exceptionfactory commented on code in PR #10554:
URL: https://github.com/apache/nifi/pull/10554#discussion_r2550213096
##########
nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/IdentityFilter.java:
##########
@@ -76,13 +80,24 @@ public void doFilter(ServletRequest servletRequest,
ServletResponse servletRespo
try {
AuthenticationRequest authenticationRequest =
identityProvider.extractCredentials((HttpServletRequest) servletRequest);
if (authenticationRequest != null) {
- Authentication authentication = new
AuthenticationRequestToken(authenticationRequest, identityProvider.getClass(),
servletRequest.getRemoteAddr());
+ Authentication authentication = new AuthenticationRequestToken(
+ authenticationRequest,
+ identityProvider.getClass(),
+ servletRequest.getRemoteAddr());
logger.debug("Adding credentials claim to SecurityContext to
be authenticated. Credentials extracted by {}: {}",
identityProvider.getClass().getSimpleName(),
authenticationRequest);
-
SecurityContextHolder.getContext().setAuthentication(authentication);
- // This filter's job, which is merely to search for and
extract an identity claim, is done.
- // The actual authentication of the identity claim will be
handled by a corresponding IdentityAuthenticationProvider
+ if (authenticationManager != null) {
+ try {
+ Authentication authenticated =
authenticationManager.authenticate(authentication);
+
SecurityContextHolder.getContext().setAuthentication(authenticated);
+ } catch (AuthenticationException ex) {
+ logger.debug("Authentication failed in IdentityFilter
for provider {}: {}", identityProvider.getClass().getSimpleName(),
ex.getMessage());
+ throw ex;
+ }
+ } else {
+
SecurityContextHolder.getContext().setAuthentication(authentication);
+ }
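Review bot: The `else` branch at the end of this hunk keeps the previous behaviour whenever `authenticationManager` is `null`, storing the unauthenticated `AuthenticationRequestToken` in the `SecurityContext` without any log line, so a wiring or initialization-order problem would silently switch requests onto a different authentication path. Consider requiring a non-null manager when the filter is constructed, or at least logging at warn level in that branch. The removed comments described the filter as only extracting an identity claim; now that it calls `authenticationManager.authenticate(authentication)` itself, a replacement comment should state the new responsibility and where the rethrown `AuthenticationException` is handled, since the enclosing `try` block's handlers are not visible here.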
Review Comment:
Thanks for flagging this issue @pvillard31. The Authentication Manager is a
central component of Spring Security, so it should never be `null` unless there
is some out-of-order initialization happening.
This deprecated implementation is a long-standing problem for NiFi Registry.
I will take a closer look, but I think it will probably require a more
substantial refactor.