[ https://issues.apache.org/jira/browse/NIFI-6085?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16835993#comment-16835993 ]

ASF subversion and git services commented on NIFI-6085:
-------------------------------------------------------

Commit cf6f5172503ce438c6c22c334c9367f774db7b24 in nifi's branch 
refs/heads/master from thenatog
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=cf6f517 ]

NIFI-6085 - Added /access/logout endpoint to allow JWT auth tokens to be 
removed correctly. Added some tests. Found an error in the KeyDAO which did not 
allow key deletion.
NIFI-6085 - Updated logOut method to use NiFiUserUtils and updated tests.
NIFI-6085 - Added some more integration tests.
NIFI-6085 Suppressed stacktrace when token is used after being invalidated.

This closes #3362.

Signed-off-by: Andy LoPresto <[email protected]>


> Bearer Token isn't killed after user logs out
> ---------------------------------------------
>
>                 Key: NIFI-6085
>                 URL: https://issues.apache.org/jira/browse/NIFI-6085
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.5.0
>            Reporter: Abdu Sahin
>            Assignee: Nathan Gough
>            Priority: Major
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> I observed that the Authorization Bearer token is not invalidated after a logout.
> Steps to reproduce:
> Step 1: Log in to NiFi as usual.
> Step 2: Copy the authorisation bearer token after the login from the
> /nifi-api/access/token response.
> Step 3: Make a curl request as below and observe that an HTTP 200 response
> is received with status information.
> {code:java}
> curl -v -H "Authorization: Bearer <Token>" https://nifi-server/nifi-api/flow/status
> {code}
> Step 4: Log out from the NiFi console.
> Step 5: Repeat Step 3 and observe that an HTTP 200 response is again received with
> status information even though the user has logged out.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
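
The replay in Steps 3 to 5 and the remedy the commit message describes (logout removes the server-side key), sketched as an added example that is not NiFi's code. It assumes each user's tokens are HMAC-signed with a per-user key held in a server-side store; `TokenService`, its methods and the user `alice` are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class TokenService:
    """Hypothetical token issuer: one server-side signing key per user."""
    def __init__(self):
        self._keys = {}  # username -> HMAC key (stand-in for a key store)

    def _sign(self, key: bytes, body: str) -> bytes:
        return hmac.new(key, body.encode(), hashlib.sha256).digest()

    def login(self, user: str, ttl: int = 3600) -> str:
        key = self._keys.setdefault(user, secrets.token_bytes(32))
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = _b64(json.dumps({"sub": user, "exp": int(time.time()) + ttl}).encode())
        body = f"{header}.{claims}"
        return f"{body}.{_b64(self._sign(key, body))}"

    def logout(self, user: str) -> None:
        # Without this deletion the token stays valid until "exp" (the reported bug).
        self._keys.pop(user, None)

    def validate(self, token: str):
        """Return the subject for a valid token, otherwise None."""
        try:
            header, claims, sig = token.split(".")
            payload = json.loads(_unb64(claims))
            # "sub" is unverified here and used only to select the key.
            key = self._keys.get(payload["sub"])
            if key is None:  # key deleted at logout: every old token fails
                return None
            expected = self._sign(key, f"{header}.{claims}")
            if not hmac.compare_digest(expected, _unb64(sig)):
                return None
            return payload["sub"] if payload["exp"] > time.time() else None
        except (ValueError, KeyError, TypeError):
            return None

def replay_after_logout():
    svc = TokenService()
    token = svc.login("alice")       # constructed user
    before = svc.validate(token)     # Step 3: accepted
    svc.logout("alice")              # Step 4
    return before, svc.validate(token)  # Step 5: must now be rejected
```

Because a new login generates a fresh key, a token captured before logout stays rejected even after the same user logs in again.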
