This is an automated email from the ASF dual-hosted git repository.

exceptionfactory pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git


The following commit(s) were added to refs/heads/main by this push:
     new e1697a8  NIFI-8510 - Added a more specific CSRF cookie request matcher 
to avoid issues with CSRF 403 response.
e1697a8 is described below

commit e1697a8d5874b3a2e15b4cafee05cc60465f97a1
Author: Nathan Gough <[email protected]>
AuthorDate: Mon May 3 12:43:56 2021 -0400

    NIFI-8510 - Added a more specific CSRF cookie request matcher to avoid 
issues with CSRF 403 response.
    
    This closes #5050
    
    Signed-off-by: David Handermann <[email protected]>
---
 .../apache/nifi/web/CsrfCookieRequestMatcher.java  | 40 ++++++++++++++++++++++
 .../nifi/web/NiFiWebApiSecurityConfiguration.java  |  3 +-
 2 files changed, 41 insertions(+), 2 deletions(-)

diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/CsrfCookieRequestMatcher.java
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/CsrfCookieRequestMatcher.java
new file mode 100644
index 0000000..a10dbf3
--- /dev/null
+++ 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/CsrfCookieRequestMatcher.java
@@ -0,0 +1,40 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web;
+
+import org.apache.nifi.web.security.jwt.NiFiBearerTokenResolver;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.web.util.WebUtils;
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * Request Matcher checks for the existence of a cookie with the configured 
name
+ */
+public class CsrfCookieRequestMatcher implements RequestMatcher {
+    private static final String DEFAULT_CSRF_COOKIE_NAME = 
NiFiBearerTokenResolver.JWT_COOKIE_NAME;
+
+    /**
+     * Matches request based on the presence of a cookie found using the 
configured name
+     *
+     * @param httpServletRequest HTTP Servlet Request
+     * @return Request matching status
+     */
+    @Override
+    public boolean matches(final HttpServletRequest httpServletRequest) {
+        return WebUtils.getCookie(httpServletRequest, 
DEFAULT_CSRF_COOKIE_NAME) != null;
+    }
+}
\ No newline at end of file
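Review bot: The Javadoc on the class and on matches() both speak of a "configured name", but the cookie name is the fixed constant DEFAULT_CSRF_COOKIE_NAME = NiFiBearerTokenResolver.JWT_COOKIE_NAME with no setter or constructor to change it, so either the doc should be reworded or the name should become a constructor argument with this constant as the default. A doc-only fix would read `Request Matcher that matches when the request carries the JWT cookie named by {@link NiFiBearerTokenResolver#JWT_COOKIE_NAME}`, and the constant would be clearer without the `DEFAULT_` prefix while nothing can override it. It would also help a reader to record why this cookie is what selects CSRF enforcement, e.g. `// A browser attaches this cookie to cross-site requests automatically, so only requests bearing it need a CSRF token` — presumably the intent, worth confirming against the JWT resolver. Minor: the class can be `final`, and the file lacks a trailing newline.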
diff --git 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java
 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java
index cf1e525..ceaa256 100644
--- 
a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java
+++ 
b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java
@@ -48,7 +48,6 @@ import 
org.springframework.security.web.authentication.AnonymousAuthenticationFi
 import 
org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;
 import org.springframework.security.web.csrf.CsrfFilter;
 import org.springframework.security.web.util.matcher.AndRequestMatcher;
-import 
org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
@@ -130,7 +129,7 @@ public class NiFiWebApiSecurityConfiguration extends 
WebSecurityConfigurerAdapte
                 .rememberMe().disable()
                 .authorizeRequests().anyRequest().fullyAuthenticated().and()
                 
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
-                .csrf().requireCsrfProtectionMatcher(new 
AndRequestMatcher(CsrfFilter.DEFAULT_CSRF_MATCHER, new 
RequestHeaderRequestMatcher("Cookie"))).csrfTokenRepository(csrfRepository);
+                .csrf().requireCsrfProtectionMatcher(new 
AndRequestMatcher(CsrfFilter.DEFAULT_CSRF_MATCHER, new 
CsrfCookieRequestMatcher())).csrfTokenRepository(csrfRepository);
 
         // x509
         http.addFilterBefore(x509FilterBean(), 
AnonymousAuthenticationFilter.class);
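Review bot: The new matcher narrows CSRF enforcement from "any request with a Cookie header" to "requests carrying the JWT cookie", and that trade-off is not recorded near the csrf() call; a comment would keep a later maintainer from widening or narrowing it by accident, e.g. `// CSRF checks apply only to requests outside GET/HEAD/TRACE/OPTIONS that carry the JWT cookie; header-authenticated (Bearer) requests are exempt`. One consequence worth confirming is that if any other cookie-borne credential is accepted by this filter chain (the hunk does not show whether one exists), requests using it now skip CSRF validation, whereas the removed RequestHeaderRequestMatcher("Cookie") still covered them. Stylistically the single chained line is long enough that the mailer wrapped it, so putting `.csrf()`, `.requireCsrfProtectionMatcher(...)` and `.csrfTokenRepository(csrfRepository)` on separate lines would match the `.rememberMe()` / `.authorizeRequests()` formatting above it. The enclosing method starts above this hunk and continues below it.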
