thenatog commented on pull request #4659: URL: https://github.com/apache/nifi/pull/4659#issuecomment-729875887
I think the plan here was that, for the bundled advanced UIs, they could exist in this list and be granted anonymous access. For custom advanced UIs that the community may develop/use, they will need to be accessed anonymously by enabling the "nifi.security.allow.anonymous.authentication" property. This reduces the list maintenance requirement a little bit, but does not eliminate it. It's possible that the list could be cut down by my manually looking at the resources that need to be allowed, in the UI, to check what is not accessible and enabling only those. From memory it was at least a few CSS files that caused the bigger issues.

As far as wildcarding some of this, it was recommended to be explicit on the file name and not to use patterns. Maybe we can get @alopresto to chime in and see what he thinks of my approach to this PR.

Having said that, I do believe that moving towards using a cookie for storing the JWT in the browser may be a reasonable option. I've been researching the benefits vs risks, the details of which I'm still collating. It would eliminate a few parts of code that we've so far had to implement as a side effect of using an explicit authorization header.
