David Handermann created NIFI-13558:
---------------------------------------
Summary: HTTP Security Filtering does not ignore unauthenticated
request paths
Key: NIFI-13558
URL: https://issues.apache.org/jira/browse/NIFI-13558
Project: Apache NiFi
Issue Type: Bug
Components: Core Framework
Reporter: David Handermann
Assignee: David Handermann
The Spring Framework WebSecurityConfiguration class defines the set of
Spring Security filters to invoke when processing HTTP requests. As part of
migration work to Spring Framework 6, the WebSecurityConfiguration transitioned
from using deprecated methods to the current approach of authorizing all HTTP
requests and permitting a list of paths that do not require authentication.
This approach works for initial request processing, but when a client presents
credentials that are no longer valid, such as an expired Application Bearer
Token, the configured Bearer Token Authentication Filter rejects the request
with an HTTP 401 Unauthorized response, even for paths that do not require
authentication.
This behavior should be adjusted so that the Spring Security filter does not
attempt to process credentials for unauthenticated request paths. Configuring a
Spring Security WebSecurityCustomizer is one option, but calling the ignoring
method results in logged warnings. Instead, the securityMatchers method on the
HTTP Security configuration can be used to exclude specific request paths from
filter evaluation. The existing set of unfiltered request paths, required for
user interface configuration, should be switched to this approach for improved
behavior when the client presents an invalid token.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
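The two configuration styles the issue contrasts, as an added illustration that is not Apache NiFi's own WebSecurityConfiguration: a Spring Security 6 filter chain that permits a list of paths but still runs the bearer token filter on them, beside a chain that uses securityMatchers to keep those paths out of filter evaluation altogether. The path list, the injected bearerTokenFilter bean, the class name and the extra permitAll chain are assumptions made for the example.

```java
// Added example, not Apache NiFi code. The path list, the bearerTokenFilter
// bean and the class names are assumptions for illustration.
package example;

import java.util.List;

import jakarta.servlet.Filter;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class ExampleWebSecurityConfiguration {

    // Hypothetical paths the user interface needs before any login happens
    private static final List<String> UNAUTHENTICATED_PATHS = List.of(
            "/", "/index.html", "/assets/**", "/access/config");

    private static RequestMatcher unauthenticatedRequests() {
        return new OrRequestMatcher(
                UNAUTHENTICATED_PATHS.stream()
                        .<RequestMatcher>map(AntPathRequestMatcher::new)
                        .toList());
    }

    // The pattern the issue describes as problematic (deliberately NOT a @Bean):
    // this chain applies to every request, so bearerTokenFilter still runs on the
    // permitted paths. permitAll() only skips the authorization decision; an
    // expired bearer token presented on "/" is still rejected by the filter
    // with 401 before authorization is ever consulted.
    SecurityFilterChain permitAllButStillFiltered(HttpSecurity http, Filter bearerTokenFilter)
            throws Exception {
        return http
                .authorizeHttpRequests(authorize -> authorize
                        .requestMatchers(unauthenticatedRequests()).permitAll()
                        .anyRequest().authenticated())
                .addFilterBefore(bearerTokenFilter, AnonymousAuthenticationFilter.class)
                .build();
    }

    // The approach the issue proposes: securityMatchers() restricts this chain to
    // requests that are NOT unauthenticated paths, so the bearer token filter is
    // never invoked for them and stale credentials cannot produce a 401 there.
    @Bean
    @Order(2)
    SecurityFilterChain authenticatedRequests(HttpSecurity http, Filter bearerTokenFilter)
            throws Exception {
        return http
                .securityMatchers(matchers -> matchers.requestMatchers(
                        new NegatedRequestMatcher(unauthenticatedRequests())))
                .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
                .addFilterBefore(bearerTokenFilter, AnonymousAuthenticationFilter.class)
                .build();
    }

    // A request that matches no SecurityFilterChain bypasses Spring Security
    // entirely, including its response security headers. This extra chain is an
    // assumption of the example (the issue does not describe it): it keeps the
    // default header and session handling on the open paths while adding no
    // credential-processing filter, so an invalid token is simply ignored.
    @Bean
    @Order(1)
    SecurityFilterChain unauthenticatedRequestsChain(HttpSecurity http) throws Exception {
        return http
                .securityMatcher(unauthenticatedRequests())
                .authorizeHttpRequests(authorize -> authorize.anyRequest().permitAll())
                .build();
    }
}
```

Two SecurityFilterChain beans can both inject HttpSecurity because it is prototype scoped, and @Order decides which chain is consulted first for a request. AntPathRequestMatcher is used here for compatibility across Spring Security 6 releases; newer releases offer PathPatternRequestMatcher as a replacement. Using a WebSecurityCustomizer with ignoring() would also skip the filters, but, as the issue notes, Spring Security logs a warning for that configuration, which is why the matcher-based exclusion is shown instead.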