[ https://issues.apache.org/jira/browse/NIFI-6085?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Abdu Sahin updated NIFI-6085:
-----------------------------
Description:
I observed that the Authorization Bearer token is not invalidated after a logout.
Steps to reproduce
Step 1: Log in to NiFi as usual.
Step 2: Copy the authorisation bearer token after the login from the
/nifi-api/access/token response.
Step 3: Make a curl request as below and observe that an HTTP 200 response is
received with status information.
{code:bash}
curl -v -H "Authorization: Bearer <Token>" \
  https://nifi-server/nifi-api/flow/status
{code}
Step 4: Log out from the NiFi console.
Step 5: Repeat Step 3 and observe that an HTTP 200 response is again received with
status information even though the user has logged out.
was:
I observed that Authorization Bearer token is not invalidated after a logout.
Steps to produce
Step 1: Login to Nifi as usual.
Step 2: Copy the authorisation bearer token after the login from
/nifi-api/access/token response.
Step 3: Make a request a curl request as below and observe http 200 response is
received with status information.
{code:java}
curl -v H "Authorization: Bearer <Token>"
https://nifi-server/nifi-api/flow/status{code}
Step 4: Log out from Nifi Console
Step 5: Repeat Step 3 and observe again http 200 response is received with
status information even though the user has logged out.
> Bearer Token isn't killed after user logs out
> ---------------------------------------------
>
> Key: NIFI-6085
> URL: https://issues.apache.org/jira/browse/NIFI-6085
> Project: Apache NiFi
> Issue Type: Bug
> Components: Security
> Affects Versions: 1.5.0
> Reporter: Abdu Sahin
> Priority: Major
>
--
This message was sent by Atlassian JIRA (v7.6.3#76005)
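The report boils down to a design point: if a bearer token is accepted on the strength of its signature and expiry alone, a logout cannot change the outcome, because the server keeps no state that the logout could update. The following Python model, which is an added illustration and not NiFi's own code, puts the stateless check the report describes beside a revocation-aware check. It assumes an HMAC-signed token of the form base64(payload).base64(signature) carrying a per-token id (jti) and an expiry (exp), and an in-memory revocation list; a real deployment would persist that list and share it across nodes.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing key for this demo; a real issuer loads it from a keystore.
SECRET = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user: str, ttl_seconds: int = 3600) -> str:
    """Issue a signed bearer token: base64(payload).base64(hmac-sha256)."""
    payload = {
        "sub": user,
        "jti": secrets.token_hex(8),          # unique id so a single token can be revoked
        "exp": int(time.time()) + ttl_seconds,
    }
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def _verify_signature(token: str):
    """Return the payload if the signature is valid and the token is unexpired, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(_unb64(body))
    if payload["exp"] < time.time():
        return None
    return payload


# --- Behaviour the report describes: authorization is purely stateless ---

def authorize_stateless(token: str) -> bool:
    """Accepts any well-signed, unexpired token. A logout touches no server state,
    so the token keeps working until 'exp', exactly as observed in the report."""
    return _verify_signature(token) is not None


# --- Hardened form: logout records the token id server-side ---

REVOKED_JTIS = {}  # jti -> exp; hypothetical in-memory store, would be shared storage in practice


def logout(token: str) -> None:
    """Revoke the presented token. Entries only need to live until the token expires."""
    payload = _verify_signature(token)
    if payload is not None:
        REVOKED_JTIS[payload["jti"]] = payload["exp"]


def purge_expired_revocations(now=None) -> int:
    """Drop revocation entries for tokens that are expired anyway; returns how many were removed."""
    now = time.time() if now is None else now
    stale = [jti for jti, exp in REVOKED_JTIS.items() if exp < now]
    for jti in stale:
        del REVOKED_JTIS[jti]
    return len(stale)


def authorize_with_revocation(token: str) -> bool:
    """Signature and expiry as before, plus a revocation-list lookup on every request."""
    payload = _verify_signature(token)
    if payload is None:
        return False
    return payload["jti"] not in REVOKED_JTIS


def demo():
    """Replays the report's sequence: authorize, log out, authorize again."""
    token = issue_token("alice")
    before = (authorize_stateless(token), authorize_with_revocation(token))
    logout(token)
    after = (authorize_stateless(token), authorize_with_revocation(token))
    return before, after


if __name__ == "__main__":
    print(demo())  # stateless check still passes after logout; revocation-aware check does not
```

The revocation list is keyed on the token id rather than the whole token so that the store stays small, and it is purged by expiry so it cannot grow without bound; the cost is one lookup per request, which is the price of making logout mean something.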