Posted to commits@nifi.apache.org by bb...@apache.org on 2018/01/30 18:24:39 UTC
nifi-registry git commit: NIFIREG-131 Surface auth failure details
Repository: nifi-registry
Updated Branches:
refs/heads/master f93859a62 -> 754889b5a
NIFIREG-131 Surface auth failure details
Adds logging of root cause for exceptions passed to
AuthenticationEntryPoint.
AuthenticationEntryPoint writes exception message to response body.
This closes #96.
Signed-off-by: Bryan Bende <bb...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/nifi-registry/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi-registry/commit/754889b5
Tree: http://git-wip-us.apache.org/repos/asf/nifi-registry/tree/754889b5
Diff: http://git-wip-us.apache.org/repos/asf/nifi-registry/diff/754889b5
Branch: refs/heads/master
Commit: 754889b5a197155945cdc92147e9c71ca416a434
Parents: f93859a
Author: Kevin Doran <kd...@apache.org>
Authored: Tue Jan 30 11:47:49 2018 -0500
Committer: Bryan Bende <bb...@apache.org>
Committed: Tue Jan 30 13:24:21 2018 -0500
----------------------------------------------------------------------
.../security/NiFiRegistrySecurityConfig.java | 30 +++++++++++++++++---
.../X509IdentityAuthenticationProvider.java | 2 +-
2 files changed, 27 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/754889b5/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/NiFiRegistrySecurityConfig.java
----------------------------------------------------------------------
diff --git a/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/NiFiRegistrySecurityConfig.java b/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/NiFiRegistrySecurityConfig.java
index dc40f3b..9a5d18b 100644
--- a/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/NiFiRegistrySecurityConfig.java
+++ b/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/NiFiRegistrySecurityConfig.java
@@ -21,6 +21,7 @@ import org.apache.nifi.registry.security.authorization.Authorizer;
import org.apache.nifi.registry.web.security.authentication.AnonymousIdentityFilter;
import org.apache.nifi.registry.web.security.authentication.IdentityAuthenticationProvider;
import org.apache.nifi.registry.web.security.authentication.IdentityFilter;
+import org.apache.nifi.registry.web.security.authentication.exception.UntrustedProxyException;
import org.apache.nifi.registry.web.security.authentication.jwt.JwtIdentityProvider;
import org.apache.nifi.registry.web.security.authentication.x509.X509IdentityAuthenticationProvider;
import org.apache.nifi.registry.web.security.authentication.x509.X509IdentityProvider;
@@ -143,7 +144,7 @@ public class NiFiRegistrySecurityConfig extends WebSecurityConfigurerAdapter {
private IdentityAuthenticationProvider jwtAuthenticationProvider() {
if (jwtAuthenticationProvider == null) {
- jwtAuthenticationProvider = new X509IdentityAuthenticationProvider(properties, authorizer, jwtIdentityProvider);
+ jwtAuthenticationProvider = new IdentityAuthenticationProvider(properties, authorizer, jwtIdentityProvider);
}
return jwtAuthenticationProvider;
}
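Review bot: The JWT provider is switched from `X509IdentityAuthenticationProvider` to `IdentityAuthenticationProvider`, which changes the authentication wiring, yet neither the commit message nor the code explains why. Judging from the other file in this commit, the X.509 subclass authorizes proxy identities while building the token, so JWT-authenticated requests presumably no longer pass through that proxy-chain handling. If that is the intent, say so above the assignment, e.g. `// JWT requests use the base provider; X.509 proxy-chain handling must not apply here`, and add a test that pins which provider handles a JWT request. The enclosing class starts outside the hunk.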
@@ -156,9 +157,30 @@ public class NiFiRegistrySecurityConfig extends WebSecurityConfigurerAdapter {
@Override
public void commence(HttpServletRequest request,
HttpServletResponse response,
- AuthenticationException e) throws IOException, ServletException {
- logger.info("AuthenticationEntryPoint invoked as no user identity credentials were found in the request.");
- response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+ AuthenticationException authenticationException)
+ throws IOException, ServletException {
+
+ final int status;
+
+ // See X509IdentityAuthenticationProvider.buildAuthenticatedToken(...)
+ if (authenticationException instanceof UntrustedProxyException) {
+ // return a 403 response
+ status = HttpServletResponse.SC_FORBIDDEN;
+ logger.info("Identity in proxy chain not trusted to act as a proxy: {} Returning 403 response.", authenticationException.toString());
+
+ } else {
+ // return a 401 response
+ status = HttpServletResponse.SC_UNAUTHORIZED;
+ logger.info("Client could not be authenticated due to: {} Returning 401 response.", authenticationException.toString());
+ }
+
+ logger.debug("", authenticationException);
+
+ if (!response.isCommitted()) {
+ response.setStatus(status);
+ response.setContentType("text/plain");
+ response.getWriter().println(String.format("%s Contact the system administrator.", authenticationException.getLocalizedMessage()));
+ }
}
};
}
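Review bot: The `response.getWriter().println(...)` call in `commence` returns `authenticationException.getLocalizedMessage()` to a caller that has not been authenticated, and it does so for every `AuthenticationException` subtype. The project controls the wording of its own messages (such as the `Untrusted proxy [%s].` text touched in this commit), but exceptions raised by other identity providers may carry internal detail that would now reach the client. I would echo the exception text only for types the project words itself and send a fixed sentence otherwise, leaving the full cause in the log: `final String detail = (authenticationException instanceof UntrustedProxyException) ? authenticationException.getLocalizedMessage() : "Unable to authenticate the request.";`. Separately, `logger.debug("", authenticationException)` logs an empty message; `logger.debug("Authentication failure", authenticationException)` would make the stack trace searchable. The method that creates this entry point starts outside the hunk.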
http://git-wip-us.apache.org/repos/asf/nifi-registry/blob/754889b5/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/x509/X509IdentityAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/x509/X509IdentityAuthenticationProvider.java b/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/x509/X509IdentityAuthenticationProvider.java
index d4be5e9..aefdd5b 100644
--- a/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/x509/X509IdentityAuthenticationProvider.java
+++ b/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/x509/X509IdentityAuthenticationProvider.java
@@ -100,7 +100,7 @@ public class X509IdentityAuthenticationProvider extends IdentityAuthenticationPr
try {
PROXY_AUTHORIZABLE.authorize(authorizer, RequestAction.WRITE, proxy);
} catch (final AccessDeniedException e) {
- throw new UntrustedProxyException(String.format("Untrusted proxy %s", identity));
+ throw new UntrustedProxyException(String.format("Untrusted proxy [%s].", identity));
}
}
}