This is an automated email from the ASF dual-hosted git repository.
mcgilman pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new a9a4338fbb NIFI-15081 Deprecated Anonymous Authentication over HTTPS
for Removal (#10408)
a9a4338fbb is described below
commit a9a4338fbbc2bb1d3a409b12bbf471e6cd2ee270
Author: David Handermann <[email protected]>
AuthorDate: Fri Oct 10 16:25:32 2025 -0500
NIFI-15081 Deprecated Anonymous Authentication over HTTPS for Removal
(#10408)
---
nifi-docs/src/main/asciidoc/administration-guide.adoc | 2 ++
.../nifi/web/security/configuration/WebSecurityConfiguration.java | 8 ++++++++
2 files changed, 10 insertions(+)
diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc
b/nifi-docs/src/main/asciidoc/administration-guide.adoc
index 20c53da735..53cbb790af 100644
--- a/nifi-docs/src/main/asciidoc/administration-guide.adoc
+++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc
@@ -382,6 +382,8 @@ A user cannot anonymously authenticate with a secured
instance of NiFi unless `n
If this is the case, NiFi must also be configured with an Authorizer that
supports authorizing an anonymous user. Currently, NiFi does not ship
with any Authorizers that support this. There is a feature request here to
help support it
(link:https://issues.apache.org/jira/browse/NIFI-2730[NIFI-2730^]).
+NOTE: Allowing anonymous authentication is deprecated for removal in
subsequent releases.
+
There are three scenarios to consider when setting
`nifi.security.allow.anonymous.authentication`. When the user is directly
calling an endpoint
with no attempted authentication then
`nifi.security.allow.anonymous.authentication` will control whether the request
is authenticated or rejected.
The other two scenarios are when the request is proxied. This could either be
proxied by a NiFi node (e.g. a node in the NiFi cluster) or by a separate
diff --git
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/WebSecurityConfiguration.java
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/WebSecurityConfiguration.java
index d8dfcad2a0..a8c84984ae 100644
---
a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/WebSecurityConfiguration.java
+++
b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/configuration/WebSecurityConfiguration.java
@@ -16,6 +16,8 @@
*/
package org.apache.nifi.web.security.configuration;
+import org.apache.nifi.deprecation.log.DeprecationLogger;
+import org.apache.nifi.deprecation.log.DeprecationLoggerFactory;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.web.security.StandardAuthenticationEntryPoint;
import
org.apache.nifi.web.security.anonymous.NiFiAnonymousAuthenticationFilter;
@@ -73,6 +75,8 @@ import java.util.stream.Collectors;
@EnableWebSecurity
@EnableMethodSecurity
public class WebSecurityConfiguration {
+ private static final DeprecationLogger deprecationLogger =
DeprecationLoggerFactory.getLogger(WebSecurityConfiguration.class);
+
private static final List<String> UNFILTERED_PATHS = List.of(
"/access/token",
"/access/logout/complete",
@@ -149,6 +153,10 @@ public class WebSecurityConfiguration {
.addFilterBefore(bearerTokenAuthenticationFilter,
AnonymousAuthenticationFilter.class)
.addFilterBefore(new AuthenticationUserFilter(),
ExceptionTranslationFilter.class);
+ if (properties.isAnonymousAuthenticationAllowed()) {
+ deprecationLogger.warn("Anonymous Authentication [{}] is
deprecated for removal", NiFiProperties.SECURITY_ANONYMOUS_AUTHENTICATION);
+ }
+
if (properties.isAnonymousAuthenticationAllowed() ||
properties.isHttpEnabled()) {
http.addFilterAfter(anonymousAuthenticationFilter,
AnonymousAuthenticationFilter.class);
}
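Review bot: The warning added ahead of the `isAnonymousAuthenticationAllowed() || isHttpEnabled()` check names only the property key, so an operator reading the deprecation log is not told that the instance is accepting unauthenticated requests or what to change. Wording along the lines of `"Anonymous Authentication [{}] is deprecated for removal: set the property to false and configure an authenticated login method"` would make the entry actionable. The property check is also evaluated twice in consecutive `if` statements; a local such as `final boolean anonymousAllowed = properties.isAnonymousAuthenticationAllowed();` would tie the warning and the filter registration to the same value. The commit title scopes the deprecation to HTTPS, but as far as the hunk shows the warning also fires when the property is true on an HTTP-enabled instance, so it is worth confirming that this is intended. The enclosing method starts and ends outside the hunk.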