From e35cbbba81522e2217ad2c9491ba4e5e29b3bcf1 Mon Sep 17 00:00:00 2001
From: David Handermann
Date: Thu, 18 Jul 2024 12:26:26 -0500
Subject: [PATCH] NIFI-13558 Configured Web Security to ignore unauthenticated requests (#9090)

This closes #9090
---
 .../WebSecurityConfiguration.java | 29 ++++++++++++++-----
 1 file changed, 22 insertions(+), 7 deletions(-)

diff --git a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/WebSecurityConfiguration.java b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/WebSecurityConfiguration.java
index 6f5dec1f00..9c6b28d4c4 100644
--- a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/WebSecurityConfiguration.java
+++ b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/WebSecurityConfiguration.java
@@ -55,8 +55,13 @@ import org.springframework.security.web.authentication.AnonymousAuthenticationFi
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.csrf.CsrfFilter;
 import org.springframework.security.web.util.matcher.AndRequestMatcher;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.OrRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatchers;
 
 import java.util.List;
+import java.util.stream.Collectors;
 
 /**
  * Application Security Configuration using Spring Security
@@ -68,6 +73,18 @@ import java.util.List;
 @EnableWebSecurity
 @EnableMethodSecurity
 public class WebSecurityConfiguration {
+    private static final List UNFILTERED_PATHS = List.of(
+            "/access",
+            "/access/config",
+            "/access/token",
+            "/access/logout/complete",
+            "/authentication/configuration"
+    );
+
+    private static final RequestMatcher UNFILTERED_PATHS_REQUEST_MATCHER = new OrRequestMatcher(
+            UNFILTERED_PATHS.stream().map(AntPathRequestMatcher::new).collect(Collectors.toList())
+    );
+
     /**
      * Spring Security Authentication Manager configured using Authentication Providers from specific configuration classes
      *
@@ -108,14 +125,12 @@ public class WebSecurityConfiguration {
                 .securityContext(AbstractHttpConfigurer::disable)
                 .sessionManagement(AbstractHttpConfigurer::disable)
                 .headers(AbstractHttpConfigurer::disable)
-                .authorizeHttpRequests(authorize -> authorize
+                .securityMatchers(securityMatchers -> securityMatchers
                         .requestMatchers(
-                                "/access",
-                                "/access/config",
-                                "/access/token",
-                                "/access/logout/complete",
-                                "/authentication/configuration"
-                        ).permitAll()
+                                RequestMatchers.not(UNFILTERED_PATHS_REQUEST_MATCHER)
+                        )
+                )
+                .authorizeHttpRequests(authorize -> authorize
                         .anyRequest().authenticated()
                 )
                 .addFilterBefore(new SkipReplicatedCsrfFilter(), CsrfFilter.class)
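Review bot: The new constants carry no comment stating that a path listed in `UNFILTERED_PATHS` is excluded from this SecurityFilterChain altogether (through `RequestMatchers.not(...)` later in the file), not merely permitted, so a future addition to this list silently drops every filter the chain registers for that path. Suggest a Javadoc on `UNFILTERED_PATHS` such as `/** Paths served outside this SecurityFilterChain: none of its authentication, authorization or CSRF filters run for them, so add entries with care */`. The declaration reads `List UNFILTERED_PATHS` on this page, presumably `List<String>` lost in rendering; if it were really raw, `map(AntPathRequestMatcher::new)` would not compile. As a point of style, `.toList()` could replace `collect(Collectors.toList())` and make the new `Collectors` import unnecessary if the build targets Java 16 or later.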
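Review bot: Replacing `permitAll()` for the five paths with `securityMatchers(... RequestMatchers.not(UNFILTERED_PATHS_REQUEST_MATCHER))` changes more than authorization: requests to those paths no longer enter this SecurityFilterChain at all, so the filters it registers — including whatever CSRF handling sits around `addFilterBefore(new SkipReplicatedCsrfFilter(), CsrfFilter.class)` and the authentication filters imported in this file — stop running for them unless another chain in the application claims those requests, whereas previously only the authorization decision was skipped. For state-changing endpoints such as `/access/token` and `/access/logout/complete` that is worth confirming deliberately, and a comment on the matcher would make the intent explicit, e.g. `// Requests matching UNFILTERED_PATHS bypass this chain entirely; no Spring Security filter is applied to them`. Because each `AntPathRequestMatcher` is built from the path alone, the exclusion applies to every HTTP method on those paths. The enclosing filter-chain method starts and ends outside this hunk.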