[ https://issues.apache.org/jira/browse/NIFI-7870?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17205871#comment-17205871 ]

Nathan Gough commented on NIFI-7870:
------------------------------------

Sounds like this may be more complicated than first anticipated. Upon 
investigation, it appears that the advanced UI static assets are not accessible 
due to another change in -NIFI-7170- which was intended to disable anonymous 
access to API endpoints. This was not intended to block access to static 
assets.--

When using LDAP, OIDC and perhaps other authentication mechanisms other than 
X509, an 'HTTP 401 Unauthorized' is returned for advanced UI static assets, 
which results in the Content-Type being returned as 'text/plain' (an error 
message) instead of the expected 'application/javascript' Content-Type. The 
server will show:


{code}
2020-10-01 19:30:38,159 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<anonymous>) GET https://localhost:8443/nifi-jolt-transform-json-ui-1.12.1/app/transformjson/transformjson.service.js (source ip: 172.17.0.1)
2020-10-01 19:30:38,159 WARN [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Anonymous authentication has not been configured.
{code}

This is because the NiFi UI does not include the JWT for requests to static 
assets, but authentication is being checked as anonymous authentication is now 
disabled by default. So, a 401 is returned.

The current workaround is to enable anonymous authentication, which will allow 
access to static assets for advanced UIs (JavaScript etc.):
nifi.security.allow.anonymous.authentication=true.

A fix for this will likely involve a combination of explicitly allowing access 
to advanced UI static assets for UIs bundled with NiFi, and for external 
custom UIs, anonymous authentication will need to be enabled.

We expect that this will be a temporary change, with the long term goal of 
refactoring/redesigning some of these security features in a future release/a 
NiFi 2.0 release.

Also related is NIFI-7489.

> X-Content-Type missing for advanced UI resources
> ------------------------------------------------
>
>                 Key: NIFI-7870
>                 URL: https://issues.apache.org/jira/browse/NIFI-7870
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core UI
>    Affects Versions: 1.12.0, 1.12.1
>            Reporter: Nathan Gough
>            Assignee: Nathan Gough
>            Priority: Critical
>              Labels: UI, content-type, header, security
>
> The X-Content-Type header was added in NiFi 1.12.0, which blocks resources in 
> the browser if they do not have the content type added. It appears that some 
> 'advanced UI' resources do not have the content type applied to their 
> resources and are blocked from loading.
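
As an added illustration (not part of this comment or of the NiFi code base), the following Python detection logic correlates NiFiAuthenticationFilter "Attempting request" and "Rejecting access" lines on the same server thread and flags rejections whose URL is a static asset under an advanced-UI context path, so the symptom described above can be told apart from ordinary unauthenticated API calls in the server log. The sample log lines, the static-asset extension list and the context-path pattern are constructed assumptions modelled on the excerpt in the comment.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample log, modelled on the excerpt quoted in the comment:
# one rejected advanced-UI static asset, one rejected REST API call.
SAMPLE_LOG = """\
2020-10-01 19:30:38,159 INFO [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<anonymous>) GET https://localhost:8443/nifi-jolt-transform-json-ui-1.12.1/app/transformjson/transformjson.service.js (source ip: 172.17.0.1)
2020-10-01 19:30:38,159 WARN [NiFi Web Server-19] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Anonymous authentication has not been configured.
2020-10-01 19:30:40,001 INFO [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<anonymous>) GET https://localhost:8443/nifi-api/flow/about (source ip: 172.17.0.1)
2020-10-01 19:30:40,002 WARN [NiFi Web Server-20] o.a.n.w.s.NiFiAuthenticationFilter Rejecting access to web api: Anonymous authentication has not been configured.
"""

ATTEMPT_RE = re.compile(
    r"^\S+ \S+ INFO \[(?P<thread>[^\]]+)\] \S+NiFiAuthenticationFilter "
    r"Attempting request for \(<anonymous>\) (?P<method>[A-Z]+) (?P<url>\S+)")
REJECT_RE = re.compile(
    r"^\S+ \S+ WARN \[(?P<thread>[^\]]+)\] \S+NiFiAuthenticationFilter "
    r"Rejecting access to web api")

# Assumed set of file types served as static assets by an advanced UI WAR.
STATIC_EXTENSIONS = (".js", ".css", ".html", ".map", ".png", ".svg", ".woff", ".woff2")
# Assumed context-path shape of a bundled advanced UI, e.g. /nifi-jolt-transform-json-ui-1.12.1/
ADVANCED_UI_PATH = re.compile(r"^/nifi-[\w-]+-ui-[\d.]+[\w-]*/")


@dataclass
class Rejection:
    thread: str
    method: str
    url: str
    advanced_ui_static_asset: bool  # True = the NIFI-7870 symptom, not a real API call


def find_anonymous_rejections(log_text: str) -> List[Rejection]:
    """Pair each anonymous 'Attempting request' with the 'Rejecting access'
    logged on the same Jetty thread, then classify the rejected URL."""
    pending: Dict[str, Tuple[str, str]] = {}  # thread -> (method, url)
    found: List[Rejection] = []
    for line in log_text.splitlines():
        attempt = ATTEMPT_RE.match(line)
        if attempt:
            pending[attempt["thread"]] = (attempt["method"], attempt["url"])
            continue
        reject = REJECT_RE.match(line)
        if reject and reject["thread"] in pending:
            method, url = pending.pop(reject["thread"])
            path = urlparse(url).path
            is_asset = bool(ADVANCED_UI_PATH.match(path)) and path.lower().endswith(STATIC_EXTENSIONS)
            found.append(Rejection(reject["thread"], method, url, is_asset))
    return found
```

A rejection flagged as an advanced-UI static asset is the condition this comment describes (a 401 text/plain body in place of the script, which the browser then refuses to execute), whereas an unflagged one is the intended behaviour of denying anonymous API access.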



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
