Posted to issues@nifi.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2021/09/23 22:08:00 UTC

[jira] [Commented] (NIFI-9060) HTTP Cookie Paths ignore Proxy Context Path Headers

    [ https://issues.apache.org/jira/browse/NIFI-9060?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17419480#comment-17419480 ] 

ASF subversion and git services commented on NIFI-9060:
-------------------------------------------------------

Commit 84dbf915a9b55100ad631305fa5f1b86e578a0b8 in nifi's branch refs/heads/main from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=84dbf91 ]

NIFI-9060 Refactored HTTP Cookie Path Handling

- Implemented ApplicationCookieService for adding and retrieving HTTP Cookies
- Added getCookieResourceUri() leveraging allowed proxy headers to support optional Cookie Paths
- Refactored Access Resources to use ApplicationCookieService for processing
- Changed __Host- prefix to __Secure- prefix for Bearer Token cookie to support Cookie Path processing
- Removed unnecessary jetty-http dependency from nifi-web-api
- Corrected NiFi path references in JavaScript to support prefixed paths

Signed-off-by: Nathan Gough <th...@gmail.com>

This closes #5329.


> HTTP Cookie Paths ignore Proxy Context Path Headers
> ---------------------------------------------------
>
>                 Key: NIFI-9060
>                 URL: https://issues.apache.org/jira/browse/NIFI-9060
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework, Security
>    Affects Versions: 1.14.0, 1.15.0
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Minor
>              Labels: security
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> HTTP cookies that NiFi uses for authentication have hard-coded paths set to forward-slash. This is acceptable for deployments where clients have direct access to NiFi, or when a reverse proxy does not rewrite the context path. In deployments where a reverse proxy performs URL rewriting, NiFi should set the cookie path based on proxy HTTP headers. NiFi WebUtils includes methods to determine the context path based on supported proxy headers, which should be used to set the paths for HTTP cookies.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
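
The approach described in the issue and commit message, as an added example that is not code from the NiFi commit: the cookie path is derived from an allow-listed proxy context path header, and the `__Host-` prefix is rejected for any path other than `/`, which is why the commit moved to `__Secure-`. The class, method, and cookie names, the header names, and the allow-list value are assumptions made for illustration.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

public class ProxyCookiePathExample {
    // Proxy headers checked in order; the names are an assumption, not taken from the page.
    static final List<String> CONTEXT_HEADERS =
            List.of("X-ProxyContextPath", "X-Forwarded-Context", "X-Forwarded-Prefix");

    // Returns "/" when no proxy header is present, otherwise the normalized
    // header value, which must appear on the operator-configured allow-list.
    static String resolveCookiePath(Map<String, String> headers, Set<String> allowedPaths) {
        for (String header : CONTEXT_HEADERS) {
            String raw = headers.get(header);
            if (raw == null || raw.isBlank()) continue;
            String path = "/" + raw.strip().replaceAll("^/+|/+$", "");
            // Header values are client-influenced: never echo an unlisted value into Set-Cookie.
            if (!"/".equals(path) && !allowedPaths.contains(path)) {
                throw new IllegalArgumentException("Context path not allowed in " + header);
            }
            return path;
        }
        return "/";
    }

    static String buildSetCookie(String name, String value, String path) {
        // Browsers discard a __Host- cookie unless its Path attribute is exactly "/".
        if (name.startsWith("__Host-") && !"/".equals(path)) {
            throw new IllegalArgumentException("__Host- cookies require Path=/");
        }
        // __Secure- only requires the Secure attribute, so a narrower Path is permitted.
        return name + "=" + value + "; Path=" + path + "; Secure; HttpOnly; SameSite=Strict";
    }

    public static void main(String[] args) {
        Set<String> allowed = Set.of("/nifi-proxy");              // constructed allow-list
        Map<String, String> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        headers.put("x-proxycontextpath", "/nifi-proxy/");        // constructed request header
        String path = resolveCookiePath(headers, allowed);
        System.out.println(buildSetCookie("__Secure-Example-Token", "opaque", path));
        try {
            buildSetCookie("__Host-Example-Token", "opaque", path);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```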