Uploaded image for project: 'Apache NiFi'
  1. Apache NiFi
  2. NIFI-5508

Support disabling wantClientAuth when running behind a reverse proxy.

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 1.7.0, 1.7.1
    • None
    • Security
    • Reverse Proxy & trying to use other credential provider when the reverse proxy provides a client certificate itself.

    Description

      As discussed on mailing list.

      JettyServer always calls either setNeedClientAuth(true) or setWantClientAuth(true).

      When used with a reverse proxy that has a client certificate, it is impossible currently to use other credential providers as the X509 authentication takes precedence.

      Adding the ability to disable wantClientAuth via a NiFi property would enable the ability to leverage existing SSO solutions behind a reverse proxy.

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. NIFI-5493 Reverse Proxy & OIDC

          • Major - Major loss of function.
          • Open
          links to

          Web Link GitHub Pull Request #2944

          Web Link GitHub Pull Request #2944

          Activity

            People

              Unassigned Unassigned
              ruckc Curtis W Ruck
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:

                Time Tracking

                  Estimated:
                  Original Estimate - 1h
                  1h
                  Remaining:
                  Time Spent - 20m Remaining Estimate - 40m
                  40m
                  Logged:
                  Time Spent - 20m Remaining Estimate - 40m
                  20m