[NIFI-9241] Review CORS Security Configuration - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.8.0, 1.14.0
Fix Version/s: 1.15.0
Component/s: Core UI, Security
Labels:
None

Description

The NiFi Web Security Configuration includes a custom CORS Configuration Source that disallows HTTP POST requests for Template Uploads. The works as expected with direct access to the NiFi UI, but causes issues when attempting to upload a template to NiFi through a reverse proxy.

When a web browser sends a template upload request that includes an unexpected Origin header, the Spring CORS Filter returns HTTP 403 Forbidden with a response body containing the message Invalid CORS Request. NIFI-6080 describes a workaround that involves setting a different Origin header. The current approach as implemented in ~~NIFI-5595~~ should be evaluated for potential improvements to avoid this behavior when running NiFi with a reverse proxy.

Attachments

Issue Links

causes

NIFI-9339 JoltTransformJson custom UI not working

Resolved

is related to

NIFI-6080 Create documentation around deploying NiFi behind a proxy

Open

NIFI-5595 Add filter to template endpoint

Resolved

relates to

NIFI-10855 Document Cross-Site Request Forgery Protection

Resolved

links to

GitHub Pull Request #5417

Activity

People

Assignee:: David Handermann

Reporter:: David Handermann

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 22/Sep/21 18:04

Updated:: 21/Nov/22 23:23

Resolved:: 01/Oct/21 00:50

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

40m