You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2022/07/11 20:52:07 UTC

[GitHub] [nifi] exceptionfactory opened a new pull request, #6196: NIFI-10217 Refactor Registry Spring Security Configuration

exceptionfactory opened a new pull request, #6196:
URL: https://github.com/apache/nifi/pull/6196

   # Summary
   
   [NIFI-10217](https://issues.apache.org/jira/browse/NIFI-10217) Refactors the NiFi Registry Spring Security Configuration, removing extension of the deprecated `WebSecurityConfigurerAdapter` class.
   
   The updated configuration creates a `SecurityFilterChain` bean using the `HttpSecurity` builder and creates an `AuthenticationManager` using the existing Authentication Providers in the current configuration.
   
   # Tracking
   
   Please complete the following tracking steps prior to pull request creation.
   
   ### Issue Tracking
   
   - [X] [Apache NiFi Jira](https://issues.apache.org/jira/browse/NIFI) issue created
   
   ### Pull Request Tracking
   
   - [X] Pull Request title starts with Apache NiFi Jira issue number, such as `NIFI-00000`
   - [X] Pull Request commit message starts with Apache NiFi Jira issue number, as such `NIFI-00000`
   
   ### Pull Request Formatting
   
   - [X] Pull Request based on current revision of the `main` branch
   - [X] Pull Request refers to a feature branch with one commit containing changes
   
   # Verification
   
   Please indicate the verification steps performed prior to pull request creation.
   
   ### Build
   
   - [X] Build completed using `mvn clean install -P contrib-check`
     - [X] JDK 8
     - [ ] JDK 11
     - [ ] JDK 17
   
   ### Licensing
   
   - [ ] New dependencies are compatible with the [Apache License 2.0](https://apache.org/licenses/LICENSE-2.0) according to the [License Policy](https://www.apache.org/legal/resolved.html)
   - [ ] New dependencies are documented in applicable `LICENSE` and `NOTICE` files
   
   ### Documentation
   
   - [ ] Documentation formatting appears as expected in rendered files
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [nifi] exceptionfactory commented on pull request #6196: NIFI-10217 Refactor Registry Spring Security Configuration

Posted by GitBox <gi...@apache.org>.

exceptionfactory commented on PR #6196:
URL: https://github.com/apache/nifi/pull/6196#issuecomment-1205807981

   Thanks for the feedback @thenatog!
   
   The problem was the result of the CSRF checking not being disabled, as it is in the current configuration. I corrected the configuration and rebased, so this is ready for another review.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [nifi] thenatog commented on pull request #6196: NIFI-10217 Refactor Registry Spring Security Configuration

Posted by GitBox <gi...@apache.org>.

thenatog commented on PR #6196:
URL: https://github.com/apache/nifi/pull/6196#issuecomment-1208557740

   Yeah tested now and it's working. +1 will merge, thanks!


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [nifi] thenatog commented on pull request #6196: NIFI-10217 Refactor Registry Spring Security Configuration

Posted by GitBox <gi...@apache.org>.

thenatog commented on PR #6196:
URL: https://github.com/apache/nifi/pull/6196#issuecomment-1187751743

   I ran into an issue with this one trying to use LDAP to log in. When I hit the log in button, enter my LDAP creds it, the URL 'https://myhostname.com:18080/nifi-registry-api/access/token/login' returns a 404. The log shows: 2022-07-18 12:49:16,560 INFO [NiFi Registry Web Server-16] o.a.n.r.w.mapper.NotFoundExceptionMapper javax.ws.rs.NotFoundException: HTTP 404 Not Found. Returning Not Found response.
   
   I compared this with main branch and found that I was able to log in using the same LDAP configuration.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [nifi] exceptionfactory commented on a diff in pull request #6196: NIFI-10217 Refactor Registry Spring Security Configuration

Posted by GitBox <gi...@apache.org>.

exceptionfactory commented on code in PR #6196:
URL: https://github.com/apache/nifi/pull/6196#discussion_r920610907


##########
nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/NiFiRegistrySecurityConfig.java:
##########
@@ -101,26 +99,17 @@ protected void configure(HttpSecurity http) throws Exception {
                     .anyRequest().fullyAuthenticated()
                     .and()
                 .exceptionHandling()
-                    .authenticationEntryPoint(http401AuthenticationEntryPoint())
-                    .and()
-                .sessionManagement()
-                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
+                    .authenticationEntryPoint(http401AuthenticationEntryPoint());

Review Comment:
   Thanks for the note @thenatog. The HTTP Request Logging on NiFi provides HTTP status code details for each URL requested, and Spring Security debug logging could be enabled for additional troubleshooting. With that background, however, it would be worthwhile to consider some of kind of error message string in certain cases. The Authentication Entry Point on NiFi has a few more scenarios to handle, but it sounds worth considering in a follow-on issue.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [nifi] thenatog commented on a diff in pull request #6196: NIFI-10217 Refactor Registry Spring Security Configuration

Posted by GitBox <gi...@apache.org>.

thenatog commented on code in PR #6196:
URL: https://github.com/apache/nifi/pull/6196#discussion_r920583934


##########
nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/NiFiRegistrySecurityConfig.java:
##########
@@ -101,26 +99,17 @@ protected void configure(HttpSecurity http) throws Exception {
                     .anyRequest().fullyAuthenticated()
                     .and()
                 .exceptionHandling()
-                    .authenticationEntryPoint(http401AuthenticationEntryPoint())
-                    .and()
-                .sessionManagement()
-                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
+                    .authenticationEntryPoint(http401AuthenticationEntryPoint());

Review Comment:
   This actually looks a little more complex than the authentication entry point I just merged in NiFi. Should the NiFi one contain some of these extra tasks such as logging and setting return content types?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [nifi] thenatog closed pull request #6196: NIFI-10217 Refactor Registry Spring Security Configuration

Posted by GitBox <gi...@apache.org>.

thenatog closed pull request #6196: NIFI-10217 Refactor Registry Spring Security Configuration
URL: https://github.com/apache/nifi/pull/6196


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@nifi.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org