Uploaded image for project: 'Apache NiFi'
  1. Apache NiFi
  2. NIFI-10871

Intermittent CSRF HTTP 403 in Clustered Deployments



    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.18.0
    • 1.20.0, 1.19.1
    • Core UI, Security
    • None


      NiFi 1.14.0 introduced Cross-Site Request Forgery mitigation as part of updates to support JSON Web Token resolution using HttpOnly Session cookies. The standard Spring Security CsrfFilter includes a Request Matcher property to control whether filtering operations should be applied, but the CsrfFilter checks the Request Matcher after generating and saving a new token.

      Standalone deployments of NiFi can reuse the CSRF Request Token when the HTTP request includes the value in a Cookie header, but the NiFi HTTP Request Replicator removes the CSRF Request Token cookie before sending the request to other cluster nodes.

      As a result of these implementation details, NiFi cluster nodes receiving replicated HTTP requests generate and return a new CSRF Request Token. The NiFi user interface receives the new CSRF Request Token and uses it to set the custom Request-Token HTTP Header on subsequent requests. This is not an issue for HTTP GET requests, but requests using methods such as POST, PUT, or DELETE can return an HTTP 403 Forbidden response from the Spring Security CsrfFilter due to receiving mismatched __Secure-Request-Token Cookie and Request-Token Header values.

      This issue is intermittent because it depends on the web browser simultaneously receiving an HTTP response with a new Secure-Request-Token Cookie while preparing to send a new HTTP request with a Request-Token Header that contains the value from the previously received cookie.

      Resolving the problem should include adjusting the behavior of the CsrfFilter to avoid setting a new cookie on requests that do not require filtering.


        Issue Links



              exceptionfactory David Handermann
              exceptionfactory David Handermann
              0 Vote for this issue
              3 Start watching this issue



                Time Tracking

                  Original Estimate - Not Specified
                  Not Specified
                  Remaining Estimate - 0h
                  Time Spent - 1h 40m
                  1h 40m