exceptionfactory opened a new pull request #5417: URL: https://github.com/apache/nifi/pull/5417
#### Description of PR NIFI-9241 Refactors the [Cross Site Request Forgery](https://owasp.org/www-community/attacks/csrf) mitigation strategy to use a random token cookie with a custom HTTP request header to implement the [Double Submit Cookie](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie) pattern. The implementation leverages standard Spring Security CSRF filtering with a custom CSRF Token Repository. This approach replaces the current strategy based on comparing the `Authorization` header with the JSON Web Token provided in a cookie header. The new strategy sets a random token in a cookie named `__Secure-Request-Token` and expects browser clients to send the value in a custom HTTP Header named `Request-Token`. This strategy applies to both Token-based and Certificate-based authentication, removing the need for a custom Cross Origin Request Filter configuration implemented for NIFI-5595 in #3024. As a result of removing the CORS Filter, the HTTP `OPTIONS` method is now unnecessary and disallowed. These changes also remove the need for storing the NiFi JSON Web Token in sessionStorage. Instead of storing the token, the browser client stores the session expiration time in seconds, parsed from the `exp` claim of the JSON Web Token. This approach maintains support for indicating login status based on the presence of a token in sessionStorage, while eliminating the need to store the entire token. With Token-based authentication supported through a cookie, multiple browser tabs can be opened for an authentication session. Additional changes include refactoring Request URI construction using a new class named `RequestUriBuilder`. This class supports building a URI based on request information and optional proxy headers. `RequestUriBuilder` provides consistent URI construction and path resolution for both REST Resource classes as well as cookie paths. In order to streamline the review of the contribution we ask you to ensure the following steps have been taken: ### For all changes: - [X] Is there a JIRA ticket associated with this PR? Is it referenced in the commit message? - [X] Does your PR title start with **NIFI-XXXX** where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character. - [X] Has your PR been rebased against the latest commit within the target branch (typically `main`)? - [X] Is your initial contribution a single, squashed commit? _Additional commits in response to PR reviewer feedback should be made on this branch and pushed to allow change tracking. Do not `squash` or use `--force` when pushing to allow for clean monitoring of changes._ ### For code changes: - [X] Have you ensured that the full suite of tests is executed via `mvn -Pcontrib-check clean install` at the root `nifi` folder? - [X] Have you written or updated unit tests to verify your changes? - [X] Have you verified that the full build is successful on JDK 8? - [X] Have you verified that the full build is successful on JDK 11? - [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)? - [ ] If applicable, have you updated the `LICENSE` file, including the main `LICENSE` file under `nifi-assembly`? - [ ] If applicable, have you updated the `NOTICE` file, including the main `NOTICE` file found under `nifi-assembly`? - [ ] If adding new Properties, have you added `.displayName` in addition to .name (programmatic access) for each of the new properties? ### For documentation related changes: - [ ] Have you ensured that format looks appropriate for the output in which it is rendered? ### Note: Please ensure that once the PR is submitted, you check GitHub Actions CI for build issues and submit an update to your PR as soon as possible. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
