Details
- Type: Improvement
- Status: Resolved
- Priority: Major
- Resolution: Fixed
Description
NiFi Registry supports several authentication strategies, including username and password, X.509 certificates, and OpenID Connect. Strategies that involve exchanging temporary credentials produce an Application Bearer Token, which the Registry interface stores and sends on subsequent requests for the duration of the session. The Registry interface passes the Bearer Token in the standard HTTP Authorization header, which requires custom JavaScript request processing. This approach mitigates general concerns related to Cross-Site Request Forgery, because a browser does not attach a custom Authorization header to a request initiated by another site (a form submission or a simple cross-origin request); such requests carry cookies at most.
Despite the general protection provided by the current implementation, adding standard Cross-Site Request Forgery checking using Spring Security would provide an additional layer of defense. Enabling CSRF protection also aligns with existing capabilities in NiFi, and would provide a basis for future alignment of Bearer Token handling strategies.