NIFI-13558 Configured Web Security to ignore unauthenticated requests (#9090)

This closes #9090
This commit is contained in:
David Handermann 2024-07-18 12:26:26 -05:00 committed by GitHub
parent 16c9ea4f7c
commit e35cbbba81
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 22 additions and 7 deletions


@ -55,8 +55,13 @@ import org.springframework.security.web.authentication.AnonymousAuthenticationFi
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CsrfFilter; import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.util.matcher.AndRequestMatcher; import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatchers;
import java.util.List; import java.util.List;
import java.util.stream.Collectors;
/** /**
* Application Security Configuration using Spring Security * Application Security Configuration using Spring Security
@ -68,6 +73,18 @@ import java.util.List;
@EnableWebSecurity @EnableWebSecurity
@EnableMethodSecurity @EnableMethodSecurity
public class WebSecurityConfiguration { public class WebSecurityConfiguration {
private static final List<String> UNFILTERED_PATHS = List.of(
"/access",
"/access/config",
"/access/token",
"/access/logout/complete",
"/authentication/configuration"
);
private static final RequestMatcher UNFILTERED_PATHS_REQUEST_MATCHER = new OrRequestMatcher(
UNFILTERED_PATHS.stream().map(AntPathRequestMatcher::new).collect(Collectors.toList())
);
/** /**
* Spring Security Authentication Manager configured using Authentication Providers from specific configuration classes * Spring Security Authentication Manager configured using Authentication Providers from specific configuration classes
* *
@ -108,14 +125,12 @@ public class WebSecurityConfiguration {
.securityContext(AbstractHttpConfigurer::disable) .securityContext(AbstractHttpConfigurer::disable)
.sessionManagement(AbstractHttpConfigurer::disable) .sessionManagement(AbstractHttpConfigurer::disable)
.headers(AbstractHttpConfigurer::disable) .headers(AbstractHttpConfigurer::disable)
.authorizeHttpRequests(authorize -> authorize .securityMatchers(securityMatchers -> securityMatchers
.requestMatchers( .requestMatchers(
"/access", RequestMatchers.not(UNFILTERED_PATHS_REQUEST_MATCHER)
"/access/config", )
"/access/token", )
"/access/logout/complete", .authorizeHttpRequests(authorize -> authorize
"/authentication/configuration"
).permitAll()
.anyRequest().authenticated() .anyRequest().authenticated()
) )
.addFilterBefore(new SkipReplicatedCsrfFilter(), CsrfFilter.class) .addFilterBefore(new SkipReplicatedCsrfFilter(), CsrfFilter.class)
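Review bot: Moving the five `/access*` and `/authentication/configuration` paths from `permitAll()` into `securityMatchers(RequestMatchers.not(...))` takes them out of this filter chain entirely, which is a stronger change than the old `permitAll()`: the `SkipReplicatedCsrfFilter`/`CsrfFilter` registered on the last line, and every other filter in this chain, no longer runs for those requests, whereas before only the authorization check was relaxed. If any of those endpoints (a POST to `/access/token` or the `/access/logout/complete` redirect, for example) relied on the chain's CSRF handling, that protection now has to come from the endpoint itself; if they never did, that intent deserves to be written down, since `UNFILTERED_PATHS` and `UNFILTERED_PATHS_REQUEST_MATCHER` currently carry no documentation. I would add a Javadoc on `UNFILTERED_PATHS` along the lines of `/** Request paths excluded from this Spring Security filter chain altogether: no filter here, including CSRF, runs for them, so each must be safe to serve without authentication. */`. Note also that `AntPathRequestMatcher::new` with only a pattern matches every HTTP method, and `/access` does not match `/access/` (the trailing-slash form still falls through to `anyRequest().authenticated()`), which is the safe direction but worth stating in that comment.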