[ 
https://issues.apache.org/jira/browse/NIFI-13558?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

David Handermann updated NIFI-13558:
------------------------------------
    Affects Version/s: 2.0.0-M4
                       1.27.0
               Status: Patch Available  (was: Open)

> HTTP Security Filtering does not ignore unauthenticated request paths
> ---------------------------------------------------------------------
>
>                 Key: NIFI-13558
>                 URL: https://issues.apache.org/jira/browse/NIFI-13558
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 2.0.0-M4, 1.27.0
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Minor
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> The Spring Framework WebSecurityConfiguration class defines the set of 
> Spring Security filters to invoke when processing HTTP requests. As part of 
> migration work to Spring Framework 6, the WebSecurityConfiguration 
> transitioned from using deprecated methods to the current approach of 
> authorizing all HTTP requests and permitting a list of paths that do not 
> require authentication. This approach works for initial request processing, 
> but when a client presents credentials that are no longer valid, such as an 
> expired Application Bearer Token, the configured Bearer Token Authentication 
> Filter rejects the request with an HTTP 401 Unauthorized response, even for 
> paths that do not require authentication.
> This behavior should be adjusted so that the Spring Security filter does not 
> attempt to process credentials for unauthenticated request paths. Configuring 
> a Spring Security WebSecurityCustomizer is one option, but calling the 
> ignoring method results in logged warnings. Instead, the securityMatchers 
> method on the HTTP Security configuration can be used to exclude specific 
> request paths from filter evaluation. The existing set of unfiltered request 
> paths, required for user interface configuration, should be switched to this 
> approach for improved behavior when the client presents an invalid token. 
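The two Spring Security 6 configurations the issue description contrasts, written out as an added illustration that is not NiFi's own WebSecurityConfiguration. The request paths, the bearer token filter bean and the class and method names below are placeholders chosen for the example; `HttpSecurity.securityMatchers`, `authorizeHttpRequests`, `permitAll` and the `NegatedRequestMatcher`/`OrRequestMatcher`/`AntPathRequestMatcher` classes are the real Spring Security API.

```java
import jakarta.servlet.Filter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class ExampleWebSecurityConfiguration {

    // Placeholder paths standing in for the application's unauthenticated
    // request paths (hypothetical; NiFi's actual list is not part of the issue text)
    private static final RequestMatcher UNAUTHENTICATED_PATHS = new OrRequestMatcher(
            new AntPathRequestMatcher("/example-api/access/config"),
            new AntPathRequestMatcher("/example-ui/**")
    );

    // Hypothetical bearer token authentication filter: it parses the Authorization
    // header and answers HTTP 401 when the token is invalid or expired, before any
    // authorization decision is made
    private final Filter bearerTokenAuthenticationFilter;

    public ExampleWebSecurityConfiguration(final Filter bearerTokenAuthenticationFilter) {
        this.bearerTokenAuthenticationFilter = bearerTokenAuthenticationFilter;
    }

    /**
     * Approach described as problematic in the issue: permitAll() only relaxes the
     * authorization decision. The bearer token filter still runs for every request,
     * so an expired token produces 401 even on a permitted path.
     */
    SecurityFilterChain permitAllChain(final HttpSecurity http) throws Exception {
        return http
                .authorizeHttpRequests(authorize -> authorize
                        .requestMatchers(UNAUTHENTICATED_PATHS).permitAll()
                        .anyRequest().authenticated())
                .addFilterBefore(bearerTokenAuthenticationFilter, AnonymousAuthenticationFilter.class)
                .build();
    }

    /**
     * Approach the issue proposes: securityMatchers() restricts which requests this
     * filter chain handles at all. Requests to the unauthenticated paths never enter
     * the chain, so the bearer token filter never sees (and never rejects) their
     * credentials, and no WebSecurityCustomizer.ignoring() warning is logged.
     */
    @Bean
    public SecurityFilterChain securityMatchersChain(final HttpSecurity http) throws Exception {
        return http
                .securityMatchers(matchers -> matchers
                        .requestMatchers(new NegatedRequestMatcher(UNAUTHENTICATED_PATHS)))
                .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
                .addFilterBefore(bearerTokenAuthenticationFilter, AnonymousAuthenticationFilter.class)
                .build();
    }
}
```

One caveat worth keeping in mind when applying the second form: a request that matches none of the application's SecurityFilterChain beans passes through no Spring Security filter at all, which is the same effect `ignoring()` has and the reason Spring Security warns about it. The excluded set should therefore contain exactly the paths that must be reachable before authentication, and nothing that relies on Spring Security's response headers or other filters.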



--
This message was sent by Atlassian Jira
(v8.20.10#820010)