NIFI-10322 Correct Cookie path when removing Bearer Token #6278
Closed
exceptionfactory wants to merge 1 commit into apache:main from
Conversation
- Appended root path to Cookie path attribute when removing Bearer Tokens as part of unauthorized response handling
- Updated Saml2AuthenticationSuccessHandler to follow standard Cookie path building strategy
bbd7728 to 4405b53
Contributor
Will review
Contributor
Tried setting up a reverse proxy to test this but I had some issues. I did verify that normal bearer token functionality is still working with LDAP, for example (checked that when logging out, the cookie was removed correctly). I verified the change through your unit test and it looks good to me. +1, will merge.
p-kimberley pushed a commit to p-kimberley/nifi that referenced this pull request on Oct 15, 2022
- Appended root path to Cookie path attribute when removing Bearer Tokens as part of unauthorized response handling
- Updated Saml2AuthenticationSuccessHandler to follow standard Cookie path building strategy
Signed-off-by: Nathan Gough <thenatog@gmail.com>
This closes apache#6278.
Summary
NIFI-10322 Corrects path attribute building when sending the Set-Cookie header to remove the __Secure-Authorization-Bearer Cookie as part of HTTP 401 Unauthorized response processing.

When accessing Apache NiFi through a proxy server that provides access through a prefixed path, the HTTP response processing does not append a / character to the path attribute of the Set-Cookie header as part of the 401 Unauthorized response handling. The initial login process does append the / character to the path attribute, resulting in a mismatch between the initial addition of the Cookie and the later request to remove the Cookie from browser storage. As a result of failing to remove the Cookie from browser storage, the browser continues to send an expired JSON Web Token, resulting in an HTTP 401 Unauthorized response.

Changes include setting the root path in the RequestUriBuilder, following the same pattern used in application REST resources, and updating unit tests to verify the expected path for both the default root path as well as a forwarded root path.

Tracking
Please complete the following tracking steps prior to pull request creation.
Issue Tracking
Pull Request Tracking
NIFI-00000
Pull Request Formatting
main branch
Verification
Please indicate the verification steps performed prior to pull request creation.
Build
mvn clean install -P contrib-check
Licensing
LICENSE and NOTICE files
Documentation
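The browser behaviour behind this pull request is the RFC 6265 storage model: a cookie's identity in the cookie store is the tuple of name, host and path, so a Set-Cookie with Max-Age=0 only clears the stored cookie when its Path attribute is byte-for-byte the one used at login. The following is an added example, not code from the Apache NiFi project or from this pull request; it models that storage model in Python and replays the scenario from the summary. The hostname proxy.example.test, the forwarded prefix /nifi-prefix and the request paths are constructed for the illustration; only the cookie name __Secure-Authorization-Bearer is taken from the page.

```python
"""RFC 6265 cookie-store model: a Set-Cookie removal only replaces the stored
cookie when its Path attribute matches the one used when the cookie was set.
Added example, not Apache NiFi project code; hostnames and the proxy prefix are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A cookie's identity in the store is (name, host, path): RFC 6265 section 5.3, step 11.
CookieKey = Tuple[str, str, str]

BEARER_COOKIE = "__Secure-Authorization-Bearer"  # cookie name named in the PR summary


@dataclass
class StoredCookie:
    name: str
    value: str
    host: str
    path: str
    expired: bool  # expiry-time already in the past (Max-Age <= 0)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header value into name, value and lower-cased attributes."""
    pair, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = pair.partition("=")
    attributes: Dict[str, str] = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip()
    return name.strip(), value, attributes


def default_path(request_path: str) -> str:
    """Default cookie path when Set-Cookie carries no Path attribute (RFC 6265 section 5.1.4)."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: identical, or cookie-path is a prefix that
    either ends in '/' or is followed by '/' in the request path."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


class CookieStore:
    """Just enough of a browser cookie jar to show replacement and eviction."""

    def __init__(self) -> None:
        self._cookies: Dict[CookieKey, StoredCookie] = {}

    def receive(self, host: str, request_path: str, header: str) -> None:
        """Process one Set-Cookie header from a response to host + request_path."""
        name, value, attrs = parse_set_cookie(header)
        path = attrs.get("path") or default_path(request_path)
        expired = "max-age" in attrs and int(attrs["max-age"]) <= 0
        key = (name, host, path)
        # Same name+host+path: the old cookie is replaced. Any other path: a second cookie.
        self._cookies.pop(key, None)
        self._cookies[key] = StoredCookie(name, value, host, path, expired)
        # Expired cookies are evicted from the store (RFC 6265 section 5.3).
        self._cookies = {k: c for k, c in self._cookies.items() if not c.expired}

    def cookie_names_for(self, host: str, request_path: str) -> List[str]:
        """Cookie names the browser would send on a request to host + request_path."""
        return sorted(c.name for c in self._cookies.values()
                      if c.host == host and path_matches(request_path, c.path))


def token_survives_removal(login_path: str, removal_path: str) -> bool:
    """Set the bearer cookie at login with login_path, then try to clear it from a
    401 response with removal_path. Returns True if the browser would still send it."""
    store = CookieStore()
    host = "proxy.example.test"  # constructed hostname
    api = "/nifi-prefix/nifi-api"  # constructed forwarded prefix plus API path
    store.receive(host, api + "/access/token",
                  f"{BEARER_COOKIE}=eyJhbGciOi.expired.token; Path={login_path}; "
                  "Secure; HttpOnly; SameSite=Strict")
    store.receive(host, api + "/flow/current-user",
                  f"{BEARER_COOKIE}=; Path={removal_path}; Max-Age=0; Secure; HttpOnly")
    return BEARER_COOKIE in store.cookie_names_for(host, api + "/flow/current-user")


if __name__ == "__main__":
    # Trailing slash missing on removal (the bug): the expired token keeps being sent.
    print("mismatched path, token still sent:", token_survives_removal("/nifi-prefix/", "/nifi-prefix"))
    # Same path on both (the fix): the cookie is gone.
    print("matching path, token still sent:", token_survives_removal("/nifi-prefix/", "/nifi-prefix/"))
```

The removal with Path=/nifi-prefix creates a second, already-expired cookie keyed on a different path, which is evicted at once while the original /nifi-prefix/ cookie stays in the store and still path-matches every request under the prefix; that is the loop of 401 responses the summary describes. Only when both Set-Cookie headers carry the identical path does the Max-Age=0 cookie replace and evict the original. The same check applies to any cookie-clearing logic behind a reverse proxy: build the path once and reuse it for both set and remove.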