Example 1 with UntrustedProxyException
use of org.apache.nifi.registry.web.security.authentication.exception.UntrustedProxyException in project nifi-registry by apache.
the class X509IdentityAuthenticationProvider method buildAuthenticatedToken.
@Override
protected AuthenticationSuccessToken buildAuthenticatedToken(AuthenticationRequestToken requestToken, AuthenticationResponse response) {
AuthenticationRequest authenticationRequest = requestToken.getAuthenticationRequest();
String proxiedEntitiesChain = authenticationRequest.getDetails() != null ? (String) authenticationRequest.getDetails() : null;
if (StringUtils.isBlank(proxiedEntitiesChain)) {
return super.buildAuthenticatedToken(requestToken, response);
}
// build the entire proxy chain if applicable - <end-user><proxy1><proxy2>
final List<String> proxyChain = ProxiedEntitiesUtils.tokenizeProxiedEntitiesChain(proxiedEntitiesChain);
proxyChain.add(response.getIdentity());
// add the chain as appropriate to each proxy
NiFiUser proxy = null;
for (final ListIterator<String> chainIter = proxyChain.listIterator(proxyChain.size()); chainIter.hasPrevious(); ) {
String identity = chainIter.previous();
// determine if the user is anonymous
final boolean isAnonymous = StringUtils.isBlank(identity);
if (isAnonymous) {
identity = StandardNiFiUser.ANONYMOUS_IDENTITY;
} else {
identity = mapIdentity(identity);
}
final Set<String> groups = getUserGroups(identity);
// Only set the client address for client making the request because we don't know the clientAddress of the proxied entities
String clientAddress = (proxy == null) ? requestToken.getClientAddress() : null;
proxy = createUser(identity, groups, proxy, clientAddress, isAnonymous);
if (chainIter.hasPrevious()) {
try {
PROXY_AUTHORIZABLE.authorize(authorizer, RequestAction.WRITE, proxy);
} catch (final AccessDeniedException e) {
throw new UntrustedProxyException(String.format("Untrusted proxy [%s].", identity));
}
}
}
return new AuthenticationSuccessToken(new NiFiUserDetails(proxy));
}
Also used :
AccessDeniedException(org.apache.nifi.registry.security.authorization.exception.AccessDeniedException)
StandardNiFiUser(org.apache.nifi.registry.security.authorization.user.StandardNiFiUser)
NiFiUser(org.apache.nifi.registry.security.authorization.user.NiFiUser)
UntrustedProxyException(org.apache.nifi.registry.web.security.authentication.exception.UntrustedProxyException)
AuthenticationSuccessToken(org.apache.nifi.registry.web.security.authentication.AuthenticationSuccessToken)
AuthenticationRequest(org.apache.nifi.registry.security.authentication.AuthenticationRequest)
NiFiUserDetails(org.apache.nifi.registry.security.authorization.user.NiFiUserDetails)
Example 2 with UntrustedProxyException
use of org.apache.nifi.registry.web.security.authentication.exception.UntrustedProxyException in project nifi-registry by apache.
the class NiFiRegistrySecurityConfig method http401AuthenticationEntryPoint.
private AuthenticationEntryPoint http401AuthenticationEntryPoint() {
// For secured, this will cause attempt to access any API endpoint (except those explicitly ignored) without providing credentials to return a 401 Unauthorized challenge
return new AuthenticationEntryPoint() {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authenticationException) throws IOException, ServletException {
final int status;
// See X509IdentityAuthenticationProvider.buildAuthenticatedToken(...)
if (authenticationException instanceof UntrustedProxyException) {
// return a 403 response
status = HttpServletResponse.SC_FORBIDDEN;
logger.info("Identity in proxy chain not trusted to act as a proxy: {} Returning 403 response.", authenticationException.toString());
} else {
// return a 401 response
status = HttpServletResponse.SC_UNAUTHORIZED;
logger.info("Client could not be authenticated due to: {} Returning 401 response.", authenticationException.toString());
}
logger.debug("", authenticationException);
if (!response.isCommitted()) {
response.setStatus(status);
response.setContentType("text/plain");
response.getWriter().println(String.format("%s Contact the system administrator.", authenticationException.getLocalizedMessage()));
}
}
};
}
Also used :
HttpServletRequest(javax.servlet.http.HttpServletRequest)
UntrustedProxyException(org.apache.nifi.registry.web.security.authentication.exception.UntrustedProxyException)
AuthenticationException(org.springframework.security.core.AuthenticationException)
AuthenticationEntryPoint(org.springframework.security.web.AuthenticationEntryPoint)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
AuthenticationEntryPoint(org.springframework.security.web.AuthenticationEntryPoint)
Aggregations
UntrustedProxyException (org.apache.nifi.registry.web.security.authentication.exception.UntrustedProxyException)2
HttpServletRequest (javax.servlet.http.HttpServletRequest)1
HttpServletResponse (javax.servlet.http.HttpServletResponse)1
AuthenticationRequest (org.apache.nifi.registry.security.authentication.AuthenticationRequest)1
AccessDeniedException (org.apache.nifi.registry.security.authorization.exception.AccessDeniedException)1
NiFiUser (org.apache.nifi.registry.security.authorization.user.NiFiUser)1
NiFiUserDetails (org.apache.nifi.registry.security.authorization.user.NiFiUserDetails)1
StandardNiFiUser (org.apache.nifi.registry.security.authorization.user.StandardNiFiUser)1
AuthenticationSuccessToken (org.apache.nifi.registry.web.security.authentication.AuthenticationSuccessToken)1
AuthenticationException (org.springframework.security.core.AuthenticationException)1
AuthenticationEntryPoint (org.springframework.security.web.AuthenticationEntryPoint)1
