Posted to commits@nifi.apache.org by mc...@apache.org on 2016/04/07 22:23:30 UTC
[2/9] nifi git commit: Revert "NIFI-1551:"
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestAuthorizationProvider.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestAuthorizationProvider.java
new file mode 100644
index 0000000..aa8a518
--- /dev/null
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestAuthorizationProvider.java
@@ -0,0 +1,180 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.integration.util;
+
+import java.util.EnumSet;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import org.apache.nifi.authorization.Authority;
+import org.apache.nifi.authorization.AuthorityProvider;
+import org.apache.nifi.authorization.AuthorityProviderConfigurationContext;
+import org.apache.nifi.authorization.AuthorityProviderInitializationContext;
+import org.apache.nifi.authorization.exception.AuthorityAccessException;
+import org.apache.nifi.authorization.exception.ProviderCreationException;
+import org.apache.nifi.authorization.exception.UnknownIdentityException;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.authorization.DownloadAuthorization;
+
+/**
+ *
+ */
+public class NiFiTestAuthorizationProvider implements AuthorityProvider {
+
+ private final Map<String, Set<Authority>> users;
+
+ /**
+ * Creates a new FileAuthorizationProvider.
+ */
+ public NiFiTestAuthorizationProvider() {
+ users = new HashMap<>();
+ users.put("CN=localhost, OU=Apache NiFi, O=Apache, L=Santa Monica, ST=CA, C=US", EnumSet.of(Authority.ROLE_PROXY));
+ users.put("CN=Lastname Firstname Middlename monitor, OU=Unknown, OU=Unknown, OU=Unknown, O=Unknown, C=Unknown", EnumSet.of(Authority.ROLE_MONITOR));
+ users.put("CN=Lastname Firstname Middlename dfm, OU=Unknown, OU=Unknown, OU=Unknown, O=Unknown, C=Unknown", EnumSet.of(Authority.ROLE_DFM));
+ users.put("CN=Lastname Firstname Middlename admin, OU=Unknown, OU=Unknown, OU=Unknown, O=Unknown, C=Unknown", EnumSet.of(Authority.ROLE_ADMIN));
+ users.put("user@nifi", EnumSet.of(Authority.ROLE_DFM));
+ }
+
+ @Override
+ public void initialize(AuthorityProviderInitializationContext initializationContext) throws ProviderCreationException {
+ }
+
+ @Override
+ public void onConfigured(AuthorityProviderConfigurationContext configurationContext) throws ProviderCreationException {
+ }
+
+ @Override
+ public void preDestruction() {
+ }
+
+ private void checkDn(String dn) throws UnknownIdentityException {
+ if (!users.containsKey(dn)) {
+ throw new UnknownIdentityException("Unknown user: " + dn);
+ }
+ }
+
+ /**
+ * Determines if the specified dn is known to this authority provider.
+ *
+ * @param dn dn
+ * @return True if he dn is known, false otherwise
+ */
+ @Override
+ public boolean doesDnExist(String dn) throws AuthorityAccessException {
+ try {
+ checkDn(dn);
+ return true;
+ } catch (UnknownIdentityException uie) {
+ return false;
+ }
+ }
+
+ /**
+ * Loads the authorities for the specified user.
+ *
+ * @param dn dn
+ * @return authorities
+ * @throws UnknownIdentityException ex
+ * @throws AuthorityAccessException ex
+ */
+ @Override
+ public Set<Authority> getAuthorities(String dn) throws UnknownIdentityException, AuthorityAccessException {
+ checkDn(dn);
+ return new HashSet<>(users.get(dn));
+ }
+
+ /**
+ * Sets the specified authorities to the specified user.
+ *
+ * @param dn dn
+ * @param authorities authorities
+ * @throws AuthorityAccessException ex
+ */
+ @Override
+ public void setAuthorities(String dn, Set<Authority> authorities) throws UnknownIdentityException, AuthorityAccessException {
+ }
+
+ /**
+ * Adds the specified user.
+ *
+ * @param dn dn
+ * @param group group
+ * @throws UnknownIdentityException ex
+ * @throws AuthorityAccessException ex
+ */
+ @Override
+ public void addUser(String dn, String group) throws AuthorityAccessException {
+ }
+
+ /**
+ * Gets the users for the specified authority.
+ *
+ * @param authority authority
+ * @return users
+ * @throws AuthorityAccessException ex
+ */
+ @Override
+ public Set<String> getUsers(Authority authority) throws AuthorityAccessException {
+ Set<String> usersForAuthority = new HashSet<>();
+ for (String dn : users.keySet()) {
+ if (users.get(dn).contains(authority)) {
+ usersForAuthority.add(dn);
+ }
+ }
+ return usersForAuthority;
+ }
+
+ /**
+ * Removes the specified user.
+ *
+ * @param dn dn
+ * @throws UnknownIdentityException ex
+ * @throws AuthorityAccessException ex
+ */
+ @Override
+ public void revokeUser(String dn) throws UnknownIdentityException, AuthorityAccessException {
+ }
+
+ @Override
+ public String getGroupForUser(String dn) throws UnknownIdentityException, AuthorityAccessException {
+ return StringUtils.EMPTY;
+ }
+
+ @Override
+ public void revokeGroup(String group) throws UnknownIdentityException, AuthorityAccessException {
+ }
+
+ @Override
+ public void setUsersGroup(Set<String> dn, String group) throws UnknownIdentityException, AuthorityAccessException {
+ }
+
+ @Override
+ public void ungroupUser(String dn) throws UnknownIdentityException, AuthorityAccessException {
+ }
+
+ @Override
+ public void ungroup(String group) throws UnknownIdentityException, AuthorityAccessException {
+ }
+
+ @Override
+ public DownloadAuthorization authorizeDownload(List<String> dnChain, Map<String, String> attributes) throws UnknownIdentityException, AuthorityAccessException {
+ return DownloadAuthorization.approved();
+ }
+
+}
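Review bot: The constructor Javadoc says "Creates a new FileAuthorizationProvider.", which names a different class; it should read `Creates a new NiFiTestAuthorizationProvider backed by a fixed set of test identities.` Two style points follow: doesDnExist throws and catches UnknownIdentityException to answer a membership question that `return users.containsKey(dn);` answers directly, and getUsers re-reads each key inside its loop, which `for (Map.Entry<String, Set<Authority>> entry : users.entrySet())` with `entry.getValue().contains(authority)` avoids. The doesDnExist `@return` text "True if he dn is known" should read "True if the dn is known".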
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestAuthorizer.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestAuthorizer.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestAuthorizer.java
deleted file mode 100644
index 5795b69..0000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestAuthorizer.java
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.integration.util;
-
-import org.apache.nifi.authorization.AuthorizationRequest;
-import org.apache.nifi.authorization.AuthorizationResult;
-import org.apache.nifi.authorization.Authorizer;
-import org.apache.nifi.authorization.AuthorizerConfigurationContext;
-import org.apache.nifi.authorization.AuthorizerInitializationContext;
-import org.apache.nifi.authorization.exception.AuthorizationAccessException;
-import org.apache.nifi.authorization.exception.AuthorizerCreationException;
-
-/**
- *
- */
-public class NiFiTestAuthorizer implements Authorizer {
-
-
- /**
- * Creates a new FileAuthorizationProvider.
- */
- public NiFiTestAuthorizer() {
- }
-
- @Override
- public void initialize(AuthorizerInitializationContext initializationContext) throws AuthorizerCreationException {
- }
-
- @Override
- public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException {
- }
-
- @Override
- public AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException {
- return AuthorizationResult.approved();
- }
-
- @Override
- public void preDestruction() {
- }
-
-}
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestLoginIdentityProvider.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestLoginIdentityProvider.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestLoginIdentityProvider.java
index 967f652..c023ce1 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestLoginIdentityProvider.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestLoginIdentityProvider.java
@@ -16,6 +16,10 @@
*/
package org.apache.nifi.integration.util;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.concurrent.TimeUnit;
+import org.apache.nifi.authorization.exception.ProviderCreationException;
import org.apache.nifi.authentication.AuthenticationResponse;
import org.apache.nifi.authentication.LoginCredentials;
import org.apache.nifi.authentication.LoginIdentityProvider;
@@ -23,11 +27,6 @@ import org.apache.nifi.authentication.LoginIdentityProviderConfigurationContext;
import org.apache.nifi.authentication.LoginIdentityProviderInitializationContext;
import org.apache.nifi.authentication.exception.IdentityAccessException;
import org.apache.nifi.authentication.exception.InvalidLoginCredentialsException;
-import org.apache.nifi.authentication.exception.ProviderCreationException;
-
-import java.util.HashMap;
-import java.util.Map;
-import java.util.concurrent.TimeUnit;
/**
*
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/META-INF/services/org.apache.nifi.authorization.AuthorityProvider
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/META-INF/services/org.apache.nifi.authorization.AuthorityProvider b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/META-INF/services/org.apache.nifi.authorization.AuthorityProvider
new file mode 100644
index 0000000..dcdc53e
--- /dev/null
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/META-INF/services/org.apache.nifi.authorization.AuthorityProvider
@@ -0,0 +1,15 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+org.apache.nifi.integration.util.NiFiTestAuthorizationProvider
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/META-INF/services/org.apache.nifi.authorization.Authorizer
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/META-INF/services/org.apache.nifi.authorization.Authorizer b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/META-INF/services/org.apache.nifi.authorization.Authorizer
deleted file mode 100644
index e7d65f4..0000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/META-INF/services/org.apache.nifi.authorization.Authorizer
+++ /dev/null
@@ -1,15 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-org.apache.nifi.integration.util.NiFiTestAuthorizer
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/access-control/authority-providers.xml
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/access-control/authority-providers.xml b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/access-control/authority-providers.xml
index a3fb088..418f717 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/access-control/authority-providers.xml
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/resources/access-control/authority-providers.xml
@@ -19,6 +19,6 @@
<authorityProviders>
<provider>
<identifier>test-provider</identifier>
- <class>org.apache.nifi.integration.util.NiFiTestAuthorizer</class>
+ <class>org.apache.nifi.integration.util.NiFiTestAuthorizationProvider</class>
</provider>
</authorityProviders>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationFilter.java
index 7108edb..0520ac8 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationFilter.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationFilter.java
@@ -25,15 +25,19 @@ import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.user.NiFiUser;
import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.token.NiFiAuthorizationRequestToken;
import org.apache.nifi.web.security.user.NiFiUserUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.springframework.security.authentication.AccountStatusException;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.web.filter.GenericFilterBean;
/**
@@ -61,41 +65,72 @@ public abstract class NiFiAuthenticationFilter extends GenericFilterBean {
}
private boolean requiresAuthentication(final HttpServletRequest request) {
- return NiFiUserUtils.getNiFiUser() == null;
+ // continue attempting authorization if the user is anonymous
+ if (isAnonymousUser()) {
+ return true;
+ }
+
+ // or there is no user yet
+ return NiFiUserUtils.getNiFiUser() == null && NiFiUserUtils.getNewAccountRequest() == null;
+ }
+
+ private boolean isAnonymousUser() {
+ final NiFiUser user = NiFiUserUtils.getNiFiUser();
+ return user != null && NiFiUser.ANONYMOUS_USER_IDENTITY.equals(user.getIdentity());
}
private void authenticate(final HttpServletRequest request, final HttpServletResponse response, final FilterChain chain) throws IOException, ServletException {
String dnChain = null;
try {
- final Authentication authenticationRequest = attemptAuthentication(request);
- if (authenticationRequest != null) {
+ final NiFiAuthorizationRequestToken authenticated = attemptAuthentication(request);
+ if (authenticated != null) {
+ dnChain = ProxiedEntitiesUtils.formatProxyDn(StringUtils.join(authenticated.getChain(), "><"));
+
// log the request attempt - response details will be logged later
- log.info(String.format("Attempting request for (%s) %s %s (source ip: %s)", authenticationRequest.toString(), request.getMethod(),
+ log.info(String.format("Attempting request for (%s) %s %s (source ip: %s)", dnChain, request.getMethod(),
request.getRequestURL().toString(), request.getRemoteAddr()));
// attempt to authorize the user
- final Authentication authenticated = authenticationManager.authenticate(authenticationRequest);
- successfulAuthorization(request, response, authenticated);
+ final Authentication authorized = authenticationManager.authenticate(authenticated);
+ successfulAuthorization(request, response, authorized);
}
// continue
chain.doFilter(request, response);
- } catch (final AuthenticationException ae) {
+ } catch (final InvalidAuthenticationException iae) {
// invalid authentication - always error out
- unsuccessfulAuthorization(request, response, ae);
+ unsuccessfulAuthorization(request, response, iae);
+ } catch (final AuthenticationException ae) {
+ // other authentication exceptions... if we are already the anonymous user, allow through otherwise error out
+ if (isAnonymousUser()) {
+ if (dnChain == null) {
+ log.info(String.format("Continuing as anonymous user. Unable to authenticate %s: %s", dnChain, ae));
+ } else {
+ log.info(String.format("Continuing as anonymous user. Unable to authenticate: %s", ae));
+ }
+
+ chain.doFilter(request, response);
+ } else {
+ unsuccessfulAuthorization(request, response, ae);
+ }
}
}
/**
- * Attempt to extract an authentication attempt from the specified request.
+ * Attempt to authenticate the client making the request. If the request does not contain an authentication attempt, this method should return null. If the request contains an authentication
+ * request, the implementation should convert it to a NiFiAuthorizationRequestToken (which is used when authorizing the client). Implementations should throw InvalidAuthenticationException when
+ * the request contains an authentication request but it could not be authenticated.
*
* @param request The request
- * @return The authentication attempt or null if none is found int he request
+ * @return The NiFiAutorizationRequestToken used to later authorized the client
+ * @throws InvalidAuthenticationException If the request contained an authentication attempt, but could not authenticate
*/
- public abstract Authentication attemptAuthentication(HttpServletRequest request);
+ public abstract NiFiAuthorizationRequestToken attemptAuthentication(HttpServletRequest request);
protected void successfulAuthorization(HttpServletRequest request, HttpServletResponse response, Authentication authResult) {
- log.info("Authentication success for " + authResult);
+ if (log.isDebugEnabled()) {
+ log.debug("Authentication success: " + authResult);
+ }
SecurityContextHolder.getContext().setAuthentication(authResult);
ProxiedEntitiesUtils.successfulAuthorization(request, response, authResult);
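Review bot: The two log branches in the anonymous fallback of authenticate are inverted: when dnChain is null the format that prints the chain is used (it logs the literal "null"), and when a chain exists it is dropped; the branches should be swapped so the null case logs `"Continuing as anonymous user. Unable to authenticate: %s", ae` and the non-null case logs `"Continuing as anonymous user. Unable to authenticate %s: %s", dnChain, ae`. Note also that any AuthenticationException other than InvalidAuthenticationException, which presumably includes the AccountStatusException handled further down, lets the request proceed under the anonymous identity with only an info-level log whenever an anonymous user is already set, so the FORBIDDEN handling for disabled or pending accounts is only reached when no anonymous user exists; worth confirming that precedence is intended. In the attemptAuthentication Javadoc, "NiFiAutorizationRequestToken used to later authorized the client" should read "NiFiAuthorizationRequestToken used to later authorize the client".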
@@ -112,9 +147,20 @@ public abstract class NiFiAuthenticationFilter extends GenericFilterBean {
PrintWriter out = response.getWriter();
// use the type of authentication exception to determine the response code
- if (ae instanceof InvalidAuthenticationException) {
+ if (ae instanceof UsernameNotFoundException) {
+ if (properties.getSupportNewAccountRequests()) {
+ response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+ out.println("Not authorized.");
+ } else {
+ response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+ out.println("Access is denied.");
+ }
+ } else if (ae instanceof InvalidAuthenticationException) {
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
out.println(ae.getMessage());
+ } else if (ae instanceof AccountStatusException) {
+ response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+ out.println(ae.getMessage());
} else if (ae instanceof UntrustedProxyException) {
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
out.println(ae.getMessage());
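Review bot: The new AccountStatusException branch, like the InvalidAuthenticationException one, writes `ae.getMessage()` straight into the response body, while the new UsernameNotFoundException branch uses fixed text; the response content type is set outside this hunk, so whether that text needs escaping cannot be judged here, but if the body is not served as text/plain the message should be escaped or replaced by a fixed string such as the other branch uses. A short comment on the UsernameNotFoundException branch would help readers, e.g. `// unknown identity: 401 invites an account request when those are enabled, otherwise 403`. The enclosing method starts before this hunk.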
@@ -137,6 +183,39 @@ public abstract class NiFiAuthenticationFilter extends GenericFilterBean {
}
}
+ /**
+ * Determines if the specified request is attempting to register a new user account.
+ *
+ * @param request http request
+ * @return true if new user
+ */
+ protected final boolean isNewAccountRequest(HttpServletRequest request) {
+ if ("POST".equalsIgnoreCase(request.getMethod())) {
+ String path = request.getPathInfo();
+ if (StringUtils.isNotBlank(path)) {
+ if ("/controller/users".equals(path)) {
+ return true;
+ }
+ }
+ }
+ return false;
+ }
+
+ /**
+ * Extracts the justification from the specified request.
+ *
+ * @param request The request
+ * @return The justification
+ */
+ protected final String getJustification(HttpServletRequest request) {
+ // get the justification
+ String justification = request.getParameter("justification");
+ if (justification == null) {
+ justification = StringUtils.EMPTY;
+ }
+ return justification;
+ }
+
@Override
public void destroy() {
}
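Review bot: isNewAccountRequest nests three conditionals where one expression suffices, and the isNotBlank guard is redundant because equals already handles a null path: `return "POST".equalsIgnoreCase(request.getMethod()) && "/controller/users".equals(request.getPathInfo());`. The exact-match comparison means a trailing-slash variant of the path is not treated as a new-account request; that may be intended, but it is worth confirming against how the endpoint is mapped. getJustification can use the StringUtils helper already imported in this file: `return StringUtils.defaultString(request.getParameter("justification"));`.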
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationProvider.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationProvider.java
new file mode 100644
index 0000000..e51a26e
--- /dev/null
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationProvider.java
@@ -0,0 +1,73 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security;
+
+import org.apache.nifi.web.security.token.NewAccountAuthorizationRequestToken;
+import org.apache.nifi.web.security.token.NewAccountAuthorizationToken;
+import org.apache.nifi.web.security.token.NiFiAuthorizationRequestToken;
+import org.apache.nifi.web.security.token.NiFiAuthorizationToken;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+
+/**
+ *
+ */
+public class NiFiAuthenticationProvider implements AuthenticationProvider {
+
+ private final AuthenticationUserDetailsService<NiFiAuthorizationRequestToken> userDetailsService;
+
+ public NiFiAuthenticationProvider(final AuthenticationUserDetailsService<NiFiAuthorizationRequestToken> userDetailsService) {
+ this.userDetailsService = userDetailsService;
+ }
+
+ @Override
+ public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+ final NiFiAuthorizationRequestToken request = (NiFiAuthorizationRequestToken) authentication;
+
+ try {
+ // defer to the nifi user details service to authorize the user
+ final UserDetails userDetails = userDetailsService.loadUserDetails(request);
+
+ // build a token for accesing nifi
+ final NiFiAuthorizationToken result = new NiFiAuthorizationToken(userDetails);
+ result.setDetails(request.getDetails());
+ return result;
+ } catch (final UsernameNotFoundException unfe) {
+ // if the authorization request is for a new account and it could not be authorized because the user was not found,
+ // return the token so the new account could be created. this must go here to ensure that any proxies have been authorized
+ if (isNewAccountAuthenticationToken(request)) {
+ return new NewAccountAuthorizationToken(((NewAccountAuthorizationRequestToken) authentication).getNewAccountRequest());
+ } else {
+ throw unfe;
+ }
+ }
+ }
+
+ private boolean isNewAccountAuthenticationToken(final Authentication authentication) {
+ return NewAccountAuthorizationRequestToken.class.isAssignableFrom(authentication.getClass());
+ }
+
+ @Override
+ public boolean supports(Class<?> authentication) {
+ return NiFiAuthorizationRequestToken.class.isAssignableFrom(authentication);
+ }
+
+}
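Review bot: The catch in authenticate treats every UsernameNotFoundException as "the end user is unknown" and, for a NewAccountAuthorizationRequestToken, returns a NewAccountAuthorizationToken; the inline comment says proxies must already have been authorized by that point, but that depends on the user details service never raising UsernameNotFoundException for an unknown proxy in the chain, which should be confirmed in the loadUserDetails implementation (NiFiAuthorizationService, later in this commit). The success path copies `request.getDetails()` onto the result while the new-account path does not; if that is unintentional the details should be set on that token as well. isNewAccountAuthenticationToken is equivalent to `authentication instanceof NewAccountAuthorizationRequestToken`, which reads more directly and could replace the separate cast. The empty class Javadoc could say `Spring Security AuthenticationProvider that authorizes NiFiAuthorizationRequestTokens through the NiFi user details service.`, and "accesing" in the inline comment should be "accessing".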
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousUserFilter.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousUserFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousUserFilter.java
index 19ae0bb..05c5fb8 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousUserFilter.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousUserFilter.java
@@ -16,17 +16,20 @@
*/
package org.apache.nifi.web.security.anonymous;
+import java.util.EnumSet;
+import javax.servlet.http.HttpServletRequest;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.admin.service.AdministrationException;
import org.apache.nifi.admin.service.UserService;
+import org.apache.nifi.authorization.Authority;
import org.apache.nifi.user.NiFiUser;
-import org.apache.nifi.web.security.token.NiFiAuthenticationToken;
import org.apache.nifi.web.security.user.NiFiUserDetails;
+import org.apache.nifi.web.security.token.NiFiAuthorizationToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
-import javax.servlet.http.HttpServletRequest;
-
/**
* Custom AnonymouseAuthenticationFilter used to grant additional authorities depending on the current operating mode.
*/
@@ -44,7 +47,35 @@ public class NiFiAnonymousUserFilter extends AnonymousAuthenticationFilter {
@Override
protected Authentication createAuthentication(HttpServletRequest request) {
- return new NiFiAuthenticationToken(new NiFiUserDetails(NiFiUser.ANONYMOUS));
+ Authentication authentication = null;
+
+ try {
+ // load the anonymous user from the database
+ NiFiUser user = userService.getUserByDn(NiFiUser.ANONYMOUS_USER_IDENTITY);
+
+ // if this is an unsecure request allow full access
+ if (!request.isSecure()) {
+ user.getAuthorities().addAll(EnumSet.allOf(Authority.class));
+ }
+
+ // only create an authentication token if the anonymous user has some authorities or they are accessing a ui
+ // extension. ui extensions have run this security filter but we shouldn't require authentication/authorization
+ // when accessing static resources like images, js, and css. authentication/authorization is required when
+ // interacting with nifi however and that will be verified in the NiFiWebContext or NiFiWebConfigurationContext
+ if (!user.getAuthorities().isEmpty() || !request.getContextPath().startsWith("/nifi-api")) {
+ NiFiUserDetails userDetails = new NiFiUserDetails(user);
+
+ // get the granted authorities
+ authentication = new NiFiAuthorizationToken(userDetails);
+ }
+ } catch (AdministrationException ase) {
+ // record the issue
+ anonymousUserFilterLogger.warn("Unable to load anonymous user from accounts database: " + ase.getMessage());
+ if (anonymousUserFilterLogger.isDebugEnabled()) {
+ anonymousUserFilterLogger.warn(StringUtils.EMPTY, ase);
+ }
+ }
+ return authentication;
}
/* setters */
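Review bot: The debug-guarded statement in the AdministrationException catch of createAuthentication logs at warn inside an isDebugEnabled check; it should be `anonymousUserFilterLogger.debug(StringUtils.EMPTY, ase);` so the guard and the level agree. For non-secure requests the code calls `user.getAuthorities().addAll(EnumSet.allOf(Authority.class))` on the NiFiUser returned by userService.getUserByDn; if that object or its authority set is shared or cached rather than freshly built per call, the grant-all would persist into later requests, including secure ones — confirm, and if in doubt build a per-request copy of the authorities before adding to it. Whether getUserByDn can return null when no anonymous account exists is not visible here; if it can, the user.getAuthorities() call would fail outside the AdministrationException catch, so a null check or a comment stating the non-null contract would help.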
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/authorization/NiFiAuthorizationService.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/authorization/NiFiAuthorizationService.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/authorization/NiFiAuthorizationService.java
new file mode 100644
index 0000000..dd87cfa
--- /dev/null
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/authorization/NiFiAuthorizationService.java
@@ -0,0 +1,171 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.authorization;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.ListIterator;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.admin.service.AccountDisabledException;
+import org.apache.nifi.admin.service.AccountNotFoundException;
+import org.apache.nifi.admin.service.AccountPendingException;
+import org.apache.nifi.admin.service.AdministrationException;
+import org.apache.nifi.admin.service.UserService;
+import org.apache.nifi.authorization.Authority;
+import org.apache.nifi.user.NiFiUser;
+import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.UntrustedProxyException;
+import org.apache.nifi.web.security.user.NiFiUserDetails;
+import org.apache.nifi.web.security.token.NiFiAuthorizationRequestToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.dao.DataAccessException;
+import org.springframework.security.authentication.AccountStatusException;
+import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+
+/**
+ * UserDetailsService that will verify user identity and grant user authorities.
+ */
+public class NiFiAuthorizationService implements AuthenticationUserDetailsService<NiFiAuthorizationRequestToken> {
+
+ private static final Logger logger = LoggerFactory.getLogger(NiFiAuthorizationService.class);
+
+ private UserService userService;
+ private NiFiProperties properties;
+
+ /**
+ * Loads the user details for the specified dn.
+ *
+ * Synchronizing because we want each request to be authorized atomically since each may contain any number of DNs. We wanted an access decision made for each individual request as a whole
+ * (without other request potentially impacting it).
+ *
+ * @param request request
+ * @return user details
+ * @throws UsernameNotFoundException ex
+ * @throws org.springframework.dao.DataAccessException ex
+ */
+ @Override
+ public synchronized UserDetails loadUserDetails(NiFiAuthorizationRequestToken request) throws UsernameNotFoundException, DataAccessException {
+ NiFiUserDetails userDetails = null;
+ final List<String> chain = new ArrayList<>(request.getChain());
+
+ // ensure valid input
+ if (chain.isEmpty()) {
+ logger.warn("Malformed proxy chain: " + StringUtils.join(request.getChain()));
+ throw new UntrustedProxyException("Malformed proxy chain.");
+ }
+
+ NiFiUser proxy = null;
+
+ // process each part of the proxy chain
+ for (final ListIterator<String> chainIter = request.getChain().listIterator(chain.size()); chainIter.hasPrevious();) {
+ final String dn = chainIter.previous();
+
+ // if there is another dn after this one, this dn is a proxy for the request
+ if (chainIter.hasPrevious()) {
+ try {
+ // get the user details for the proxy
+ final NiFiUserDetails proxyDetails = getNiFiUserDetails(dn);
+ final NiFiUser user = proxyDetails.getNiFiUser();
+
+ // verify the proxy has the appropriate role
+ if (!user.getAuthorities().contains(Authority.ROLE_PROXY)) {
+ logger.warn(String.format("Proxy '%s' must have '%s' authority. Current authorities: %s", dn, Authority.ROLE_PROXY.toString(), StringUtils.join(user.getAuthorities(), ", ")));
+ throw new UntrustedProxyException(String.format("Untrusted proxy '%s' must be authorized with '%s'.", dn, Authority.ROLE_PROXY.toString()));
+ }
+
+ // if we've already encountered a proxy, update the chain
+ if (proxy != null) {
+ user.setChain(proxy);
+ }
+
+ // record this user as the proxy for the next user in the chain
+ proxy = user;
+ } catch (UsernameNotFoundException unfe) {
+ // if this proxy is a new user, conditionally create a new account automatically
+ if (properties.getSupportNewAccountRequests()) {
+ try {
+ logger.warn(String.format("Automatic account request generated for unknown proxy: %s", dn));
+
+ // attempt to create a new user account for the proxying client
+ userService.createPendingUserAccount(dn, "Automatic account request generated for unknown proxy.");
+ } catch (AdministrationException ae) {
+ throw new AuthenticationServiceException(String.format("Unable to create an account request for '%s': %s", dn, ae.getMessage()), ae);
+ } catch (IllegalArgumentException iae) {
+ // check then modified... account didn't exist when getting the user details but did when
+ // attempting to auto create the user account request
+ final String message = String.format("Account request was already submitted for '%s'", dn);
+ logger.warn(message);
+ throw new AccountStatusException(message) {
+ };
+ }
+ }
+
+ logger.warn(String.format("Untrusted proxy '%s' must be authorized with '%s' authority: %s", dn, Authority.ROLE_PROXY.toString(), unfe.getMessage()));
+ throw new UntrustedProxyException(String.format("Untrusted proxy '%s' must be authorized with '%s'.", dn, Authority.ROLE_PROXY.toString()));
+ } catch (AuthenticationException ae) {
+ logger.warn(String.format("Untrusted proxy '%s' must be authorized with '%s' authority: %s", dn, Authority.ROLE_PROXY.toString(), ae.getMessage()));
+ throw new UntrustedProxyException(String.format("Untrusted proxy '%s' must be authorized with '%s'.", dn, Authority.ROLE_PROXY.toString()));
+ }
+ } else {
+ userDetails = getNiFiUserDetails(dn);
+
+ // if we've already encountered a proxy, update the chain
+ if (proxy != null) {
+ final NiFiUser user = userDetails.getNiFiUser();
+ user.setChain(proxy);
+ }
+ }
+ }
+
+ return userDetails;
+ }
+
+ /**
+ * Loads the user details for the specified dn.
+ *
+ * @param dn user dn
+ * @return user detail
+ */
+ private NiFiUserDetails getNiFiUserDetails(String dn) {
+ try {
+ NiFiUser user = userService.checkAuthorization(dn);
+ return new NiFiUserDetails(user);
+ } catch (AdministrationException ase) {
+ throw new AuthenticationServiceException(String.format("An error occurred while accessing the user credentials for '%s': %s", dn, ase.getMessage()), ase);
+ } catch (AccountDisabledException | AccountPendingException e) {
+ throw new AccountStatusException(e.getMessage(), e) {
+ };
+ } catch (AccountNotFoundException anfe) {
+ throw new UsernameNotFoundException(anfe.getMessage());
+ }
+ }
+
+ /* setters */
+ public void setUserService(UserService userService) {
+ this.userService = userService;
+ }
+
+ public void setProperties(NiFiProperties properties) {
+ this.properties = properties;
+ }
+
+}
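Review bot: The `for` header in `loadUserDetails` walks `request.getChain().listIterator(chain.size())` even though the method has just taken a defensive copy into `chain`, so the copy is used only for its size and the original list is what is iterated; `for (final ListIterator<String> chainIter = chain.listIterator(chain.size()); chainIter.hasPrevious();) {` keeps the walk on the snapshot. The malformed-chain warning is reached only when the chain is empty, so `StringUtils.join(request.getChain())` always logs an empty string after the colon; the message alone conveys the condition and the join can go. In `getNiFiUserDetails` the `AccountNotFoundException` is rethrown as `UsernameNotFoundException(anfe.getMessage())` without its cause, unlike the neighbouring catches that keep it; `throw new UsernameNotFoundException(anfe.getMessage(), anfe);` preserves the original stack for diagnosis.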
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java
index 4f7383e..bd468e4 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java
@@ -16,13 +16,18 @@
*/
package org.apache.nifi.web.security.jwt;
+import io.jsonwebtoken.JwtException;
import org.apache.commons.lang3.StringUtils;
+import org.apache.nifi.web.security.InvalidAuthenticationException;
import org.apache.nifi.web.security.NiFiAuthenticationFilter;
+import org.apache.nifi.web.security.token.NewAccountAuthorizationRequestToken;
+import org.apache.nifi.web.security.token.NiFiAuthorizationRequestToken;
+import org.apache.nifi.web.security.user.NewAccountRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import org.springframework.security.core.Authentication;
import javax.servlet.http.HttpServletRequest;
+import java.util.Arrays;
/**
*/
@@ -31,11 +36,12 @@ public class JwtAuthenticationFilter extends NiFiAuthenticationFilter {
private static final Logger logger = LoggerFactory.getLogger(JwtAuthenticationFilter.class);
public static final String AUTHORIZATION = "Authorization";
- public static final String BEARER = "Bearer ";
+
+ private JwtService jwtService;
@Override
- public Authentication attemptAuthentication(final HttpServletRequest request) {
- // only support jwt login when running securely
+ public NiFiAuthorizationRequestToken attemptAuthentication(final HttpServletRequest request) {
+ // only suppport jwt login when running securely
if (!request.isSecure()) {
return null;
}
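Review bot: The rewritten comment above the `isSecure()` check introduces a typo, `suppport`, where the removed line had it right: `// only support jwt login when running securely`. The body of `attemptAuthentication` continues outside this hunk.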
@@ -46,12 +52,28 @@ public class JwtAuthenticationFilter extends NiFiAuthenticationFilter {
final String authorization = request.getHeader(AUTHORIZATION);
// if there is no authorization header, we don't know the user
- if (authorization == null || !StringUtils.startsWith(authorization, BEARER)) {
+ if (authorization == null || !StringUtils.startsWith(authorization, "Bearer ")) {
return null;
} else {
// Extract the Base64 encoded token from the Authorization header
final String token = StringUtils.substringAfterLast(authorization, " ");
- return new JwtAuthenticationRequestToken(token);
+
+ try {
+ final String jwtPrincipal = jwtService.getAuthenticationFromToken(token);
+
+ if (isNewAccountRequest(request)) {
+ return new NewAccountAuthorizationRequestToken(new NewAccountRequest(Arrays.asList(jwtPrincipal), getJustification(request)));
+ } else {
+ return new NiFiAuthorizationRequestToken(Arrays.asList(jwtPrincipal));
+ }
+ } catch (JwtException e) {
+ throw new InvalidAuthenticationException(e.getMessage(), e);
+ }
}
}
+
+ public void setJwtService(JwtService jwtService) {
+ this.jwtService = jwtService;
+ }
+
}
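Review bot: The new header check inlines the `"Bearer "` literal that the `BEARER` constant removed in the hunk above used to name, which is a step backwards in style; a `private static final String BEARER = "Bearer ";` keeps the scheme prefix in one place. Now that the token is validated inside the filter, the pre-existing `StringUtils.substringAfterLast(authorization, " ")` extraction deserves a second look: it returns whatever follows the last space rather than what follows the prefix that was just checked, so a header containing further spaces yields a different token than the scheme implies; `StringUtils.substringAfter(authorization, BEARER)` matches the checked prefix. `isNewAccountRequest` and `getJustification` are not visible in this hunk and presumably come from `NiFiAuthenticationFilter`.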
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationProvider.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationProvider.java
deleted file mode 100644
index 289cc87..0000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationProvider.java
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.jwt;
-
-import io.jsonwebtoken.JwtException;
-import org.apache.nifi.user.NiFiUser;
-import org.apache.nifi.web.security.InvalidAuthenticationException;
-import org.apache.nifi.web.security.token.NiFiAuthenticationToken;
-import org.apache.nifi.web.security.user.NiFiUserDetails;
-import org.springframework.security.authentication.AuthenticationProvider;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.AuthenticationException;
-
-/**
- *
- */
-public class JwtAuthenticationProvider implements AuthenticationProvider {
-
- private final JwtService jwtService;
-
- public JwtAuthenticationProvider(JwtService jwtService) {
- this.jwtService = jwtService;
- }
-
- @Override
- public Authentication authenticate(Authentication authentication) throws AuthenticationException {
- final JwtAuthenticationRequestToken request = (JwtAuthenticationRequestToken) authentication;
-
- try {
- final String jwtPrincipal = jwtService.getAuthenticationFromToken(request.getToken());
- final NiFiUser user = new NiFiUser(jwtPrincipal);
- return new NiFiAuthenticationToken(new NiFiUserDetails(user));
- } catch (JwtException e) {
- throw new InvalidAuthenticationException(e.getMessage(), e);
- }
- }
-
- @Override
- public boolean supports(Class<?> authentication) {
- return JwtAuthenticationRequestToken.class.isAssignableFrom(authentication);
- }
-}
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationRequestToken.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationRequestToken.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationRequestToken.java
deleted file mode 100644
index 0be30bf..0000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationRequestToken.java
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.jwt;
-
-import org.springframework.security.authentication.AbstractAuthenticationToken;
-
-/**
- * This is an authentication request with a given JWT token.
- */
-public class JwtAuthenticationRequestToken extends AbstractAuthenticationToken {
-
- private final String token;
-
- /**
- * Creates a representation of the jwt authentication request for a user.
- *
- * @param token The unique token for this user
- */
- public JwtAuthenticationRequestToken(final String token) {
- super(null);
- setAuthenticated(false);
- this.token = token;
- }
-
- @Override
- public Object getCredentials() {
- return null;
- }
-
- @Override
- public Object getPrincipal() {
- return token;
- }
-
- public String getToken() {
- return token;
- }
-
- @Override
- public String toString() {
- return getName();
- }
-
-}
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/kerberos/KerberosServiceFactoryBean.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/kerberos/KerberosServiceFactoryBean.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/kerberos/KerberosServiceFactoryBean.java
new file mode 100644
index 0000000..8b834a1
--- /dev/null
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/kerberos/KerberosServiceFactoryBean.java
@@ -0,0 +1,74 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.kerberos;
+
+import org.apache.nifi.util.NiFiProperties;
+import org.springframework.beans.factory.FactoryBean;
+import org.springframework.core.io.FileSystemResource;
+import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
+import org.springframework.security.kerberos.authentication.KerberosTicketValidator;
+import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
+
+public class KerberosServiceFactoryBean implements FactoryBean<KerberosService> {
+
+ private KerberosService kerberosService = null;
+ private NiFiProperties properties = null;
+
+ @Override
+ public KerberosService getObject() throws Exception {
+ if (kerberosService == null && properties.isKerberosServiceSupportEnabled()) {
+ kerberosService = new KerberosService();
+ kerberosService.setKerberosServiceAuthenticationProvider(createKerberosServiceAuthenticationProvider());
+ }
+
+ return kerberosService;
+ }
+
+ @Override
+ public Class<?> getObjectType() {
+ return KerberosService.class;
+ }
+
+ @Override
+ public boolean isSingleton() {
+ return true;
+ }
+
+ public void setProperties(NiFiProperties properties) {
+ this.properties = properties;
+ }
+
+ private KerberosServiceAuthenticationProvider createKerberosServiceAuthenticationProvider() throws Exception {
+ KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider = new KerberosServiceAuthenticationProvider();
+ kerberosServiceAuthenticationProvider.setTicketValidator(createTicketValidator());
+ kerberosServiceAuthenticationProvider.setUserDetailsService(createAlternateKerberosUserDetailsService());
+ kerberosServiceAuthenticationProvider.afterPropertiesSet();
+ return kerberosServiceAuthenticationProvider;
+ }
+
+ private AlternateKerberosUserDetailsService createAlternateKerberosUserDetailsService() {
+ return new AlternateKerberosUserDetailsService();
+ }
+
+ private KerberosTicketValidator createTicketValidator() throws Exception {
+ SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
+ ticketValidator.setServicePrincipal(properties.getKerberosServicePrincipal());
+ ticketValidator.setKeyTabLocation(new FileSystemResource(properties.getKerberosKeytabLocation()));
+ ticketValidator.afterPropertiesSet();
+ return ticketValidator;
+ }
+}
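Review bot: The new class has no Javadoc even though it is a package move of the `spring.KerberosServiceFactoryBean` deleted further down, and a singleton `FactoryBean` whose `getObject()` may return `null` is worth a sentence; `/** FactoryBean that lazily builds the KerberosService; returns null when properties.isKerberosServiceSupportEnabled() is false. */` explains the contract. `getObject()` dereferences `properties` with no guard, so a missing `setProperties` wiring surfaces as a bare NullPointerException; `Objects.requireNonNull(properties, "properties");` at the top of `getObject()` (with a `java.util.Objects` import) names the real problem. The lazy assignment of `kerberosService` is unsynchronized; whether the container serialises `getObject()` calls for this bean is not visible here, so confirm before relying on it.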
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/node/NodeAuthorizedUserFilter.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/node/NodeAuthorizedUserFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/node/NodeAuthorizedUserFilter.java
index 03e1400..a3e6c3c 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/node/NodeAuthorizedUserFilter.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/node/NodeAuthorizedUserFilter.java
@@ -30,7 +30,7 @@ import org.apache.nifi.authentication.AuthenticationResponse;
import org.apache.nifi.web.security.user.NiFiUserDetails;
import org.apache.nifi.user.NiFiUser;
import org.apache.nifi.util.NiFiProperties;
-import org.apache.nifi.web.security.token.NiFiAuthenticationToken;
+import org.apache.nifi.web.security.token.NiFiAuthorizationToken;
import org.apache.nifi.web.security.x509.X509CertificateExtractor;
import org.apache.nifi.web.security.x509.X509IdentityProvider;
import org.apache.nifi.web.util.WebUtils;
@@ -96,7 +96,7 @@ public class NodeAuthorizedUserFilter extends GenericFilterBean {
httpServletRequest.getRequestURL().toString(), request.getRemoteAddr()));
// create the authorized nifi token
- final NiFiAuthenticationToken token = new NiFiAuthenticationToken(userDetails);
+ final NiFiAuthorizationToken token = new NiFiAuthorizationToken(userDetails);
SecurityContextHolder.getContext().setAuthentication(token);
}
}
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationFilter.java
index 5f5a3cd..7cf3eeb 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationFilter.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationFilter.java
@@ -16,12 +16,14 @@
*/
package org.apache.nifi.web.security.otp;
+import org.apache.nifi.web.security.InvalidAuthenticationException;
import org.apache.nifi.web.security.NiFiAuthenticationFilter;
+import org.apache.nifi.web.security.token.NiFiAuthorizationRequestToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import org.springframework.security.core.Authentication;
import javax.servlet.http.HttpServletRequest;
+import java.util.Arrays;
import java.util.regex.Pattern;
/**
@@ -39,8 +41,10 @@ public class OtpAuthenticationFilter extends NiFiAuthenticationFilter {
protected static final String ACCESS_TOKEN = "access_token";
+ private OtpService otpService;
+
@Override
- public Authentication attemptAuthentication(final HttpServletRequest request) {
+ public NiFiAuthorizationRequestToken attemptAuthentication(final HttpServletRequest request) {
// only support otp login when running securely
if (!request.isSecure()) {
return null;
@@ -53,18 +57,27 @@ public class OtpAuthenticationFilter extends NiFiAuthenticationFilter {
if (accessToken == null) {
return null;
} else {
- if (request.getContextPath().equals("/nifi-api")) {
- if (isDownloadRequest(request.getPathInfo())) {
- // handle download requests
- return new OtpAuthenticationRequestToken(accessToken, true);
+ try {
+ String identity = null;
+ if (request.getContextPath().equals("/nifi-api")) {
+ if (isDownloadRequest(request.getPathInfo())) {
+ // handle download requests
+ identity = otpService.getAuthenticationFromDownloadToken(accessToken);
+ }
+ } else {
+ // handle requests to other context paths (other UI extensions)
+ identity = otpService.getAuthenticationFromUiExtensionToken(accessToken);
}
- } else {
- // handle requests to other context paths (other UI extensions)
- return new OtpAuthenticationRequestToken(accessToken, false);
- }
- // the path is a support path for otp tokens
- return null;
+ // the path is a support path for otp tokens
+ if (identity == null) {
+ return null;
+ }
+
+ return new NiFiAuthorizationRequestToken(Arrays.asList(identity));
+ } catch (final OtpAuthenticationException oae) {
+ throw new InvalidAuthenticationException(oae.getMessage(), oae);
+ }
}
}
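Review bot: The comment `// the path is a support path for otp tokens`, carried over from the removed lines, now sits directly above the `identity == null` return, which is taken exactly when the path does not accept an otp token (an `/nifi-api` request that is not a download); `// no identity resolved: this path does not accept otp tokens` describes the branch it guards. `otpService` is populated only through the new setter, so an unwired filter fails with a NullPointerException on the first secure request rather than at startup; if the filter can be constructed outside container wiring, an `Objects.requireNonNull(otpService, "otpService")` before the `try` makes the failure explicit. `attemptAuthentication` begins outside this hunk.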
@@ -72,4 +85,8 @@ public class OtpAuthenticationFilter extends NiFiAuthenticationFilter {
return PROVENANCE_DOWNLOAD_PATTERN.matcher(pathInfo).matches() || QUEUE_DOWNLOAD_PATTERN.matcher(pathInfo).matches() || TEMPLATE_DOWNLOAD_PATTERN.matcher(pathInfo).matches();
}
+ public void setOtpService(OtpService otpService) {
+ this.otpService = otpService;
+ }
+
}
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationProvider.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationProvider.java
deleted file mode 100644
index 411efc1..0000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationProvider.java
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.otp;
-
-import org.apache.nifi.user.NiFiUser;
-import org.apache.nifi.web.security.InvalidAuthenticationException;
-import org.apache.nifi.web.security.token.NiFiAuthenticationToken;
-import org.apache.nifi.web.security.user.NiFiUserDetails;
-import org.springframework.security.authentication.AuthenticationProvider;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.AuthenticationException;
-
-/**
- *
- */
-public class OtpAuthenticationProvider implements AuthenticationProvider {
-
- private OtpService otpService;
-
- public OtpAuthenticationProvider(OtpService otpService) {
- this.otpService = otpService;
- }
-
- @Override
- public Authentication authenticate(Authentication authentication) throws AuthenticationException {
- final OtpAuthenticationRequestToken request = (OtpAuthenticationRequestToken) authentication;
-
- try {
- final String otpPrincipal;
- if (request.isDownloadToken()) {
- otpPrincipal = otpService.getAuthenticationFromDownloadToken(request.getToken());
- } else {
- otpPrincipal = otpService.getAuthenticationFromUiExtensionToken(request.getToken());
- }
- final NiFiUser user = new NiFiUser(otpPrincipal);
- return new NiFiAuthenticationToken(new NiFiUserDetails(user));
- } catch (OtpAuthenticationException e) {
- throw new InvalidAuthenticationException(e.getMessage(), e);
- }
- }
-
- @Override
- public boolean supports(Class<?> authentication) {
- return OtpAuthenticationRequestToken.class.isAssignableFrom(authentication);
- }
-}
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationRequestToken.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationRequestToken.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationRequestToken.java
deleted file mode 100644
index e5dd6ee..0000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/otp/OtpAuthenticationRequestToken.java
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.otp;
-
-import org.springframework.security.authentication.AbstractAuthenticationToken;
-
-/**
- * This is an authentication request with a given OTP token.
- */
-public class OtpAuthenticationRequestToken extends AbstractAuthenticationToken {
-
- private final String token;
- private final boolean isDownloadToken;
-
- /**
- * Creates a representation of the otp authentication request for a user.
- *
- * @param token The unique token for this user
- */
- public OtpAuthenticationRequestToken(final String token, final boolean isDownloadToken) {
- super(null);
- setAuthenticated(false);
- this.token = token;
- this.isDownloadToken = isDownloadToken;
- }
-
- @Override
- public Object getCredentials() {
- return null;
- }
-
- @Override
- public Object getPrincipal() {
- return token;
- }
-
- public String getToken() {
- return token;
- }
-
- public boolean isDownloadToken() {
- return isDownloadToken;
- }
-
- @Override
- public String toString() {
- return getName();
- }
-
-}
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/spring/KerberosServiceFactoryBean.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/spring/KerberosServiceFactoryBean.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/spring/KerberosServiceFactoryBean.java
deleted file mode 100644
index bbe15d1..0000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/spring/KerberosServiceFactoryBean.java
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.spring;
-
-import org.apache.nifi.util.NiFiProperties;
-import org.apache.nifi.web.security.kerberos.AlternateKerberosUserDetailsService;
-import org.apache.nifi.web.security.kerberos.KerberosService;
-import org.springframework.beans.factory.FactoryBean;
-import org.springframework.core.io.FileSystemResource;
-import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
-import org.springframework.security.kerberos.authentication.KerberosTicketValidator;
-import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
-
-public class KerberosServiceFactoryBean implements FactoryBean<KerberosService> {
-
- private KerberosService kerberosService = null;
- private NiFiProperties properties = null;
-
- @Override
- public KerberosService getObject() throws Exception {
- if (kerberosService == null && properties.isKerberosServiceSupportEnabled()) {
- kerberosService = new KerberosService();
- kerberosService.setKerberosServiceAuthenticationProvider(createKerberosServiceAuthenticationProvider());
- }
-
- return kerberosService;
- }
-
- @Override
- public Class<?> getObjectType() {
- return KerberosService.class;
- }
-
- @Override
- public boolean isSingleton() {
- return true;
- }
-
- public void setProperties(NiFiProperties properties) {
- this.properties = properties;
- }
-
- private KerberosServiceAuthenticationProvider createKerberosServiceAuthenticationProvider() throws Exception {
- KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider = new KerberosServiceAuthenticationProvider();
- kerberosServiceAuthenticationProvider.setTicketValidator(createTicketValidator());
- kerberosServiceAuthenticationProvider.setUserDetailsService(createAlternateKerberosUserDetailsService());
- kerberosServiceAuthenticationProvider.afterPropertiesSet();
- return kerberosServiceAuthenticationProvider;
- }
-
- private AlternateKerberosUserDetailsService createAlternateKerberosUserDetailsService() {
- return new AlternateKerberosUserDetailsService();
- }
-
- private KerberosTicketValidator createTicketValidator() throws Exception {
- SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
- ticketValidator.setServicePrincipal(properties.getKerberosServicePrincipal());
- ticketValidator.setKeyTabLocation(new FileSystemResource(properties.getKerberosKeytabLocation()));
- ticketValidator.afterPropertiesSet();
- return ticketValidator;
- }
-}
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/spring/LoginIdentityProviderFactoryBean.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/spring/LoginIdentityProviderFactoryBean.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/spring/LoginIdentityProviderFactoryBean.java
index 2ee187a..92a27ae 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/spring/LoginIdentityProviderFactoryBean.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/spring/LoginIdentityProviderFactoryBean.java
@@ -16,6 +16,21 @@
*/
package org.apache.nifi.web.security.spring;
+import java.io.File;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.util.HashMap;
+import java.util.Map;
+import javax.xml.XMLConstants;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBElement;
+import javax.xml.bind.JAXBException;
+import javax.xml.bind.Unmarshaller;
+import javax.xml.transform.stream.StreamSource;
+import javax.xml.validation.Schema;
+import javax.xml.validation.SchemaFactory;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.authentication.AuthenticationResponse;
import org.apache.nifi.authentication.LoginCredentials;
@@ -24,11 +39,11 @@ import org.apache.nifi.authentication.LoginIdentityProviderConfigurationContext;
import org.apache.nifi.authentication.LoginIdentityProviderInitializationContext;
import org.apache.nifi.authentication.LoginIdentityProviderLookup;
import org.apache.nifi.authentication.annotation.LoginIdentityProviderContext;
-import org.apache.nifi.authentication.exception.ProviderCreationException;
-import org.apache.nifi.authentication.exception.ProviderDestructionException;
import org.apache.nifi.authentication.generated.LoginIdentityProviders;
import org.apache.nifi.authentication.generated.Property;
import org.apache.nifi.authentication.generated.Provider;
+import org.apache.nifi.authorization.exception.ProviderCreationException;
+import org.apache.nifi.authorization.exception.ProviderDestructionException;
import org.apache.nifi.nar.ExtensionManager;
import org.apache.nifi.nar.NarCloseable;
import org.apache.nifi.util.NiFiProperties;
@@ -38,22 +53,6 @@ import org.springframework.beans.factory.DisposableBean;
import org.springframework.beans.factory.FactoryBean;
import org.xml.sax.SAXException;
-import javax.xml.XMLConstants;
-import javax.xml.bind.JAXBContext;
-import javax.xml.bind.JAXBElement;
-import javax.xml.bind.JAXBException;
-import javax.xml.bind.Unmarshaller;
-import javax.xml.transform.stream.StreamSource;
-import javax.xml.validation.Schema;
-import javax.xml.validation.SchemaFactory;
-import java.io.File;
-import java.lang.reflect.Constructor;
-import java.lang.reflect.Field;
-import java.lang.reflect.InvocationTargetException;
-import java.lang.reflect.Method;
-import java.util.HashMap;
-import java.util.Map;
-
/**
*
*/
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NewAccountAuthorizationRequestToken.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NewAccountAuthorizationRequestToken.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NewAccountAuthorizationRequestToken.java
new file mode 100644
index 0000000..693d420
--- /dev/null
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NewAccountAuthorizationRequestToken.java
@@ -0,0 +1,40 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.token;
+
+import org.apache.nifi.web.security.user.NewAccountRequest;
+
+/**
+ * An authentication token that is used as an authorization request when submitting a new account.
+ */
+public class NewAccountAuthorizationRequestToken extends NiFiAuthorizationRequestToken {
+
+ final NewAccountRequest newAccountRequest;
+
+ public NewAccountAuthorizationRequestToken(final NewAccountRequest newAccountRequest) {
+ super(newAccountRequest.getChain());
+ this.newAccountRequest = newAccountRequest;
+ }
+
+ public String getJustification() {
+ return newAccountRequest.getJustification();
+ }
+
+ public NewAccountRequest getNewAccountRequest() {
+ return newAccountRequest;
+ }
+}
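Review bot: `newAccountRequest` is dereferenced in the constructor, `super(newAccountRequest.getChain());`, before anything checks it, so a null argument fails with a bare NullPointerException from inside the super call; `super(Objects.requireNonNull(newAccountRequest, "newAccountRequest").getChain());` (with `java.util.Objects` imported) gives a clearer failure. The field `final NewAccountRequest newAccountRequest;` is package-private for no visible reason; `private final` would match the `chain` field of NiFiAuthorizationRequestToken added by the same commit. The constructor and the two accessors carry no Javadoc; a one-line `@param newAccountRequest the pending account request whose identity chain is to be authorized; must not be null` on the constructor would do.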
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NewAccountAuthorizationToken.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NewAccountAuthorizationToken.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NewAccountAuthorizationToken.java
new file mode 100644
index 0000000..de0fde6
--- /dev/null
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NewAccountAuthorizationToken.java
@@ -0,0 +1,46 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.token;
+
+import org.apache.nifi.web.security.user.NewAccountRequest;
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+
+/**
+ * This is an Authentication Token for a user that has been authenticated but is not authorized to access the NiFi APIs. Typically, this authentication token is used successfully when requesting a
+ * NiFi account. Requesting any other endpoint would be rejected due to lack of roles.
+ */
+public class NewAccountAuthorizationToken extends AbstractAuthenticationToken {
+
+ final NewAccountRequest newAccountRequest;
+
+ public NewAccountAuthorizationToken(final NewAccountRequest newAccountRequest) {
+ super(null);
+ super.setAuthenticated(true);
+ this.newAccountRequest = newAccountRequest;
+ }
+
+ @Override
+ public Object getCredentials() {
+ return null;
+ }
+
+ @Override
+ public Object getPrincipal() {
+ return newAccountRequest;
+ }
+
+}
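Review bot: The constructor marks the token authenticated with `super.setAuthenticated(true);`, but unlike NiFiAuthorizationRequestToken in this same commit the class does not seal `setAuthenticated`, so any holder of the token can later flip the flag. If the state is meant to be fixed at construction, add `@Override public final void setAuthenticated(boolean authenticated) { throw new IllegalArgumentException("Cannot change the authenticated state."); }` — the constructor's `super.` call bypasses the override, so it keeps working. The field `final NewAccountRequest newAccountRequest;` should be `private final` as well; nothing in the class needs package access to it.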
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthenticationToken.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthenticationToken.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthenticationToken.java
deleted file mode 100644
index f7964f5..0000000
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthenticationToken.java
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.web.security.token;
-
-import org.springframework.security.authentication.AbstractAuthenticationToken;
-import org.springframework.security.core.userdetails.UserDetails;
-
-/**
- * An authentication token that represents an Authenticated and Authorized user of the NiFi Apis. The authorities are based off the specified UserDetails.
- */
-public class NiFiAuthenticationToken extends AbstractAuthenticationToken {
-
- final UserDetails nifiUserDetails;
-
- public NiFiAuthenticationToken(final UserDetails nifiUserDetails) {
- super(nifiUserDetails.getAuthorities());
- super.setAuthenticated(true);
- setDetails(nifiUserDetails);
- this.nifiUserDetails = nifiUserDetails;
- }
-
- @Override
- public Object getCredentials() {
- return nifiUserDetails.getPassword();
- }
-
- @Override
- public Object getPrincipal() {
- return nifiUserDetails;
- }
-
- @Override
- public final void setAuthenticated(boolean authenticated) {
- throw new IllegalArgumentException("Cannot change the authenticated state.");
- }
-}
http://git-wip-us.apache.org/repos/asf/nifi/blob/3f4ac315/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthorizationRequestToken.java
----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthorizationRequestToken.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthorizationRequestToken.java
new file mode 100644
index 0000000..c20aaf3
--- /dev/null
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthorizationRequestToken.java
@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.token;
+
+import java.util.Collections;
+import java.util.List;
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+
+/**
+ * An authentication token that is used as an authorization request. The request has already been authenticated and is now going to be authorized.
+ * The request chain is specified during creation and is used authorize the user(s).
+ */
+public class NiFiAuthorizationRequestToken extends AbstractAuthenticationToken {
+
+ private final List<String> chain;
+
+ public NiFiAuthorizationRequestToken(final List<String> chain) {
+ super(null);
+ this.chain = chain;
+ }
+
+ @Override
+ public Object getCredentials() {
+ return null;
+ }
+
+ @Override
+ public Object getPrincipal() {
+ return chain;
+ }
+
+ public List<String> getChain() {
+ return Collections.unmodifiableList(chain);
+ }
+
+ @Override
+ public final void setAuthenticated(boolean authenticated) {
+ throw new IllegalArgumentException("Cannot change the authenticated state.");
+ }
+}
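Review bot: `getChain()` hands out `Collections.unmodifiableList(chain)`, but `getPrincipal()` returns the raw `chain` list, so the read-only wrapper is bypassed by any caller that goes through the principal, and the constructor stores the caller's list directly, so later mutation by the caller changes the chain the token reports. Storing an unmodifiable snapshot once, `this.chain = Collections.unmodifiableList(new ArrayList<>(chain));` (with `java.util.ArrayList` imported), and returning `chain` from both accessors closes both gaps. The constructor also never calls `super.setAuthenticated(true)` while `setAuthenticated` is sealed to throw, so `isAuthenticated()` presumably stays at the base class's default even though the Javadoc says the request "has already been authenticated"; a comment stating the intended value would help the next reader. The class Javadoc also has a typo: "is used authorize" should read "is used to authorize".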