[ https://issues.apache.org/jira/browse/NIFI-13558?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17867055#comment-17867055 ]

ASF subversion and git services commented on NIFI-13558:
--------------------------------------------------------

Commit e35cbbba81522e2217ad2c9491ba4e5e29b3bcf1 in nifi's branch 
refs/heads/main from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=e35cbbba81 ]

NIFI-13558 Configured Web Security to ignore unauthenticated requests (#9090)

This closes #9090 

> HTTP Security Filtering does not ignore unauthenticated request paths
> ---------------------------------------------------------------------
>
>                 Key: NIFI-13558
>                 URL: https://issues.apache.org/jira/browse/NIFI-13558
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 2.0.0-M4
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Minor
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> The Spring Framework WebSecurityConfiguration class defines the set of 
> Spring Security filters to invoke when processing HTTP requests. As part of 
> migration work to Spring Framework 6, the WebSecurityConfiguration 
> transitioned from using deprecated methods to the current approach of 
> authorizing all HTTP requests and permitting a list of paths that do not 
> require authentication. This approach works for initial request processing, 
> but when a client presents credentials that are no longer valid, such as an 
> expired Application Bearer Token, the configured Bearer Token Authentication 
> Filter rejects the request with an HTTP 401 Unauthorized response, even for 
> paths that do not require authentication.
>
> This behavior should be adjusted so that the Spring Security filter does not 
> attempt to process credentials for unauthenticated request paths. Configuring 
> a Spring Security WebSecurityCustomizer is one option, but calling the 
> ignoring method results in logged warnings. Instead, the securityMatchers 
> method on the HTTP Security configuration can be used to exclude specific 
> request paths from filter evaluation. The existing set of unfiltered request 
> paths, required for user interface configuration, should be switched to this 
> approach for improved behavior when the client presents an invalid token. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
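The two configuration styles contrasted in the issue, written out as an added Spring Security 6 illustration (a constructed example, not NiFi's own WebSecurityConfiguration or the code of this commit). The class name, the placeholder path list and the injected bearerTokenFilter are assumptions.

```java
import jakarta.servlet.Filter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

import static org.springframework.security.web.util.matcher.AntPathRequestMatcher.antMatcher;

@Configuration
@EnableWebSecurity
public class ExampleWebSecurityConfiguration {

    // Placeholder paths that must be reachable without credentials (assumed, not NiFi's list)
    private static final RequestMatcher UNAUTHENTICATED_PATHS = new OrRequestMatcher(
            antMatcher("/public/**"),
            antMatcher("/assets/**"),
            antMatcher("/login-config")
    );

    // Corrected approach: securityMatchers removes the unauthenticated paths from this chain,
    // so a request to them never reaches the bearer token filter and an expired token cannot
    // turn into a 401 on a path that needs no authentication. No "ignoring" warning is logged.
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http, Filter bearerTokenFilter) throws Exception {
        http
            .securityMatchers(matchers -> matchers.requestMatchers(new NegatedRequestMatcher(UNAUTHENTICATED_PATHS)))
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .addFilterBefore(bearerTokenFilter, AnonymousAuthenticationFilter.class);
        return http.build();
    }

    // Earlier approach, kept only for contrast and deliberately not registered as a bean:
    // the chain matches every request, so the bearer token filter runs first and rejects an
    // invalid token with 401 before the permitAll rule in the authorization filter is consulted.
    private HttpSecurity permitAllApproach(HttpSecurity http, Filter bearerTokenFilter) throws Exception {
        return http
            .authorizeHttpRequests(authorize -> authorize
                .requestMatchers(UNAUTHENTICATED_PATHS).permitAll()
                .anyRequest().authenticated())
            .addFilterBefore(bearerTokenFilter, AnonymousAuthenticationFilter.class);
    }
}
```

Paths excluded through securityMatchers pass through none of this chain's filters, so they also receive none of its other protections (security headers, CSRF handling); keep that list limited to resources that are genuinely public.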