thenatog commented on a change in pull request #4988:
URL: https://github.com/apache/nifi/pull/4988#discussion_r618448529



##########
File path: 
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java
##########
@@ -43,33 +51,63 @@ public Authentication attemptAuthentication(final 
HttpServletRequest request) {
             return null;
         }
 
-        // TODO: Refactor request header extraction logic to shared utility as 
it is duplicated in AccessResource
+        // Check for JWT in cookie and header
+        final String cookieToken = getTokenFromCookie(request);
+        final String headerToken = getTokenFromHeader(request);
+        if (cookieToken != null && !cookieToken.isEmpty()) {
+            if 
(!UNAUTHENTICATED_METHODS.contains(request.getMethod().toUpperCase())) {
+                // To protect against CSRF when using a cookie, if the request 
method requires authentication the request must have a matching Authorization 
header JWT
+                if (headerToken.equals(cookieToken)) {
+                    return new JwtAuthenticationRequestToken(headerToken, 
request.getRemoteAddr());
+                } else {
+                    throw new InvalidAuthenticationException("Authorization 
HTTP header and authentication cookie did not match.");
+                }
+            } else {
+                return new JwtAuthenticationRequestToken(cookieToken, 
request.getRemoteAddr());
+            }
+        } else if (headerToken != null && !headerToken.isEmpty()) {
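Review bot: `headerToken.equals(cookieToken)` in the CSRF branch dereferences `headerToken`, which can be null when the request carries the authentication cookie but no Authorization header (the trailing `else if (headerToken != null ...)` shows a null return from `getTokenFromHeader` is expected). A state-changing request sent with only the cookie would then fail with a NullPointerException instead of the intended `InvalidAuthenticationException`; reverse the comparison, `cookieToken.equals(headerToken)`, or add an explicit null check before comparing. Since the header value is attacker-supplied and is compared against the secret cookie token, a constant-time comparison such as `MessageDigest.isEqual` on the UTF-8 bytes is also preferable to `String.equals`.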

Review comment:
I have refactored this by adding the NiFiCsrfTokenRepository which will check the Cookie header for a 'CSRF' token that should match the JWT Authorization header. This simplifies the JwtAuthenticationFilter and pushes the idempotent method checks to the Spring CsrfFilter code.




-- 
This is an automated message from the Apache Git Service.