    public NiFiWebApiSecurityConfiguration() {
        super(true); // disable defaults
    }
@ -80,17 +85,17 @@ public class NiFiWebApiSecurityConfiguration extends WebSecurityConfigurerAdapte
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // cluster authorized user
-        http.addFilterBefore(buildNodeAuthorizedUserFilter(), AnonymousAuthenticationFilter.class);
+        http.addFilterBefore(nodeAuthorizedUserFilterBean(), AnonymousAuthenticationFilter.class);

        // anonymous
-        http.anonymous().authenticationFilter(buildAnonymousFilter());
+        http.anonymous().authenticationFilter(anonymousFilterBean());

        // x509
-        http.addFilterAfter(buildX509Filter(), AnonymousAuthenticationFilter.class);
+        http.addFilterAfter(x509FilterBean(), AnonymousAuthenticationFilter.class);

        // jwt - consider when configured for log in
        if (loginIdentityProvider != null) {
-            http.addFilterAfter(buildJwtFilter(), AnonymousAuthenticationFilter.class);
+            http.addFilterAfter(jwtFilterBean(), AnonymousAuthenticationFilter.class);
        }
    }

@ -106,35 +111,48 @@ public class NiFiWebApiSecurityConfiguration extends WebSecurityConfigurerAdapte
        auth.authenticationProvider(new NiFiAuthenticationProvider(userDetailsService));
    }

-    private NodeAuthorizedUserFilter buildNodeAuthorizedUserFilter() {
-        final NodeAuthorizedUserFilter nodeFilter = new NodeAuthorizedUserFilter();
-        nodeFilter.setProperties(properties);
-        nodeFilter.setCertificateExtractor(certificateExtractor);
-        nodeFilter.setCertificateIdentityProvider(certificateIdentityProvider);
-        return nodeFilter;
+    @Bean
+    public NodeAuthorizedUserFilter nodeAuthorizedUserFilterBean() throws Exception {
+        if (nodeAuthorizedUserFilter == null) {
+            nodeAuthorizedUserFilter = new NodeAuthorizedUserFilter();
+            nodeAuthorizedUserFilter.setProperties(properties);
+            nodeAuthorizedUserFilter.setCertificateExtractor(certificateExtractor);
+            nodeAuthorizedUserFilter.setCertificateIdentityProvider(certificateIdentityProvider);
+        }
+        return nodeAuthorizedUserFilter;
    }

-    private JwtAuthenticationFilter buildJwtFilter() throws Exception {
-        final JwtAuthenticationFilter jwtFilter = new JwtAuthenticationFilter();
-        jwtFilter.setProperties(properties);
-        jwtFilter.setJwtService(jwtService);
-        jwtFilter.setAuthenticationManager(authenticationManager());
-        return jwtFilter;
+    @Bean
+    public JwtAuthenticationFilter jwtFilterBean() throws Exception {
+        // only consider the jwt authentication filter when configured for login
+        if (jwtAuthenticationFilter == null && loginIdentityProvider != null) {
+            jwtAuthenticationFilter = new JwtAuthenticationFilter();
+            jwtAuthenticationFilter.setProperties(properties);
+            jwtAuthenticationFilter.setJwtService(jwtService);
+            jwtAuthenticationFilter.setAuthenticationManager(authenticationManager());
+        }
+        return jwtAuthenticationFilter;
    }

-    private X509AuthenticationFilter buildX509Filter() throws Exception {
-        final X509AuthenticationFilter x509Filter = new X509AuthenticationFilter();
-        x509Filter.setProperties(properties);
-        x509Filter.setCertificateExtractor(certificateExtractor);
-        x509Filter.setCertificateIdentityProvider(certificateIdentityProvider);
-        x509Filter.setAuthenticationManager(authenticationManager());
-        return x509Filter;
+    @Bean
+    public X509AuthenticationFilter x509FilterBean() throws Exception {
+        if (x509AuthenticationFilter == null) {
+            x509AuthenticationFilter = new X509AuthenticationFilter();
+            x509AuthenticationFilter.setProperties(properties);
+            x509AuthenticationFilter.setCertificateExtractor(certificateExtractor);
+            x509AuthenticationFilter.setCertificateIdentityProvider(certificateIdentityProvider);
+            x509AuthenticationFilter.setAuthenticationManager(authenticationManager());
+        }
+        return x509AuthenticationFilter;
    }

-    private AnonymousAuthenticationFilter buildAnonymousFilter() {
-        final NiFiAnonymousUserFilter anonymousFilter = new NiFiAnonymousUserFilter();
-        anonymousFilter.setUserService(userService);
-        return anonymousFilter;
+    @Bean
+    public NiFiAnonymousUserFilter anonymousFilterBean() throws Exception {
+        if (anonymousAuthenticationFilter == null) {
+            anonymousAuthenticationFilter = new NiFiAnonymousUserFilter();
+            anonymousAuthenticationFilter.setUserService(userService);
+        }
+        return anonymousAuthenticationFilter;
    }

    @Autowired
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationFilter.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationFilter.java
@ -18,9 +18,7 @@ package org.apache.nifi.web.security;

 import java.io.IOException;
 import java.io.PrintWriter;
-import javax.servlet.Filter;
 import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
@ -40,22 +38,18 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.web.filter.GenericFilterBean;

 /**
 *
 */
-public abstract class NiFiAuthenticationFilter implements Filter {
+public abstract class NiFiAuthenticationFilter extends GenericFilterBean {

    private static final Logger logger = LoggerFactory.getLogger(NiFiAuthenticationFilter.class);

    private AuthenticationManager authenticationManager;
    private NiFiProperties properties;

-    @Override
-    public void init(final FilterConfig filterConfig) throws ServletException {
-        throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
-    }
-
    @Override
    public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) throws IOException, ServletException {
        if (logger.isDebugEnabled()) {