NIFI-655: - Ensuring the access token is not replicated when the user is already authenticated/authorized.
Project: http://git-wip-us.apache.org/repos/asf/nifi/repo Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/a84e505b Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/a84e505b Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/a84e505b Branch: refs/heads/master Commit: a84e505bcd97c79a4c91ed7f34f18988c11bc267 Parents: 99016a8 Author: Matt Gilman <[email protected]> Authored: Mon Nov 30 14:47:30 2015 -0500 Committer: Matt Gilman <[email protected]> Committed: Mon Nov 30 14:47:30 2015 -0500 ---------------------------------------------------------------------- .../src/main/java/org/apache/nifi/web/api/AccessResource.java | 5 ++--- .../main/java/org/apache/nifi/web/api/ApplicationResource.java | 5 +++++ .../apache/nifi/web/security/jwt/JwtAuthenticationFilter.java | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/nifi/blob/a84e505b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java ----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
index f2b23c2..c67a314 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessResource.java
@@ -58,6 +58,7 @@ import org.apache.nifi.web.api.request.ClientIdParameter;
 import org.apache.nifi.web.security.InvalidAuthenticationException;
 import org.apache.nifi.web.security.ProxiedEntitiesUtils;
 import org.apache.nifi.web.security.UntrustedProxyException;
+import org.apache.nifi.web.security.jwt.JwtAuthenticationFilter;
 import org.apache.nifi.web.security.jwt.JwtService;
 import org.apache.nifi.web.security.token.LoginAuthenticationToken;
 import org.apache.nifi.web.security.token.NiFiAuthenticationRequestToken;
@@ -85,8 +86,6 @@ public class AccessResource extends ApplicationResource {
 private static final Logger logger = LoggerFactory.getLogger(AccessResource.class);
- private static final String AUTHORIZATION = "Authorization";
-
 private NiFiProperties properties;
 private LoginIdentityProvider loginIdentityProvider;
@@ -183,7 +182,7 @@ public class AccessResource extends ApplicationResource {
 // if there is not certificate, consider a token
 if (certificates == null) {
 // look for an authorization token
- final String authorization = httpServletRequest.getHeader(AUTHORIZATION);
+ final String authorization = httpServletRequest.getHeader(JwtAuthenticationFilter.AUTHORIZATION);
 // if there is no authorization header, we don't know the user
 if (authorization == null) {
http://git-wip-us.apache.org/repos/asf/nifi/blob/a84e505b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ApplicationResource.java ----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ApplicationResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ApplicationResource.java
index d0c36d4..e4afd05 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ApplicationResource.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ApplicationResource.java
@@ -54,6 +54,7 @@ import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.builder.ReflectionToStringBuilder;
 import org.apache.commons.lang3.builder.ToStringStyle;
 import org.apache.nifi.user.NiFiUser;
+import org.apache.nifi.web.security.jwt.JwtAuthenticationFilter;
 import org.apache.nifi.web.security.user.NiFiUserUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -367,7 +368,11 @@ public abstract class ApplicationResource {
 // add the certificate DN to the proxy chain
 final NiFiUser user = NiFiUserUtils.getNiFiUser();
 if (user != null) {
+ // add the proxied user details
 result.put(PROXIED_ENTITIES_CHAIN_HTTP_HEADER, ProxiedEntitiesUtils.buildProxiedEntitiesChainString(user));
+
+ // remove the access token if present, since the user is already authenticated/authorized
+ result.remove(JwtAuthenticationFilter.AUTHORIZATION);
 }
 // add the user's authorities (if any) to the headers
http://git-wip-us.apache.org/repos/asf/nifi/blob/a84e505b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java ----------------------------------------------------------------------
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java
index 246cbd7..2f18406 100644
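Review bot: In ApplicationResource.java's `@@ -367,7 +368,11 @@` hunk, `result.remove(JwtAuthenticationFilter.AUTHORIZATION)` is an exact-case key lookup, while HTTP header names are case-insensitive. `result` is declared outside the hunk; if it is an ordinary map keyed by the header names as the client sent them, a request carrying the header as `authorization` would keep its token in the replicated headers. Matching the key case-insensitively closes that gap, for example by iterating `result.keySet()` and removing each name for which `JwtAuthenticationFilter.AUTHORIZATION.equalsIgnoreCase(name)` holds. The enclosing method starts and ends outside the hunk, so this should be confirmed against how the map is built.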
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java
@@ -36,7 +36,7 @@ public class JwtAuthenticationFilter extends NiFiAuthenticationFilter {
 private static final Logger logger = LoggerFactory.getLogger(JwtAuthenticationFilter.class);
- private static final String AUTHORIZATION = "Authorization";
+ public static final String AUTHORIZATION = "Authorization";
 private JwtService jwtService;
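Review bot: `AUTHORIZATION` becomes part of JwtAuthenticationFilter's public API here without any Javadoc, and this same commit already makes AccessResource and ApplicationResource in the web-api module depend on it. A one-line comment would record the contract, e.g. `/** Name of the HTTP header that carries the access token; removed from replicated requests once the user is authenticated. */`. If the web-api module has JAX-RS on its classpath (not visible in this diff), `javax.ws.rs.core.HttpHeaders.AUTHORIZATION` would avoid widening the filter's visibility just to share a header name.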
