[ https://issues.apache.org/jira/browse/NIFI-12487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17798346#comment-17798346 ]

ASF subversion and git services commented on NIFI-12487:
--------------------------------------------------------

Commit 27941936089ce6ef85ac1ba3a1bb0da536965e53 in nifi's branch refs/heads/main from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=2794193608 ]

NIFI-12487 Added CSRF Protection to Registry (#8136)

- Added CSRF Token Repository based on existing implementation
- Updated Angular Request Interceptor to read cookie and send Request-Token Header

> Add CSRF Filter to Registry Configuration
> -----------------------------------------
>
>                 Key: NIFI-12487
>                 URL: https://issues.apache.org/jira/browse/NIFI-12487
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: NiFi Registry, Security
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Major
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> NiFi Registry supports several authentication strategies including username 
> and password, X.509 certificates, and OpenID Connect. Strategies that involve 
> exchanging temporary credentials produce an Application Bearer Token, which 
> the Registry interface stores and sends on subsequent requests for the 
> duration of the session. The Registry interface passes the Bearer Token using 
> the standard HTTP Authorization header, which requires custom JavaScript 
> request processing. This approach mitigates general concerns related to 
> Cross-Site Request Forgery as external requests from a web browser cannot 
> send the Authorization header.
>
> Despite general protection based on the current implementation, adding 
> standard Cross-Site Request Forgery checking using Spring Security would 
> provide additional defenses. Enabling CSRF protection also aligns with 
> existing capabilities in NiFi, and would provide a basis for future alignment of 
> Bearer Token handling strategies.
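The commit above describes a cookie-plus-header (double-submit) CSRF check: the client reads a cookie and echoes it in a Request-Token header, and the server rejects state-changing requests where the two do not match. The following is an added illustration of that pattern, not code from the commit or from NiFi Registry; the "Request-Token" header name is taken from the commit message, while the cookie name and the function names are assumptions made for this example.

```typescript
// Added example (not NiFi Registry code): the double-submit pattern the commit
// describes. The "Request-Token" header name is from the commit message; the
// cookie name below is an assumption for this example, not taken from the page.
const CSRF_COOKIE = "Request-Token";
const CSRF_HEADER = "Request-Token";
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

type HeaderMap = Record<string, string>;

// Parse a Cookie header (or document.cookie) string into a name -> value map.
function parseCookies(cookieString: string): Map<string, string> {
  const cookies = new Map<string, string>();
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) cookies.set(name, decodeURIComponent(part.slice(idx + 1).trim()));
  }
  return cookies;
}

// Client side (what the Angular interceptor does): for state-changing methods,
// copy the CSRF cookie value into the Request-Token header; safe methods pass through.
function withRequestToken(method: string, cookieString: string, headers: HeaderMap = {}): HeaderMap {
  if (SAFE_METHODS.has(method.toUpperCase())) return { ...headers };
  const token = parseCookies(cookieString).get(CSRF_COOKIE);
  return token === undefined ? { ...headers } : { ...headers, [CSRF_HEADER]: token };
}

// Compare two strings without returning early at the first differing character.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Server side: safe methods pass; everything else must carry a header equal to the
// cookie. A cross-site form post sends the cookie but cannot set a custom header.
function csrfCheck(method: string, cookieHeader: string, headers: HeaderMap): boolean {
  if (SAFE_METHODS.has(method.toUpperCase())) return true;
  const cookieToken = parseCookies(cookieHeader).get(CSRF_COOKIE);
  let headerToken: string | undefined;
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() === CSRF_HEADER.toLowerCase()) headerToken = headers[name];
  }
  if (cookieToken === undefined || headerToken === undefined) return false;
  return constantTimeEqual(cookieToken, headerToken);
}
```

Note that the Bearer Token in the Authorization header remains the primary defense described in the issue; this check is the additional layer the ticket proposes.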



--
This message was sent by Atlassian Jira
(v8.20.10#820010)