thenatog commented on a change in pull request #4988: URL: https://github.com/apache/nifi/pull/4988#discussion_r618448529
########## File path: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/jwt/JwtAuthenticationFilter.java ##########

@@ -43,33 +51,63 @@ public Authentication attemptAuthentication(final HttpServletRequest request) { return null; } - // TODO: Refactor request header extraction logic to shared utility as it is duplicated in AccessResource + // Check for JWT in cookie and header + final String cookieToken = getTokenFromCookie(request); + final String headerToken = getTokenFromHeader(request); + if (cookieToken != null && !cookieToken.isEmpty()) { + if (!UNAUTHENTICATED_METHODS.contains(request.getMethod().toUpperCase())) { + // To protect against CSRF when using a cookie, if the request method requires authentication the request must have a matching Authorization header JWT + if (headerToken.equals(cookieToken)) { + return new JwtAuthenticationRequestToken(headerToken, request.getRemoteAddr()); + } else { + throw new InvalidAuthenticationException("Authorization HTTP header and authentication cookie did not match."); + } + } else { + return new JwtAuthenticationRequestToken(cookieToken, request.getRemoteAddr()); + } + } else if (headerToken != null && !headerToken.isEmpty()) {

Review comment: I have refactored this by adding the NiFiCsrfTokenRepository, which will check the Cookie header for a 'CSRF' token that should match the JWT Authorization header. This simplifies the JwtAuthenticationFilter and pushes the idempotent method checks to the Spring CsrfFilter code.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
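Review bot: the branch `if (headerToken.equals(cookieToken))` in the hunk dereferences `headerToken` without a null check, so a request that carries the authentication cookie, uses a method outside `UNAUTHENTICATED_METHODS`, and sends no Authorization header (exactly the shape of a cross-site form post) fails with a NullPointerException instead of the intended `InvalidAuthenticationException`. Since `cookieToken` is already known to be non-null and non-empty at that point, reversing the comparison to `cookieToken.equals(headerToken)` (or guarding with `headerToken != null`) keeps the CSRF rejection path deterministic; comparing the two token strings with a constant-time compare such as `MessageDigest.isEqual` on their bytes would also be preferable to `String.equals` for secret material. A small naming point: `UNAUTHENTICATED_METHODS` reads as "methods that need no authentication", while the comment describes it as the set of methods exempt from the cookie/header match, so a name such as `CSRF_SAFE_METHODS` would make the intent clearer.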