Repository: nifi
Updated Branches:
  refs/heads/NIFI-655 7799deeaa -> 221459286


NIFI-655:
- Extracting certificate validation into a utility class.
- Fixing checkstyle issues.
- Cleaning up the web security context.
- Removing proxy chain checking where possible.

Project: http://git-wip-us.apache.org/repos/asf/nifi/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/22145928
Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/22145928
Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/22145928

Branch: refs/heads/NIFI-655
Commit: 2214592865da1eda532e6a312b8ab9bf986d7aa3
Parents: 7799dee
Author: Matt Gilman <[email protected]>
Authored: Wed Nov 4 09:07:27 2015 -0500
Committer: Matt Gilman <[email protected]>
Committed: Wed Nov 4 09:07:27 2015 -0500

----------------------------------------------------------------------
 .../web/NiFiWebApiSecurityConfiguration.java    | 20 ++++--
 .../web/security/RegistrationStatusFilter.java  | 48 +++++++++++---
 .../form/LoginAuthenticationFilter.java         | 52 ++++++++++-----
 .../security/jwt/JwtAuthenticationFilter.java   | 43 +------------
 .../nifi/web/security/jwt/JwtService.java       | 10 +--
 .../security/x509/X509AuthenticationFilter.java | 13 +---
 .../security/x509/X509CertificateValidator.java | 60 +++++++++++++++++
 .../resources/nifi-web-security-context.xml     | 68 +++-----------------
 8 files changed, 169 insertions(+), 145 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/nifi/blob/22145928/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java
----------------------------------------------------------------------
diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java
index 649f412..732c30e 100644
--- 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java
+++ 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java
@@ -30,7 +30,7 @@ import org.apache.nifi.web.security.jwt.JwtService;
 import org.apache.nifi.web.security.node.NodeAuthorizedUserFilter;
 import org.apache.nifi.web.security.x509.X509AuthenticationFilter;
 import org.apache.nifi.web.security.x509.X509CertificateExtractor;
-import org.apache.nifi.web.security.x509.ocsp.OcspCertificateValidator;
+import org.apache.nifi.web.security.x509.X509CertificateValidator;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -60,6 +60,7 @@ public class NiFiWebApiSecurityConfiguration extends 
WebSecurityConfigurerAdapte
     private UserService userService;
     private AuthenticationUserDetailsService userDetailsService;
     private JwtService jwtService;
+    private X509CertificateValidator certificateValidator;
     private X509CertificateExtractor certificateExtractor;
     private X509PrincipalExtractor principalExtractor;
     private LoginIdentityProvider loginIdentityProvider;
@@ -96,7 +97,7 @@ public class NiFiWebApiSecurityConfiguration extends 
WebSecurityConfigurerAdapte
                 http.addFilterBefore(buildRegistrationFilter("/registration"), 
UsernamePasswordAuthenticationFilter.class);
             }
         }
-        
+
         // registration status - will check the status of a user's account 
registration (regardless if its based on login or not)
         
http.addFilterBefore(buildRegistrationStatusFilter("/registration/status"), 
UsernamePasswordAuthenticationFilter.class);
 
@@ -130,19 +131,21 @@ public class NiFiWebApiSecurityConfiguration extends 
WebSecurityConfigurerAdapte
         loginFilter.setJwtService(jwtService);
         loginFilter.setLoginIdentityProvider(loginIdentityProvider);
         loginFilter.setUserDetailsService(userDetailsService);
-        loginFilter.setPrincipalExtractor(principalExtractor);
         loginFilter.setCertificateExtractor(certificateExtractor);
+        loginFilter.setPrincipalExtractor(principalExtractor);
+        loginFilter.setCertificateValidator(certificateValidator);
         return loginFilter;
     }
 
     private Filter buildRegistrationFilter(final String url) {
         return null;
     }
-    
+
     private Filter buildRegistrationStatusFilter(final String url) {
         final RegistrationStatusFilter registrationFilter = new 
RegistrationStatusFilter(url);
         registrationFilter.setCertificateExtractor(certificateExtractor);
         registrationFilter.setPrincipalExtractor(principalExtractor);
+        registrationFilter.setCertificateValidator(certificateValidator);
         registrationFilter.setProperties(properties);
         registrationFilter.setUserDetailsService(userDetailsService);
         return registrationFilter;
@@ -156,8 +159,6 @@ public class NiFiWebApiSecurityConfiguration extends 
WebSecurityConfigurerAdapte
         final JwtAuthenticationFilter jwtFilter = new 
JwtAuthenticationFilter();
         jwtFilter.setProperties(properties);
         jwtFilter.setJwtService(jwtService);
-        jwtFilter.setCertificateExtractor(certificateExtractor);
-        jwtFilter.setPrincipalExtractor(principalExtractor);
         jwtFilter.setAuthenticationManager(authenticationManager());
         return jwtFilter;
     }
@@ -167,7 +168,7 @@ public class NiFiWebApiSecurityConfiguration extends 
WebSecurityConfigurerAdapte
         x509Filter.setProperties(properties);
         x509Filter.setPrincipalExtractor(principalExtractor);
         x509Filter.setCertificateExtractor(certificateExtractor);
-        x509Filter.setCertificateValidator(new 
OcspCertificateValidator(properties));
+        x509Filter.setCertificateValidator(certificateValidator);
         x509Filter.setAuthenticationManager(authenticationManager());
         return x509Filter;
     }
@@ -204,6 +205,11 @@ public class NiFiWebApiSecurityConfiguration extends 
WebSecurityConfigurerAdapte
     }
 
     @Autowired
+    public void setCertificateValidator(X509CertificateValidator 
certificateValidator) {
+        this.certificateValidator = certificateValidator;
+    }
+
+    @Autowired
     public void setCertificateExtractor(X509CertificateExtractor 
certificateExtractor) {
         this.certificateExtractor = certificateExtractor;
     }
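Review bot: The new `@Autowired setCertificateValidator` makes context startup depend on an `X509CertificateValidator` bean whose `ocspValidator` property is also populated, replacing the explicit `new OcspCertificateValidator(properties)` that the x509 filter hunk in this commit removes. The nifi-web-security-context.xml hunk is truncated in this view, so I cannot confirm that bean (and its OCSP property) is declared there; if it is not, the validator is injected with a null `ocspValidator` and every certificate-authenticated request fails closed with an unhelpful log line. A one-line comment on the setter, e.g. `// bean is declared in nifi-web-security-context.xml and must carry the ocspValidator property`, would point the next maintainer at the wiring. The enclosing class continues outside the hunk.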

http://git-wip-us.apache.org/repos/asf/nifi/blob/22145928/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/RegistrationStatusFilter.java
----------------------------------------------------------------------
diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/RegistrationStatusFilter.java
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/RegistrationStatusFilter.java
index d2ffdc2..6a9e6ab 100644
--- 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/RegistrationStatusFilter.java
+++ 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/RegistrationStatusFilter.java
@@ -18,8 +18,9 @@ package org.apache.nifi.web.security;
 
 import java.io.IOException;
 import java.io.PrintWriter;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
 import java.security.cert.X509Certificate;
-import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 import javax.servlet.FilterChain;
@@ -31,6 +32,7 @@ import org.apache.nifi.util.NiFiProperties;
 import org.apache.nifi.util.StringUtils;
 import org.apache.nifi.web.security.token.NiFiAuthenticationRequestToken;
 import org.apache.nifi.web.security.x509.X509CertificateExtractor;
+import org.apache.nifi.web.security.x509.X509CertificateValidator;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
@@ -53,6 +55,7 @@ public class RegistrationStatusFilter extends 
AbstractAuthenticationProcessingFi
 
     private NiFiProperties properties;
     private AuthenticationUserDetailsService<NiFiAuthenticationRequestToken> 
userDetailsService;
+    private X509CertificateValidator certificateValidator;
     private X509CertificateExtractor certificateExtractor;
     private X509PrincipalExtractor principalExtractor;
 
@@ -72,29 +75,54 @@ public class RegistrationStatusFilter extends 
AbstractAuthenticationProcessingFi
 
         // look for a certificate
         final X509Certificate certificate = 
certificateExtractor.extractClientCertificate(request);
-        
+
         // if no certificate, just check the credentials
         if (certificate == null) {
             final LoginCredentials credentials = getLoginCredentials(request);
-            
+
             // ensure we have something we can work with (certificate or 
crendentials)
             if (credentials == null) {
                 throw new BadCredentialsException("Unable to check 
registration status as no credentials were included with the request.");
             }
-            
+
             // without a certificate, this is not a proxied request
             final List<String> chain = 
Arrays.asList(credentials.getUsername());
-            
+
             // check authorization for this user
             checkAuthorization(chain);
-            
+
             // no issues with authorization
             return new RegistrationStatusAuthenticationToken(credentials);
         } else {
-            // TODO - certificate validation
-            
             // we have a certificate so let's consider a proxy chain
             final String principal = extractPrincipal(certificate);
+
+            try {
+                // validate the certificate
+                certificateValidator.validateClientCertificate(request, 
certificate);
+            } catch (CertificateExpiredException cee) {
+                final String message = String.format("Client certificate for 
(%s) is expired.", principal);
+                logger.info(message, cee);
+                if (logger.isDebugEnabled()) {
+                    logger.debug("", cee);
+                }
+                return null;
+            } catch (CertificateNotYetValidException cnyve) {
+                final String message = String.format("Client certificate for 
(%s) is not yet valid.", principal);
+                logger.info(message, cnyve);
+                if (logger.isDebugEnabled()) {
+                    logger.debug("", cnyve);
+                }
+                return null;
+            } catch (final Exception e) {
+                logger.info(e.getMessage());
+                if (logger.isDebugEnabled()) {
+                    logger.debug("", e);
+                }
+                return null;
+            }
+
+            // ensure the proxy chain is authorized
             checkAuthorization(ProxiedEntitiesUtils.buildProxyChain(request, 
principal));
 
             // no issues with authorization
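Review bot: A rejected certificate returns `null` from the three new catch blocks while a missing credential a few lines earlier throws `BadCredentialsException`, so the two failure paths are reported differently; in `AbstractAuthenticationProcessingFilter` a null result ends the request without calling `unsuccessfulAuthentication`, which (unless an override outside this hunk changes it) means an expired or revoked certificate produces no explicit error response. Throwing the same exception type, with the cause attached, keeps the behaviour uniform and preserves the stack trace for the handler. The `logger.info(message, cee)` calls already emit the stack trace at INFO, so the following `logger.debug("", cee)` repeats it, and the catch-all's `logger.info(e.getMessage())` prints `null` for exceptions such as an NPE from an unset validator. The enclosing method starts and ends outside this hunk.
```java
            try {
                // validate the certificate (validity period and OCSP status)
                certificateValidator.validateClientCertificate(request, certificate);
            } catch (final CertificateExpiredException cee) {
                throw new BadCredentialsException(String.format("Client certificate for (%s) is expired.", principal), cee);
            } catch (final CertificateNotYetValidException cnyve) {
                throw new BadCredentialsException(String.format("Client certificate for (%s) is not yet valid.", principal), cnyve);
            } catch (final Exception e) {
                throw new BadCredentialsException(String.format("Client certificate for (%s) failed validation: %s", principal, e), e);
            }
            // … unchanged: proxy chain authorization and token construction …
```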
@@ -210,6 +238,10 @@ public class RegistrationStatusFilter extends 
AbstractAuthenticationProcessingFi
         }
     }
 
+    public void setCertificateValidator(X509CertificateValidator 
certificateValidator) {
+        this.certificateValidator = certificateValidator;
+    }
+
     public void setCertificateExtractor(X509CertificateExtractor 
certificateExtractor) {
         this.certificateExtractor = certificateExtractor;
     }

http://git-wip-us.apache.org/repos/asf/nifi/blob/22145928/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/form/LoginAuthenticationFilter.java
----------------------------------------------------------------------
diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/form/LoginAuthenticationFilter.java
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/form/LoginAuthenticationFilter.java
index c2ceb49..46e5b42 100644
--- 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/form/LoginAuthenticationFilter.java
+++ 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/form/LoginAuthenticationFilter.java
@@ -18,6 +18,8 @@ package org.apache.nifi.web.security.form;
 
 import java.io.IOException;
 import java.io.PrintWriter;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
 import java.security.cert.X509Certificate;
 import java.util.List;
 import javax.servlet.FilterChain;
@@ -31,6 +33,7 @@ import org.apache.nifi.web.security.ProxiedEntitiesUtils;
 import org.apache.nifi.web.security.jwt.JwtService;
 import org.apache.nifi.web.security.token.NiFiAuthenticationRequestToken;
 import org.apache.nifi.web.security.x509.X509CertificateExtractor;
+import org.apache.nifi.web.security.x509.X509CertificateValidator;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
@@ -52,6 +55,7 @@ public class LoginAuthenticationFilter extends 
AbstractAuthenticationProcessingF
 
     private AuthenticationUserDetailsService<NiFiAuthenticationRequestToken> 
userDetailsService;
 
+    private X509CertificateValidator certificateValidator;
     private X509CertificateExtractor certificateExtractor;
     private X509PrincipalExtractor principalExtractor;
 
@@ -61,7 +65,7 @@ public class LoginAuthenticationFilter extends 
AbstractAuthenticationProcessingF
     public LoginAuthenticationFilter(final String defaultFilterProcessesUrl) {
         super(defaultFilterProcessesUrl);
 
-        // do not continue filter chain... simply exchaning authentication for 
token
+        // do not continue filter chain... simply exchanging authentication 
for token
         setContinueChainBeforeSuccessfulAuthentication(false);
     }
 
@@ -83,28 +87,40 @@ public class LoginAuthenticationFilter extends 
AbstractAuthenticationProcessingF
             if (certificate == null) {
                 throw new PreAuthenticatedCredentialsNotFoundException("Unable 
to extract client certificate after processing request with no login 
credentials specified.");
             }
-            
-            // TODO - certificate validation
 
-            // authorize the proxy if necessary
+            // extract the principal
             final String principal = extractPrincipal(certificate);
+
+            try {
+                certificateValidator.validateClientCertificate(request, 
certificate);
+            } catch (CertificateExpiredException cee) {
+                final String message = String.format("Client certificate for 
(%s) is expired.", principal);
+                logger.info(message, cee);
+                if (logger.isDebugEnabled()) {
+                    logger.debug("", cee);
+                }
+                return null;
+            } catch (CertificateNotYetValidException cnyve) {
+                final String message = String.format("Client certificate for 
(%s) is not yet valid.", principal);
+                logger.info(message, cnyve);
+                if (logger.isDebugEnabled()) {
+                    logger.debug("", cnyve);
+                }
+                return null;
+            } catch (final Exception e) {
+                logger.info(e.getMessage());
+                if (logger.isDebugEnabled()) {
+                    logger.debug("", e);
+                }
+                return null;
+            }
+
+            // authorize the proxy if necessary
             
authorizeProxyIfNecessary(ProxiedEntitiesUtils.buildProxyChain(request, 
principal));
 
             final LoginCredentials preAuthenticatedCredentials = new 
LoginCredentials(principal, null);
             return new LoginAuthenticationToken(preAuthenticatedCredentials);
         } else {
-            // look for a certificate
-            final X509Certificate certificate = 
certificateExtractor.extractClientCertificate(request);
-
-            // if there was a certificate with this request see if it was 
proxying an end user request
-            if (certificate != null) {
-                // TODO - certificate validation
-                
-                // authorize the proxy if necessary
-                final String principal = extractPrincipal(certificate);
-                
authorizeProxyIfNecessary(ProxiedEntitiesUtils.buildProxyChain(request, 
principal));
-            }
-
             if (loginIdentityProvider.authenticate(credentials)) {
                 return new LoginAuthenticationToken(credentials);
             } else {
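Review bot: The certificate branch signals failure inconsistently: no certificate throws `PreAuthenticatedCredentialsNotFoundException` at the top of the branch, but an expired, not-yet-valid or OCSP-rejected certificate returns `null`, which in `AbstractAuthenticationProcessingFilter` skips `unsuccessfulAuthentication` entirely (unless an override outside this hunk handles it). Replacing each `return null;` with `throw new BadCredentialsException(message, cee);` (and the equivalents for `cnyve` and `e`) keeps every rejection on the same path and retains the cause. Since `logger.info(message, cee)` already logs the stack trace, the extra `logger.debug("", cee)` calls are redundant, and the catch-all's `logger.info(e.getMessage())` should at least use `e.toString()` so a null-message exception is not logged as "null". The `else` branch now ignores any client certificate when credentials are present; a comment such as `// credentials take precedence; a client certificate on this request is intentionally not consulted` would record that this is deliberate. The enclosing method starts and ends outside this hunk.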
@@ -206,6 +222,10 @@ public class LoginAuthenticationFilter extends 
AbstractAuthenticationProcessingF
         this.loginIdentityProvider = loginIdentityProvider;
     }
 
+    public void setCertificateValidator(X509CertificateValidator 
certificateValidator) {
+        this.certificateValidator = certificateValidator;
+    }
+
     public void setCertificateExtractor(X509CertificateExtractor 
certificateExtractor) {
         this.certificateExtractor = certificateExtractor;
     }

http://git-wip-us.apache.org/repos/asf/nifi/blob/22145928/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java
----------------------------------------------------------------------
diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java
index b02a2a3..22d9104 100644
--- 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java
+++ 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java
@@ -16,22 +16,16 @@
  */
 package org.apache.nifi.web.security.jwt;
 
-import java.security.cert.X509Certificate;
 import java.util.Arrays;
-import java.util.List;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.apache.nifi.web.security.NiFiAuthenticationFilter;
-import org.apache.nifi.web.security.ProxiedEntitiesUtils;
 import org.apache.nifi.web.security.token.NewAccountAuthenticationRequestToken;
 import org.apache.nifi.web.security.token.NiFiAuthenticationRequestToken;
 import org.apache.nifi.web.security.user.NewAccountRequest;
-import org.apache.nifi.web.security.x509.X509CertificateExtractor;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.core.Authentication;
-import 
org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;
 
 /**
  */
@@ -39,8 +33,6 @@ public class JwtAuthenticationFilter extends 
NiFiAuthenticationFilter {
 
     private static final Logger logger = 
LoggerFactory.getLogger(JwtAuthenticationFilter.class);
 
-    private X509CertificateExtractor certificateExtractor;
-    private X509PrincipalExtractor principalExtractor;
     private JwtService jwtService;
 
     @Override
@@ -56,33 +48,10 @@ public class JwtAuthenticationFilter extends 
NiFiAuthenticationFilter {
             return null;
         }
 
-        // look for a certificate
-        final X509Certificate certificate = 
certificateExtractor.extractClientCertificate(request);
-
-        final List<String> chain;
-        if (certificate == null) {
-            // without a certificate, this is not a proxied request
-            chain = Arrays.asList(jwtPrincipal);
-        } else {
-            // TODO - certificate validation
-
-            // extract the principal
-            Object certificatePrincipal = 
principalExtractor.extractPrincipal(certificate);
-            final String principal = 
ProxiedEntitiesUtils.formatProxyDn(certificatePrincipal.toString());
-
-            // get the proxy chain and verify the principal is found
-            chain = ProxiedEntitiesUtils.buildProxyChain(request, principal);
-
-            // ensure the chain contains the jwt principal
-            if (!chain.contains(jwtPrincipal)) {
-                throw new BadCredentialsException("Principal in user token not 
found in the proxy chain.");
-            }
-        }
-
         if (isNewAccountRequest(request)) {
-            return new NewAccountAuthenticationRequestToken(new 
NewAccountRequest(chain, getJustification(request)));
+            return new NewAccountAuthenticationRequestToken(new 
NewAccountRequest(Arrays.asList(jwtPrincipal), getJustification(request)));
         } else {
-            return new NiFiAuthenticationRequestToken(chain);
+            return new 
NiFiAuthenticationRequestToken(Arrays.asList(jwtPrincipal));
         }
     }
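Review bot: With the certificate cross-check removed, the only thing standing between an `Authorization: Bearer` header and an authenticated identity on this path is `jwtService.getAuthentication(request)`, which in this same commit still carries a `TODO : actually extract/verify token` and returns the header's last token unverified; previously a proxied request also had to present a certificate whose chain contained the JWT principal. That is presumably acceptable on a work-in-progress branch, but the dependency should be stated in the filter so it is not lost when the token work lands, e.g. `// the JWT principal is trusted as-is here; signature and expiry verification is JwtService's responsibility`. The enclosing method starts outside this hunk.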
 
@@ -90,12 +59,4 @@ public class JwtAuthenticationFilter extends 
NiFiAuthenticationFilter {
         this.jwtService = jwtService;
     }
 
-    public void setCertificateExtractor(X509CertificateExtractor 
certificateExtractor) {
-        this.certificateExtractor = certificateExtractor;
-    }
-
-    public void setPrincipalExtractor(X509PrincipalExtractor 
principalExtractor) {
-        this.principalExtractor = principalExtractor;
-    }
-
 }

http://git-wip-us.apache.org/repos/asf/nifi/blob/22145928/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtService.java
----------------------------------------------------------------------
diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtService.java
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtService.java
index 1ff67df..1b4f41f 100644
--- 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtService.java
+++ 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtService.java
@@ -25,9 +25,9 @@ import org.springframework.security.core.Authentication;
  *
  */
 public class JwtService {
-    
+
     private final static String AUTHORIZATION = "Authorization";
-    
+
     /**
      * Gets the Authentication by extracting a JWT token from the specified 
request.
      *
@@ -36,7 +36,7 @@ public class JwtService {
      */
     public String getAuthentication(final HttpServletRequest request) {
         // TODO : actually extract/verify token
-        
+
         // extract/verify token from incoming request
         final String authorization = request.getHeader(AUTHORIZATION);
         final String username = StringUtils.substringAfterLast(authorization, 
" ");
@@ -51,10 +51,10 @@ public class JwtService {
      */
     public void addToken(final HttpServletResponse response, final 
Authentication authentication) {
         // TODO : actually create real token
-        
+
         // create a token the specified authentication
         String token = authentication.getName();
-        
+
         // add the token as a response header
         response.setHeader(AUTHORIZATION, "Bearer " + token);
     }

http://git-wip-us.apache.org/repos/asf/nifi/blob/22145928/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationFilter.java
----------------------------------------------------------------------
diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationFilter.java
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationFilter.java
index a52afcc..f84231f 100644
--- 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationFilter.java
+++ 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationFilter.java
@@ -16,7 +16,6 @@
  */
 package org.apache.nifi.web.security.x509;
 
-import org.apache.nifi.web.security.x509.ocsp.OcspCertificateValidator;
 import java.security.cert.CertificateExpiredException;
 import java.security.cert.CertificateNotYetValidException;
 import java.security.cert.X509Certificate;
@@ -42,7 +41,7 @@ public class X509AuthenticationFilter extends 
NiFiAuthenticationFilter {
 
     private X509PrincipalExtractor principalExtractor;
     private X509CertificateExtractor certificateExtractor;
-    private OcspCertificateValidator certificateValidator;
+    private X509CertificateValidator certificateValidator;
 
     @Override
     public Authentication attemptAuthentication(HttpServletRequest request, 
HttpServletResponse response) {
@@ -64,8 +63,7 @@ public class X509AuthenticationFilter extends 
NiFiAuthenticationFilter {
         final String principal = 
ProxiedEntitiesUtils.formatProxyDn(certificatePrincipal.toString());
 
         try {
-            // ensure the cert is valid
-            certificate.checkValidity();
+            certificateValidator.validateClientCertificate(request, 
certificate);
         } catch (CertificateExpiredException cee) {
             final String message = String.format("Client certificate for (%s) 
is expired.", principal);
             logger.info(message, cee);
@@ -80,11 +78,6 @@ public class X509AuthenticationFilter extends 
NiFiAuthenticationFilter {
                 logger.debug("", cnyve);
             }
             return null;
-        }
-
-        // validate the certificate in question
-        try {
-            certificateValidator.validate(request);
         } catch (final Exception e) {
             logger.info(e.getMessage());
             if (logger.isDebugEnabled()) {
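Review bot: Merging the OCSP call into the first `try` means a `CertificateStatusException` (the revoked case) now lands in the generic `catch (final Exception e)`, which logs only `e.getMessage()` — unlike the expired and not-yet-valid branches it omits the principal, and for a NullPointerException from an un-injected validator it prints "null". Logging `logger.info("Client certificate for ({}) failed validation: {}", principal, e.toString());` keeps the three rejection log lines comparable and avoids the null message. The enclosing method starts outside this hunk.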
@@ -102,7 +95,7 @@ public class X509AuthenticationFilter extends 
NiFiAuthenticationFilter {
     }
 
     /* setters */
-    public void setCertificateValidator(OcspCertificateValidator 
certificateValidator) {
+    public void setCertificateValidator(X509CertificateValidator 
certificateValidator) {
         this.certificateValidator = certificateValidator;
     }
 

http://git-wip-us.apache.org/repos/asf/nifi/blob/22145928/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509CertificateValidator.java
----------------------------------------------------------------------
diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509CertificateValidator.java
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509CertificateValidator.java
new file mode 100644
index 0000000..06b5148
--- /dev/null
+++ 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509CertificateValidator.java
@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security.x509;
+
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.X509Certificate;
+import javax.servlet.http.HttpServletRequest;
+import org.apache.nifi.web.security.x509.ocsp.CertificateStatusException;
+import org.apache.nifi.web.security.x509.ocsp.OcspCertificateValidator;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Extracts client certificates from Http requests.
+ */
+public class X509CertificateValidator {
+
+    private final Logger logger = LoggerFactory.getLogger(getClass());
+
+    private OcspCertificateValidator ocspValidator;
+
+    /**
+     * Extract the client certificate from the specified HttpServletRequest or 
null if none is specified.
+     *
+     * @param request the request
+     * @param certificate the certificate
+     * @throws java.security.cert.CertificateExpiredException cert is expired
+     * @throws java.security.cert.CertificateNotYetValidException cert is not 
yet valid
+     * @throws 
org.apache.nifi.web.security.x509.ocsp.CertificateStatusException ocsp 
validation issue
+     */
+    public void validateClientCertificate(final HttpServletRequest request, 
final X509Certificate certificate)
+            throws CertificateExpiredException, 
CertificateNotYetValidException, CertificateStatusException {
+
+        // ensure the cert is valid
+        certificate.checkValidity();
+
+        // perform ocsp validator if necessary
+        ocspValidator.validate(request);
+    }
+
+    public void setOcspValidator(OcspCertificateValidator ocspValidator) {
+        this.ocspValidator = ocspValidator;
+    }
+
+}
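Review bot: Both Javadoc comments in the new class describe certificate extraction rather than validation; the class comment should read `Validates a client certificate presented on an HTTP request: its validity period, then its OCSP status.` and the method comment `Checks the certificate's validity period, then runs the configured OCSP validator against the request.` The `ocspValidator` field is set only through a setter and dereferenced unconditionally, so a missing bean wiring surfaces as a NullPointerException that the callers' catch-alls log with a null message; an explicit `if (ocspValidator == null) { throw new IllegalStateException("OCSP validator has not been configured"); }` before the call makes the misconfiguration obvious while still failing closed. Nothing here verifies the chain or trust anchor — presumably the TLS handshake did that before the container exposed the certificate — and the Javadoc should say so, so a future caller does not pass an untrusted certificate here expecting a full validation.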

http://git-wip-us.apache.org/repos/asf/nifi/blob/22145928/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/resources/nifi-web-security-context.xml
----------------------------------------------------------------------
diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/resources/nifi-web-security-context.xml
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/resources/nifi-web-security-context.xml
index 52395c7..45d3ba3 100644
--- 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/resources/nifi-web-security-context.xml
+++ 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/resources/nifi-web-security-context.xml
@@ -17,49 +17,22 @@
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
        xsi:schemaLocation="http://www.springframework.org/schema/beans 
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd";>
 
-<!--    <sec:http create-session="stateless" auto-config="false" 
entry-point-ref="entryPoint">
-        <sec:anonymous enabled="false"/>
-        <sec:custom-filter ref="nodeAuthorizedUserFilter" 
before="PRE_AUTH_FILTER"/>
-        <sec:custom-filter ref="x509Filter" position="PRE_AUTH_FILTER"/>
-        <sec:custom-filter ref="anonymousFilter" position="ANONYMOUS_FILTER"/>
-    </sec:http>-->
-
-    <!-- enable method level security -->
-    <!--<sec:global-method-security pre-post-annotations="enabled"/>-->
-
-    <!--<bean 
class="org.apache.nifi.web.security.NiFiSecurityWebApplicationInitializer"></bean>-->
-
-    <!-- security config -->
-<!--    <bean id="securityConfig" 
class="org.apache.nifi.web.security.NiFiSecurityConfig">
-        <property name="properties" ref="nifiProperties"/>
-        <property name="userDetailsService" ref="userAuthorizationService"/>
-        <property name="authorizedUserFilter" ref="nodeAuthorizedUserFilter"/>
-        <property name="entryPoint" ref="entryPoint"/>
-    </bean>-->
-
-    <!-- entry point reference -->
-    <!--<bean id="entryPoint" 
class="org.apache.nifi.web.security.authentication.NiFiAuthenticationEntryPoint"/>-->
-    
-    <!-- authentication manager -->
-<!--    <sec:authentication-manager alias="authenticationManager">
-        <sec:authentication-provider ref="preauthAuthProvider"/>
-    </sec:authentication-manager>-->
-
-    <!-- pre-authentication provider -->
-<!--    <bean id="preauthAuthProvider" 
class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
-        <property name="preAuthenticatedUserDetailsService">
-            <bean 
class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
-                <property name="userDetailsService" 
ref="userAuthorizationService"/>
-            </bean>
-        </property>
-    </bean>-->
-
     <!-- certificate extractor -->
     <bean id="certificateExtractor" 
class="org.apache.nifi.web.security.x509.X509CertificateExtractor"/>
 
     <!-- principal extractor -->
     <bean id="principalExtractor" 
class="org.apache.nifi.web.security.x509.SubjectDnX509PrincipalExtractor"/>
+    
+    <!-- ocsp validator -->
+    <bean id="ocspValidator" 
class="org.apache.nifi.web.security.x509.ocsp.OcspCertificateValidator">
+        <constructor-arg ref="nifiProperties"/>
+    </bean>
         
+    <!-- x509 validator -->
+    <bean id="x509Validator" 
class="org.apache.nifi.web.security.x509.X509CertificateValidator">
+        <property name="ocspValidator" ref="ocspValidator"/> 
+    </bean>
+    
     <!-- user details service -->
     <bean id="userDetailsService" 
class="org.apache.nifi.web.security.authorization.NiFiAuthorizationService">
         <property name="userService" ref="userService"/>
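Review bot: The new `x509Validator` bean receives its OCSP dependency through an optional setter property, yet X509CertificateValidator.validateClientCertificate (earlier in this commit) calls `ocspValidator.validate(request)` unconditionally, so the `<property name="ocspValidator" ref="ocspValidator"/>` line here is the only thing that makes the revocation check run at all; dropping it would turn every client-certificate validation into a NullPointerException rather than a skipped check. A comment on the bean would make that contract visible to the next person editing this context, e.g. `<!-- x509 validator; the ocspValidator property is required (dereferenced on every validation) -->`. Separately, the two whitespace-only added lines around the ocsp validator block and the trailing space after `ref="ocspValidator"/>` sit oddly with the checkstyle cleanup this commit describes; trimming them keeps the file consistent.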
@@ -74,25 +47,4 @@
         <property name="properties" ref="nifiProperties"/>
     </bean>
     
-    <!-- performs ocsp certificate validation -->
-<!--    <bean id="ocspCertificateValidator" 
class="org.apache.nifi.web.security.x509.ocsp.OcspCertificateValidator">
-        <constructor-arg ref="nifiProperties"/>
-    </bean>-->
-
-    <!-- custom x509 filter for checking for proxied users -->
-<!--    <bean id="x509Filter" 
class="org.apache.nifi.web.security.x509.X509AuthenticationFilter">
-        <property name="certificateValidator" ref="ocspCertificateValidator"/>
-    </bean>-->
-
-    <!-- custom filter for checking for proxied users that are already 
authenticated -->
-<!--    <bean id="nodeAuthorizedUserFilter" 
class="org.apache.nifi.web.security.authorization.NodeAuthorizedUserFilter">
-        <property name="properties" ref="nifiProperties"/>
-    </bean>-->
-
-    <!-- custom anonymous filter to assign default roles based on current 
operating mode -->
-<!--    <bean id="anonymousFilter" 
class="org.apache.nifi.web.security.anonymous.NiFiAnonymousUserFilter">
-        <property name="userService" ref="userService"/>
-        <property name="properties" ref="nifiProperties"/>
-    </bean>-->
-    
 </beans>
