This is an automated email from the ASF dual-hosted git repository.
exceptionfactory pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new c73cc71202 NIFI-14413 Added User Agent to NiFi User Model
c73cc71202 is described below
commit c73cc71202f01d3e4223054824252958b344c8e1
Author: Artur Chyży <[email protected]>
AuthorDate: Thu Apr 3 13:34:42 2025 +0200
NIFI-14413 Added User Agent to NiFi User Model
This closes #9843
Signed-off-by: David Handermann <[email protected]>
---
.../web/security/NiFiAuthenticationFilter.java | 6 ++
.../security/NiFiAuthenticationRequestToken.java | 6 +-
.../web/security/NiFiWebAuthenticationDetails.java | 66 ++++++++++++++++++++++
...ava => NiFiWebAuthenticationDetailsSource.java} | 16 ++----
.../NiFiAnonymousAuthenticationFilter.java | 2 +-
.../NiFiAnonymousAuthenticationProvider.java | 2 +-
.../NiFiAnonymousAuthenticationRequestToken.java | 5 +-
.../AuthenticationSecurityConfiguration.java | 10 ++++
.../JwtAuthenticationSecurityConfiguration.java | 7 ++-
.../SamlAuthenticationSecurityConfiguration.java | 7 ++-
.../X509AuthenticationSecurityConfiguration.java | 7 ++-
.../StandardJwtAuthenticationConverter.java | 3 +-
.../security/token/NiFiAuthenticationToken.java | 7 ++-
.../security/x509/X509AuthenticationFilter.java | 8 ++-
.../security/x509/X509AuthenticationProvider.java | 4 +-
.../x509/X509AuthenticationRequestToken.java | 5 +-
.../NiFiAnonymousAuthenticationProviderTest.java | 27 ++++++---
.../StandardJwtAuthenticationConverterTest.java | 2 +-
.../x509/X509AuthenticationProviderTest.java | 19 +++++--
19 files changed, 167 insertions(+), 42 deletions(-)
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationFilter.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationFilter.java
index a38c789bfd..eb24a3c61c 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationFilter.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationFilter.java
@@ -20,6 +20,7 @@ import org.apache.nifi.authorization.user.NiFiUserUtils;
import org.apache.nifi.util.NiFiProperties;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager;
import
org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
@@ -44,6 +45,7 @@ public abstract class NiFiAuthenticationFilter extends
GenericFilterBean {
private static final Logger log =
LoggerFactory.getLogger(NiFiAuthenticationFilter.class);
+ protected AuthenticationDetailsSource<HttpServletRequest,
NiFiWebAuthenticationDetails> authenticationDetailsSource;
private AuthenticationManager authenticationManager;
private NiFiProperties properties;
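Review bot: The new `authenticationDetailsSource` field is declared without a default, so it stays null until `setAuthenticationDetailsSource` is called, and the subclasses changed in this commit (`NiFiAnonymousAuthenticationFilter`, `X509AuthenticationFilter`) dereference it unconditionally in `attemptAuthentication`. The Spring configuration in this commit calls the setter for both filters, but a filter built elsewhere (a test or another subclass) would throw a NullPointerException while building its request token. Initialising the field where it is declared, `protected AuthenticationDetailsSource<HttpServletRequest, NiFiWebAuthenticationDetails> authenticationDetailsSource = new NiFiWebAuthenticationDetailsSource();`, and rejecting null in the setter with `Objects.requireNonNull(authenticationDetailsSource, "authenticationDetailsSource")` moves that failure to configuration time. The class body continues outside the hunk.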
@@ -163,6 +165,10 @@ public abstract class NiFiAuthenticationFilter extends
GenericFilterBean {
this.authenticationManager = authenticationManager;
}
+ public void setAuthenticationDetailsSource(final
AuthenticationDetailsSource<HttpServletRequest, NiFiWebAuthenticationDetails>
authenticationDetailsSource) {
+ this.authenticationDetailsSource = authenticationDetailsSource;
+ }
+
public void setProperties(NiFiProperties properties) {
this.properties = properties;
}
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationRequestToken.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationRequestToken.java
index 21397b6935..d05117fa1a 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationRequestToken.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiAuthenticationRequestToken.java
@@ -26,11 +26,13 @@ public abstract class NiFiAuthenticationRequestToken
extends AbstractAuthenticat
private final String clientAddress;
/**
- * @param clientAddress The address of the client making the request
+ * @param clientAddress The address of the client making the request
+ * @param authenticationDetails The authentication details of the client
making the request
*/
- public NiFiAuthenticationRequestToken(final String clientAddress) {
+ public NiFiAuthenticationRequestToken(final String clientAddress, final
Object authenticationDetails) {
super(null);
setAuthenticated(false);
+ setDetails(authenticationDetails);
this.clientAddress = clientAddress;
}
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiWebAuthenticationDetails.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiWebAuthenticationDetails.java
new file mode 100644
index 0000000000..f37483e34f
--- /dev/null
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiWebAuthenticationDetails.java
@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.web.security;
+
+import jakarta.servlet.http.HttpServletRequest;
+import org.springframework.http.HttpHeaders;
+import
org.springframework.security.web.authentication.WebAuthenticationDetails;
+
+import java.util.Objects;
+
+/**
+ * Authentication details for NiFi web. Stores the user agent in addition to
the remote address and session id.
+ */
+public class NiFiWebAuthenticationDetails extends WebAuthenticationDetails {
+ private final String userAgent;
+
+ public NiFiWebAuthenticationDetails(final HttpServletRequest request) {
+ super(request);
+ this.userAgent = request.getHeader(HttpHeaders.USER_AGENT);
+ }
+
+ public NiFiWebAuthenticationDetails(final String remoteAddress, final
String sessionId, String userAgent) {
+ super(remoteAddress, sessionId);
+ this.userAgent = userAgent;
+ }
+
+ public String getUserAgent() {
+ return userAgent;
+ }
+
+ @Override
+ public boolean equals(final Object o) {
+ if (o == null || getClass() != o.getClass()) {
+ return false;
+ }
+ if (!super.equals(o)) {
+ return false;
+ }
+ final NiFiWebAuthenticationDetails details =
(NiFiWebAuthenticationDetails) o;
+ return Objects.equals(userAgent, details.userAgent);
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hash(super.hashCode(), userAgent);
+ }
+
+ @Override
+ public String toString() {
+ return "remoteAddress=[%s]
userAgent=[%s]".formatted(getRemoteAddress(), userAgent);
+ }
+}
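Review bot: The `User-Agent` value stored by the request-based constructor is client-supplied, and it is kept and printed by `toString()` exactly as received, with no length cap and no filtering of control characters. Anything that logs or displays these details therefore carries text chosen by the client, so the value should be normalised once where it is captured and treated as informational only, never as input to an authentication or authorization decision. The sketch below replaces control characters and truncates the value; the limit of 512 is a constructed example, not a project value. Leaving the session id out of `toString()` deserves a one-line comment so that it is not added back later.

```java
    // constructed example limit; choose one that fits the logging and audit policy
    private static final int MAX_USER_AGENT_LENGTH = 512;

    public NiFiWebAuthenticationDetails(final HttpServletRequest request) {
        super(request);
        this.userAgent = sanitize(request.getHeader(HttpHeaders.USER_AGENT));
    }

    // … unchanged: three-argument constructor, getUserAgent, equals, hashCode, toString …

    // The header is client-controlled: drop control characters and bound the length before storing it
    private static String sanitize(final String value) {
        if (value == null) {
            return null;
        }
        final String printable = value.replaceAll("\\p{Cntrl}", " ");
        return printable.length() > MAX_USER_AGENT_LENGTH ? printable.substring(0, MAX_USER_AGENT_LENGTH) : printable;
    }
```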
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousAuthenticationFilter.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiWebAuthenticationDetailsSource.java
similarity index 59%
copy from
nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousAuthenticationFilter.java
copy to
nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiWebAuthenticationDetailsSource.java
index 4ffbd2d298..ee213c06e7 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousAuthenticationFilter.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/NiFiWebAuthenticationDetailsSource.java
@@ -14,21 +14,17 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-package org.apache.nifi.web.security.anonymous;
-
-import org.apache.nifi.web.security.NiFiAuthenticationFilter;
-import org.springframework.security.core.Authentication;
+package org.apache.nifi.web.security;
import jakarta.servlet.http.HttpServletRequest;
+import org.springframework.security.authentication.AuthenticationDetailsSource;
/**
- * Extracts an anonymous authentication request from a specified servlet
request.
+ * AuthenticationDetailsSource implementation for NiFi Web.
*/
-public class NiFiAnonymousAuthenticationFilter extends
NiFiAuthenticationFilter {
-
+public class NiFiWebAuthenticationDetailsSource implements
AuthenticationDetailsSource<HttpServletRequest, NiFiWebAuthenticationDetails> {
@Override
- public Authentication attemptAuthentication(final HttpServletRequest
request) {
- // return the anonymous authentication request for this http request
- return new NiFiAnonymousAuthenticationRequestToken(request.isSecure(),
request.getRemoteAddr());
+ public NiFiWebAuthenticationDetails buildDetails(final HttpServletRequest
context) {
+ return new NiFiWebAuthenticationDetails(context);
}
}
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousAuthenticationFilter.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousAuthenticationFilter.java
index 4ffbd2d298..2386fc9ee3 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousAuthenticationFilter.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousAuthenticationFilter.java
@@ -29,6 +29,6 @@ public class NiFiAnonymousAuthenticationFilter extends
NiFiAuthenticationFilter
@Override
public Authentication attemptAuthentication(final HttpServletRequest
request) {
// return the anonymous authentication request for this http request
- return new NiFiAnonymousAuthenticationRequestToken(request.isSecure(),
request.getRemoteAddr());
+ return new NiFiAnonymousAuthenticationRequestToken(request.isSecure(),
request.getRemoteAddr(), authenticationDetailsSource.buildDetails(request));
}
}
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousAuthenticationProvider.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousAuthenticationProvider.java
index 7e107d0bb2..df6252e010 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousAuthenticationProvider.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousAuthenticationProvider.java
@@ -46,7 +46,7 @@ public class NiFiAnonymousAuthenticationProvider extends
NiFiAuthenticationProvi
throw new InvalidAuthenticationException("Anonymous authentication
has not been configured.");
}
- return new NiFiAuthenticationToken(new
NiFiUserDetails(StandardNiFiUser.populateAnonymousUser(null,
request.getClientAddress())));
+ return new NiFiAuthenticationToken(new
NiFiUserDetails(StandardNiFiUser.populateAnonymousUser(null,
request.getClientAddress())), null, request.getDetails());
}
@Override
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousAuthenticationRequestToken.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousAuthenticationRequestToken.java
index c0f0c936a1..a6ada34fd6 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousAuthenticationRequestToken.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousAuthenticationRequestToken.java
@@ -31,9 +31,10 @@ public class NiFiAnonymousAuthenticationRequestToken extends
NiFiAuthenticationR
* Creates a representation of the anonymous authentication request for a
user.
*
* @param clientAddress the address of the client making the request
+ * @param authenticationDetails the authentication details of teh client
making the request
*/
- public NiFiAnonymousAuthenticationRequestToken(final boolean
secureRequest, final String clientAddress) {
- super(clientAddress);
+ public NiFiAnonymousAuthenticationRequestToken(final boolean
secureRequest, final String clientAddress, final Object authenticationDetails) {
+ super(clientAddress, authenticationDetails);
setAuthenticated(false);
this.secureRequest = secureRequest;
}
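Review bot: The added Javadoc line misspells "the" as "teh" in the `@param authenticationDetails` entry, and the constructor's `secureRequest` parameter still has no `@param` entry. Suggested wording: `@param authenticationDetails the authentication details of the client making the request` and `@param secureRequest whether the request arrived over a secure channel`. The second description is inferred from the call site, which passes `request.isSecure()`.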
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/AuthenticationSecurityConfiguration.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/AuthenticationSecurityConfiguration.java
index cd2269e1fc..be8ed2d57d 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/AuthenticationSecurityConfiguration.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/AuthenticationSecurityConfiguration.java
@@ -16,9 +16,12 @@
*/
package org.apache.nifi.web.security.configuration;
+import jakarta.servlet.http.HttpServletRequest;
import org.apache.nifi.authorization.Authorizer;
import org.apache.nifi.nar.ExtensionManager;
import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.NiFiWebAuthenticationDetails;
+import org.apache.nifi.web.security.NiFiWebAuthenticationDetailsSource;
import
org.apache.nifi.web.security.anonymous.NiFiAnonymousAuthenticationFilter;
import
org.apache.nifi.web.security.anonymous.NiFiAnonymousAuthenticationProvider;
import org.apache.nifi.web.security.logout.LogoutRequestManager;
@@ -27,6 +30,7 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
+import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager;
/**
@@ -65,6 +69,7 @@ public class AuthenticationSecurityConfiguration {
final NiFiAnonymousAuthenticationFilter anonymousAuthenticationFilter
= new NiFiAnonymousAuthenticationFilter();
anonymousAuthenticationFilter.setProperties(niFiProperties);
anonymousAuthenticationFilter.setAuthenticationManager(authenticationManager);
+
anonymousAuthenticationFilter.setAuthenticationDetailsSource(authenticationDetailsSource());
return anonymousAuthenticationFilter;
}
@@ -90,4 +95,9 @@ public class AuthenticationSecurityConfiguration {
public NiFiAnonymousAuthenticationProvider
anonymousAuthenticationProvider() {
return new NiFiAnonymousAuthenticationProvider(niFiProperties,
authorizer);
}
+
+ @Bean
+ public AuthenticationDetailsSource<HttpServletRequest,
NiFiWebAuthenticationDetails> authenticationDetailsSource() {
+ return new NiFiWebAuthenticationDetailsSource();
+ }
}
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/JwtAuthenticationSecurityConfiguration.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/JwtAuthenticationSecurityConfiguration.java
index f9acf2d812..8a6c26f998 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/JwtAuthenticationSecurityConfiguration.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/JwtAuthenticationSecurityConfiguration.java
@@ -16,8 +16,10 @@
*/
package org.apache.nifi.web.security.configuration;
+import jakarta.servlet.http.HttpServletRequest;
import org.apache.nifi.authorization.Authorizer;
import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.NiFiWebAuthenticationDetails;
import
org.apache.nifi.web.security.jwt.converter.StandardJwtAuthenticationConverter;
import org.apache.nifi.web.security.StandardAuthenticationEntryPoint;
import org.apache.nifi.web.security.jwt.jws.StandardJwsSignerProvider;
@@ -38,6 +40,7 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler;
+import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import
org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
@@ -93,8 +96,10 @@ public class JwtAuthenticationSecurityConfiguration {
* @return Bearer Token Authentication Filter
*/
@Bean
- public BearerTokenAuthenticationFilter
bearerTokenAuthenticationFilter(final AuthenticationManager
authenticationManager) {
+ public BearerTokenAuthenticationFilter
bearerTokenAuthenticationFilter(final AuthenticationManager
authenticationManager,
+ final AuthenticationDetailsSource<HttpServletRequest,
NiFiWebAuthenticationDetails> authenticationDetailsSource) {
final BearerTokenAuthenticationFilter bearerTokenAuthenticationFilter
= new BearerTokenAuthenticationFilter(authenticationManager);
+
bearerTokenAuthenticationFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
bearerTokenAuthenticationFilter.setBearerTokenResolver(bearerTokenResolver());
bearerTokenAuthenticationFilter.setAuthenticationEntryPoint(authenticationEntryPoint());
return bearerTokenAuthenticationFilter;
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/SamlAuthenticationSecurityConfiguration.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/SamlAuthenticationSecurityConfiguration.java
index e644f8e3e4..b8e4d6eb73 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/SamlAuthenticationSecurityConfiguration.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/SamlAuthenticationSecurityConfiguration.java
@@ -18,10 +18,12 @@ package org.apache.nifi.web.security.configuration;
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
+import jakarta.servlet.http.HttpServletRequest;
import org.apache.nifi.authorization.util.IdentityMappingUtil;
import org.apache.nifi.util.FormatUtils;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.util.StringUtils;
+import org.apache.nifi.web.security.NiFiWebAuthenticationDetails;
import org.apache.nifi.web.security.jwt.provider.BearerTokenProvider;
import org.apache.nifi.web.security.logout.LogoutRequestManager;
import org.apache.nifi.web.security.saml2.SamlUrlPath;
@@ -41,6 +43,7 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.cache.caffeine.CaffeineCache;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager;
import
org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
import
org.springframework.security.saml2.provider.service.authentication.OpenSaml5AuthenticationProvider;
@@ -142,9 +145,11 @@ public class SamlAuthenticationSecurityConfiguration {
* @return SAML 2 Authentication Filter
*/
@Bean
- public Saml2WebSsoAuthenticationFilter
saml2WebSsoAuthenticationFilter(final AuthenticationManager
authenticationManager) {
+ public Saml2WebSsoAuthenticationFilter
saml2WebSsoAuthenticationFilter(final AuthenticationManager
authenticationManager,
+ final AuthenticationDetailsSource<HttpServletRequest,
NiFiWebAuthenticationDetails> authenticationDetailsSource) {
final Saml2AuthenticationTokenConverter authenticationTokenConverter =
new Saml2AuthenticationTokenConverter(relyingPartyRegistrationResolver());
final Saml2WebSsoAuthenticationFilter filter = new
Saml2WebSsoAuthenticationFilter(authenticationTokenConverter,
SamlUrlPath.LOGIN_RESPONSE_REGISTRATION_ID.getPath());
+ filter.setAuthenticationDetailsSource(authenticationDetailsSource);
filter.setAuthenticationManager(authenticationManager);
filter.setAuthenticationSuccessHandler(getAuthenticationSuccessHandler());
filter.setAuthenticationRequestRepository(saml2AuthenticationRequestRepository());
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/X509AuthenticationSecurityConfiguration.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/X509AuthenticationSecurityConfiguration.java
index 5650096113..17f79286cf 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/X509AuthenticationSecurityConfiguration.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/X509AuthenticationSecurityConfiguration.java
@@ -16,8 +16,10 @@
*/
package org.apache.nifi.web.security.configuration;
+import jakarta.servlet.http.HttpServletRequest;
import org.apache.nifi.authorization.Authorizer;
import org.apache.nifi.util.NiFiProperties;
+import org.apache.nifi.web.security.NiFiWebAuthenticationDetails;
import org.apache.nifi.web.security.x509.SubjectDnX509PrincipalExtractor;
import org.apache.nifi.web.security.x509.X509AuthenticationFilter;
import org.apache.nifi.web.security.x509.X509AuthenticationProvider;
@@ -28,6 +30,7 @@ import
org.apache.nifi.web.security.x509.ocsp.OcspCertificateValidator;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager;
import
org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;
@@ -50,12 +53,14 @@ public class X509AuthenticationSecurityConfiguration {
}
@Bean
- public X509AuthenticationFilter x509AuthenticationFilter(final
AuthenticationManager authenticationManager) {
+ public X509AuthenticationFilter x509AuthenticationFilter(final
AuthenticationManager authenticationManager,
+ final AuthenticationDetailsSource<HttpServletRequest,
NiFiWebAuthenticationDetails> authenticationDetailsSource) {
final X509AuthenticationFilter x509AuthenticationFilter = new
X509AuthenticationFilter();
x509AuthenticationFilter.setProperties(niFiProperties);
x509AuthenticationFilter.setCertificateExtractor(certificateExtractor());
x509AuthenticationFilter.setPrincipalExtractor(principalExtractor());
x509AuthenticationFilter.setAuthenticationManager(authenticationManager);
+
x509AuthenticationFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
return x509AuthenticationFilter;
}
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/converter/StandardJwtAuthenticationConverter.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/converter/StandardJwtAuthenticationConverter.java
index 55a6b639fd..9ca20cdc34 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/converter/StandardJwtAuthenticationConverter.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/converter/StandardJwtAuthenticationConverter.java
@@ -56,7 +56,8 @@ public class StandardJwtAuthenticationConverter implements
Converter<Jwt, NiFiAu
@Override
public NiFiAuthenticationToken convert(final Jwt jwt) {
final NiFiUser user = getUser(jwt);
- return new NiFiAuthenticationToken(new NiFiUserDetails(user), jwt);
+ // Authentication Details will be populated in
JwtAuthenticationProvider
+ return new NiFiAuthenticationToken(new NiFiUserDetails(user), jwt,
null);
}
private NiFiUser getUser(final Jwt jwt) {
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthenticationToken.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthenticationToken.java
index 4d30118a58..b3d7f9e8de 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthenticationToken.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/token/NiFiAuthenticationToken.java
@@ -34,7 +34,7 @@ public class NiFiAuthenticationToken extends
AbstractAuthenticationToken {
* @param userDetails Spring Security User Details
*/
public NiFiAuthenticationToken(final UserDetails userDetails) {
- this(userDetails, userDetails.getPassword());
+ this(userDetails, userDetails.getPassword(), null);
}
/**
@@ -42,11 +42,12 @@ public class NiFiAuthenticationToken extends
AbstractAuthenticationToken {
*
* @param userDetails Spring Security User Details
* @param credentials Optional credentials from authentication processing
+ * @param authenticationDetails Optional authentication details from
authentication processing
*/
- public NiFiAuthenticationToken(final UserDetails userDetails, final Object
credentials) {
+ public NiFiAuthenticationToken(final UserDetails userDetails, final Object
credentials, final Object authenticationDetails) {
super(userDetails.getAuthorities());
super.setAuthenticated(true);
- setDetails(userDetails);
+ setDetails(authenticationDetails);
this.nifiUserDetails = userDetails;
this.credentials = credentials;
}
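Review bot: `getDetails()` on this token used to return the `UserDetails` passed to the constructor and now returns whatever the caller supplies as `authenticationDetails`, which is null for the single-argument constructor and for the JWT converter changed in this commit. Code that reads `getDetails()` and expects a user object is not visible in this hunk, so it is worth checking for such callers and pointing them at the `nifiUserDetails` the token keeps. The Javadoc should state the new contract, for example `@param authenticationDetails Optional request details such as NiFiWebAuthenticationDetails; may be null and never carries the user`. The class body continues outside the hunk.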
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationFilter.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationFilter.java
index b2665b61ef..1ee58c6616 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationFilter.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationFilter.java
@@ -55,7 +55,13 @@ public class X509AuthenticationFilter extends
NiFiAuthenticationFilter {
final String proxiedEntityIdpGroups =
request.getHeader(ProxiedEntitiesUtils.PROXY_ENTITY_GROUPS);
logger.debug("Raw {} - {}", ProxiedEntitiesUtils.PROXY_ENTITY_GROUPS,
proxiedEntityIdpGroups);
- return new X509AuthenticationRequestToken(proxiedEntitiesChain,
proxiedEntityIdpGroups, principalExtractor, certificates,
request.getRemoteAddr());
+ return new X509AuthenticationRequestToken(
+ proxiedEntitiesChain,
+ proxiedEntityIdpGroups,
+ principalExtractor,
+ certificates,
+ request.getRemoteAddr(),
+ authenticationDetailsSource.buildDetails(request));
}
/* setters */
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationProvider.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationProvider.java
index 88d3af42d5..8caed9a2ca 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationProvider.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationProvider.java
@@ -92,7 +92,7 @@ public class X509AuthenticationProvider extends
NiFiAuthenticationProvider {
if (StringUtils.isBlank(request.getProxiedEntitiesChain())) {
final String mappedIdentity =
mapIdentity(authenticationResponse.getIdentity());
final NiFiUser user = new
Builder().identity(mappedIdentity).groups(getUserGroups(mappedIdentity)).clientAddress(request.getClientAddress()).build();
- return new NiFiAuthenticationToken(new NiFiUserDetails(user),
certificates);
+ return new NiFiAuthenticationToken(new NiFiUserDetails(user),
certificates, request.getDetails());
} else {
// get the idp groups for the end-user that were sent over in the
X-ProxiedEntityGroups header
final Set<String> endUserIdpGroups =
ProxiedEntitiesUtils.tokenizeProxiedEntityGroups(request.getProxiedEntityGroups());
@@ -142,7 +142,7 @@ public class X509AuthenticationProvider extends
NiFiAuthenticationProvider {
logProxyChain(proxy);
}
- return new NiFiAuthenticationToken(new NiFiUserDetails(proxy),
certificates);
+ return new NiFiAuthenticationToken(new NiFiUserDetails(proxy),
certificates, request.getDetails());
}
}
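Review bot: In the proxied-entities branch the token now carries `request.getDetails()`, which was built from the HTTP request of the directly connected client, so the remote address and User-Agent it holds describe the proxy that presented the certificate rather than the end user named in the chain. If these details reach audit or user-facing records, as the commit title suggests, they could be misattributed to the end user. A comment above the return would make this explicit, for example `// details describe the direct TLS peer (the proxy), not the proxied end user`. The method body starts outside the hunk, so how `proxy` is built is not visible here.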
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationRequestToken.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationRequestToken.java
index 857ea7b541..1a660a8201 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationRequestToken.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/x509/X509AuthenticationRequestToken.java
@@ -37,11 +37,12 @@ public class X509AuthenticationRequestToken extends
NiFiAuthenticationRequestTok
*
* @param proxiedEntitiesChain The http servlet request
* @param certificates The certificate chain
+ * @param authenticationDetails The authentication details of the client
making the request
*/
public X509AuthenticationRequestToken(final String proxiedEntitiesChain,
final String proxiedEntityGroups,
final X509PrincipalExtractor
principalExtractor, final X509Certificate[] certificates,
- final String clientAddress) {
- super(clientAddress);
+ final String clientAddress, final
Object authenticationDetails) {
+ super(clientAddress, authenticationDetails);
setAuthenticated(false);
this.proxiedEntitiesChain = proxiedEntitiesChain;
this.proxiedEntityGroups = proxiedEntityGroups;
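Review bot: The constructor Javadoc gains a tag for `authenticationDetails` but still has none for `proxiedEntityGroups`, `principalExtractor` or `clientAddress`, and it describes the `String` parameter `proxiedEntitiesChain` as "The http servlet request". Because the new parameter is typed `Object`, its tag should say what is expected and whether null is accepted, for example `@param authenticationDetails request details, normally a NiFiWebAuthenticationDetails; may contain the client-supplied User-Agent, so treat as untrusted`. That the details carry the User-Agent is inferred from the commit title and the test fixtures. The Javadoc block starts above the hunk and the constructor body continues below it.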
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousAuthenticationProviderTest.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousAuthenticationProviderTest.java
index 7d2782b545..56c7bd3e44 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousAuthenticationProviderTest.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/anonymous/NiFiAnonymousAuthenticationProviderTest.java
@@ -21,6 +21,7 @@ import org.apache.nifi.authorization.user.NiFiUserDetails;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.util.StringUtils;
import org.apache.nifi.web.security.InvalidAuthenticationException;
+import org.apache.nifi.web.security.NiFiWebAuthenticationDetails;
import org.apache.nifi.web.security.token.NiFiAuthenticationToken;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;
@@ -39,10 +40,13 @@ public class NiFiAnonymousAuthenticationProviderTest {
final NiFiAnonymousAuthenticationProvider
anonymousAuthenticationProvider = new
NiFiAnonymousAuthenticationProvider(nifiProperties, mock(Authorizer.class));
- final NiFiAnonymousAuthenticationRequestToken authenticationRequest =
new NiFiAnonymousAuthenticationRequestToken(false, StringUtils.EMPTY);
+ final NiFiAnonymousAuthenticationRequestToken authenticationRequest =
new NiFiAnonymousAuthenticationRequestToken(
+ false,
+ StringUtils.EMPTY,
+ new NiFiWebAuthenticationDetails("127.0.0.1", "someSessionId",
"someUserAgent"));
final NiFiAuthenticationToken authentication =
(NiFiAuthenticationToken)
anonymousAuthenticationProvider.authenticate(authenticationRequest);
- final NiFiUserDetails userDetails = (NiFiUserDetails)
authentication.getDetails();
+ final NiFiUserDetails userDetails = (NiFiUserDetails)
authentication.getPrincipal();
assertTrue(userDetails.getNiFiUser().isAnonymous());
}
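Review bot: Nothing in this test asserts that the details given to the request token reach the authenticated token, so the behaviour this commit adds is not exercised. The same gap is in the other three tests of this file and in the `X509AuthenticationProviderTest` cases further down, which only switch the cast to `getPrincipal()`. Holding the details in a local and adding `assertSame(details, authentication.getDetails());` would pin it, assuming the anonymous provider passes the request details through unchanged as the X.509 provider does. The literal `new NiFiWebAuthenticationDetails("127.0.0.1", "someSessionId", "someUserAgent")` is repeated in every test and could be one shared constant.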
@@ -53,10 +57,13 @@ public class NiFiAnonymousAuthenticationProviderTest {
final NiFiAnonymousAuthenticationProvider
anonymousAuthenticationProvider = new
NiFiAnonymousAuthenticationProvider(nifiProperties, mock(Authorizer.class));
- final NiFiAnonymousAuthenticationRequestToken authenticationRequest =
new NiFiAnonymousAuthenticationRequestToken(false, StringUtils.EMPTY);
+ final NiFiAnonymousAuthenticationRequestToken authenticationRequest =
new NiFiAnonymousAuthenticationRequestToken(
+ false,
+ StringUtils.EMPTY,
+ new NiFiWebAuthenticationDetails("127.0.0.1", "someSessionId",
"someUserAgent"));
final NiFiAuthenticationToken authentication =
(NiFiAuthenticationToken)
anonymousAuthenticationProvider.authenticate(authenticationRequest);
- final NiFiUserDetails userDetails = (NiFiUserDetails)
authentication.getDetails();
+ final NiFiUserDetails userDetails = (NiFiUserDetails)
authentication.getPrincipal();
assertTrue(userDetails.getNiFiUser().isAnonymous());
}
@@ -67,7 +74,10 @@ public class NiFiAnonymousAuthenticationProviderTest {
final NiFiAnonymousAuthenticationProvider
anonymousAuthenticationProvider = new
NiFiAnonymousAuthenticationProvider(nifiProperties, mock(Authorizer.class));
- final NiFiAnonymousAuthenticationRequestToken authenticationRequest =
new NiFiAnonymousAuthenticationRequestToken(true, StringUtils.EMPTY);
+ final NiFiAnonymousAuthenticationRequestToken authenticationRequest =
new NiFiAnonymousAuthenticationRequestToken(
+ true,
+ StringUtils.EMPTY,
+ new NiFiWebAuthenticationDetails("127.0.0.1", "someSessionId",
"someUserAgent"));
assertThrows(InvalidAuthenticationException.class, () ->
anonymousAuthenticationProvider.authenticate(authenticationRequest));
}
@@ -79,10 +89,13 @@ public class NiFiAnonymousAuthenticationProviderTest {
final NiFiAnonymousAuthenticationProvider
anonymousAuthenticationProvider = new
NiFiAnonymousAuthenticationProvider(nifiProperties, mock(Authorizer.class));
- final NiFiAnonymousAuthenticationRequestToken authenticationRequest =
new NiFiAnonymousAuthenticationRequestToken(true, StringUtils.EMPTY);
+ final NiFiAnonymousAuthenticationRequestToken authenticationRequest =
new NiFiAnonymousAuthenticationRequestToken(
+ true,
+ StringUtils.EMPTY,
+ new NiFiWebAuthenticationDetails("127.0.0.1", "someSessionId",
"someUserAgent"));
final NiFiAuthenticationToken authentication =
(NiFiAuthenticationToken)
anonymousAuthenticationProvider.authenticate(authenticationRequest);
- final NiFiUserDetails userDetails = (NiFiUserDetails)
authentication.getDetails();
+ final NiFiUserDetails userDetails = (NiFiUserDetails)
authentication.getPrincipal();
assertTrue(userDetails.getNiFiUser().isAnonymous());
}
}
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/jwt/converter/StandardJwtAuthenticationConverterTest.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/jwt/converter/StandardJwtAuthenticationConverterTest.java
index 3cae7b018a..d4ee688cde 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/jwt/converter/StandardJwtAuthenticationConverterTest.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/jwt/converter/StandardJwtAuthenticationConverterTest.java
@@ -106,7 +106,7 @@ public class StandardJwtAuthenticationConverterTest {
assertNotNull(authenticationToken);
assertEquals(USERNAME, authenticationToken.toString());
- final NiFiUserDetails details = (NiFiUserDetails)
authenticationToken.getDetails();
+ final NiFiUserDetails details = (NiFiUserDetails)
authenticationToken.getPrincipal();
final NiFiUser user = details.getNiFiUser();
final Set<String> expectedGroups =
Collections.singleton(AUTHORIZER_GROUP);
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/x509/X509AuthenticationProviderTest.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/x509/X509AuthenticationProviderTest.java
index 4b87da2d95..26bcaff808 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/x509/X509AuthenticationProviderTest.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/x509/X509AuthenticationProviderTest.java
@@ -34,6 +34,7 @@ import org.apache.nifi.authorization.user.NiFiUserDetails;
import org.apache.nifi.authorization.user.StandardNiFiUser;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.web.security.InvalidAuthenticationException;
+import org.apache.nifi.web.security.NiFiWebAuthenticationDetails;
import org.apache.nifi.web.security.UntrustedProxyException;
import org.apache.nifi.web.security.token.NiFiAuthenticationToken;
import org.junit.jupiter.api.BeforeEach;
@@ -103,7 +104,7 @@ public class X509AuthenticationProviderTest {
@Test
public void testNoProxyChain() {
final NiFiAuthenticationToken auth = (NiFiAuthenticationToken)
x509AuthenticationProvider.authenticate(getX509Request("", IDENTITY_1));
- final NiFiUser user = ((NiFiUserDetails)
auth.getDetails()).getNiFiUser();
+ final NiFiUser user = ((NiFiUserDetails)
auth.getPrincipal()).getNiFiUser();
assertNotNull(user);
assertEquals(IDENTITY_1, user.getIdentity());
@@ -118,7 +119,7 @@ public class X509AuthenticationProviderTest {
@Test
public void testOneProxy() {
final NiFiAuthenticationToken auth = (NiFiAuthenticationToken)
x509AuthenticationProvider.authenticate(getX509Request(buildProxyChain(IDENTITY_1),
PROXY_1));
- final NiFiUser user = ((NiFiUserDetails)
auth.getDetails()).getNiFiUser();
+ final NiFiUser user = ((NiFiUserDetails)
auth.getPrincipal()).getNiFiUser();
assertNotNull(user);
assertEquals(IDENTITY_1, user.getIdentity());
@@ -139,7 +140,7 @@ public class X509AuthenticationProviderTest {
x509AuthenticationProvider = new
X509AuthenticationProvider(certificateIdentityProvider, authorizer, properties);
final NiFiAuthenticationToken auth = (NiFiAuthenticationToken)
x509AuthenticationProvider.authenticate(getX509Request(buildProxyChain(ANONYMOUS),
PROXY_1));
- final NiFiUser user = ((NiFiUserDetails)
auth.getDetails()).getNiFiUser();
+ final NiFiUser user = ((NiFiUserDetails)
auth.getPrincipal()).getNiFiUser();
assertNotNull(user);
assertEquals(StandardNiFiUser.ANONYMOUS_IDENTITY, user.getIdentity());
@@ -158,7 +159,7 @@ public class X509AuthenticationProviderTest {
@Test
public void testTwoProxies() {
final NiFiAuthenticationToken auth = (NiFiAuthenticationToken)
x509AuthenticationProvider.authenticate(getX509Request(buildProxyChain(IDENTITY_1,
PROXY_2), PROXY_1));
- final NiFiUser user = ((NiFiUserDetails)
auth.getDetails()).getNiFiUser();
+ final NiFiUser user = ((NiFiUserDetails)
auth.getPrincipal()).getNiFiUser();
assertNotNull(user);
assertEquals(IDENTITY_1, user.getIdentity());
@@ -188,7 +189,7 @@ public class X509AuthenticationProviderTest {
x509AuthenticationProvider = new
X509AuthenticationProvider(certificateIdentityProvider, authorizer, properties);
final NiFiAuthenticationToken auth = (NiFiAuthenticationToken)
x509AuthenticationProvider.authenticate(getX509Request(buildProxyChain(IDENTITY_1,
ANONYMOUS), PROXY_1));
- final NiFiUser user = ((NiFiUserDetails)
auth.getDetails()).getNiFiUser();
+ final NiFiUser user = ((NiFiUserDetails)
auth.getPrincipal()).getNiFiUser();
assertNotNull(user);
assertEquals(IDENTITY_1, user.getIdentity());
@@ -268,7 +269,13 @@ public class X509AuthenticationProviderTest {
}
private X509AuthenticationRequestToken getX509Request(final String
proxyChain, final String proxiedEntityGroups, final String identity) {
- return new X509AuthenticationRequestToken(proxyChain,
proxiedEntityGroups, extractor, new
X509Certificate[]{getX509Certificate(identity)}, "");
+ return new X509AuthenticationRequestToken(
+ proxyChain,
+ proxiedEntityGroups,
+ extractor,
+ new X509Certificate[]{getX509Certificate(identity)},
+ "",
+ new NiFiWebAuthenticationDetails("127.0.0.1", "someSessionId",
"someUserAgent"));
}
private X509Certificate getX509Certificate(final String identity) {
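Review bot: The fixture passes `""` as `clientAddress` while the details object is built with `"127.0.0.1"`, so the request token carries two different client addresses (assuming the first `NiFiWebAuthenticationDetails` argument is the remote address). The provider copies `request.getClientAddress()` onto the `NiFiUser` and `request.getDetails()` onto the token, so a test comparing the two would see a mismatch that real requests presumably never produce. Passing one shared value in both places, e.g. a `CLIENT_ADDRESS` constant, keeps the fixture representative. `getX509Request` lies entirely inside the hunk.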