Github user bbende commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/2585#discussion_r177489251
  
    --- Diff: 
nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenHTTP.java
 ---
    @@ -213,6 +260,8 @@ private void createHttpServerFromService(final 
ProcessContext context) throws Ex
             final Double maxBytesPerSecond = 
context.getProperty(MAX_DATA_RATE).asDataSize(DataUnit.B);
             final StreamThrottler streamThrottler = (maxBytesPerSecond == 
null) ? null : new LeakyBucketStreamThrottler(maxBytesPerSecond.intValue());
             final int returnCode = 
context.getProperty(RETURN_CODE).asInteger();
    +        final String authenticationUsername = 
trimToEmpty(context.getProperty(PROP_BASIC_AUTH_USERNAME).evaluateAttributeExpressions().getValue());
    +        final String authenticationPassword = 
trimToEmpty(context.getProperty(PROP_BASIC_AUTH_PASSWORD).evaluateAttributeExpressions().getValue());
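Review bot: `trimToEmpty` on both added lines maps an unset property and a whitespace-only value to the same empty string, so a username configured without a password cannot be told apart from one with a blank password, and nothing in the hunk rejects that combination. Consider checking in `customValidate` that the two properties are set together, and drop the trim on `authenticationPassword` so leading or trailing whitespace in a configured secret is not silently altered before comparison.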
    --- End diff --
    
    Should there be a custom validate that ensures that when username is set 
that password is also set?
    
    Also, should it be a requirement that an SSLContext is provided when using 
basic auth? 
    
    If not, then it seems very insecure for the external client to be 
submitting the basic auth credentials over plain http.

