[ https://issues.apache.org/jira/browse/NIFI-7870?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nathan Gough updated NIFI-7870:
-------------------------------
    Description: 
-The X-Content-Type header was added in NiFi 1.12.0, which blocks resources in 
the browser if they do not have the content type added. It appears that some 
'advanced UI' resources do not have the content type applied to their resources 
and are blocked from loading.-

On further inspection, it appears that explicitly disallowing anonymous access 
has resulted in some static resources in the NiFi advanced UI's WAR checking 
whether the anonymous user should be able to access them. The anonymous access 
was intended to be used on the NiFi API endpoints, and not static resources.

  was:The X-Content-Type header was added in NiFi 1.12.0, which blocks 
resources in the browser if they do not have the content type added. It appears 
that some 'advanced UI' resources do not have the content type applied to their 
resources and are blocked from loading.


> Fix anonymous access control for advanced UI resources
> ------------------------------------------------------
>
>                 Key: NIFI-7870
>                 URL: https://issues.apache.org/jira/browse/NIFI-7870
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core UI
>    Affects Versions: 1.12.0, 1.12.1
>            Reporter: Nathan Gough
>            Assignee: Nathan Gough
>            Priority: Critical
>              Labels: UI, content-type, header, security
>
> -The X-Content-Type header was added in NiFi 1.12.0, which blocks resources 
> in the browser if they do not have the content type added. It appears that 
> some 'advanced UI' resources do not have the content type applied to their 
> resources and are blocked from loading.-
> On further inspection, it appears that explicitly disallowing anonymous 
> access has resulted in some static resources in the NiFi advanced UI's WAR 
> checking whether the anonymous user should be able to access them. The 
> anonymous access was intended to be used on the NiFi API endpoints, and not 
> static resources.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
