Abdu Sahin created NIFI-6085:
--------------------------------

             Summary: Bearer Token isn't killed after a user logs out
                 Key: NIFI-6085
                 URL: https://issues.apache.org/jira/browse/NIFI-6085
             Project: Apache NiFi
          Issue Type: Bug
          Components: Security
    Affects Versions: 1.5.0
            Reporter: Abdu Sahin


I observed that the Authorization bearer token is not invalidated after a logout.

Steps to reproduce

Step 1: Log in to NiFi as usual.

Step 2: After logging in, copy the authorisation bearer token from the
/nifi-api/access/token response.

Step 3: Make a curl request as below and observe that an HTTP 200 response is
received with status information.
{code:bash}
curl -v -H "Authorization: Bearer <Token>" \
  https://nifi-server/nifi-api/flow/status{code}
Step 4: Log out from the NiFi console.

Step 5: Repeat Step 3 and observe that an HTTP 200 response with status
information is received again, even though the user has logged out.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to