[
https://issues.apache.org/jira/browse/NIFI-10871?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17640815#comment-17640815
]
ASF subversion and git services commented on NIFI-10871:
--------------------------------------------------------
Commit d55fb91b0f2f62b081a8732e66dbbd3ea66961a6 in nifi's branch
refs/heads/main from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=d55fb91b0f ]
NIFI-10871 Skipped CSRF processing for replicated HTTP requests
- Updated Security Filter Configuration to avoid unnecessary CSRF Request Token
generation for requests replicated between cluster nodes
This closes #6715.
Signed-off-by: Tamas Palfy <[email protected]>
> Intermittent CSRF HTTP 403 in Clustered Deployments
> ----------------------------------------------------
>
> Key: NIFI-10871
> URL: https://issues.apache.org/jira/browse/NIFI-10871
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core UI, Security
> Affects Versions: 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.18.0
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Major
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> NiFi 1.14.0 introduced Cross-Site Request Forgery mitigation as part of
> updates to support JSON Web Token resolution using HttpOnly Session cookies.
> The standard Spring Security
> [CsrfFilter|https://github.com/spring-projects/spring-security/blob/5.7.5/web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java]
> includes a Request Matcher property to control whether filtering operations
> should be applied, but the CsrfFilter checks the Request Matcher after
> generating and saving a new token.
> Standalone deployments of NiFi can reuse the CSRF Request Token when the HTTP
> request includes the value in a {{Cookie}} header, but the NiFi HTTP Request
> Replicator removes the CSRF Request Token cookie before sending the request
> to other cluster nodes.
> As a result of these implementation details, NiFi cluster nodes receiving
> replicated HTTP requests generate and return a new CSRF Request Token. The
> NiFi user interface receives the new CSRF Request Token and uses it to set
> the custom {{Request-Token}} HTTP Header on subsequent requests. This is not
> an issue for HTTP GET requests, but requests using methods such as POST, PUT,
> or DELETE can return an HTTP 403 Forbidden response from the Spring Security
> CsrfFilter due to receiving mismatched {{__Secure-Request-Token}} Cookie and
> {{Request-Token}} Header values.
> This issue is intermittent because it depends on the web browser
> simultaneously receiving an HTTP response with a new Secure-Request-Token
> Cookie while preparing to send a new HTTP request with a {{Request-Token}}
> Header that contains the value from the previously received cookie.
> Resolving the problem should include adjusting the behavior of the CsrfFilter
> to avoid setting a new cookie on requests that do not require filtering.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
