/**
 * Returns the Knox cookie name reported by the backing {@code properties} object.
 *
 * <p>The value is passed through unchanged, so it is whatever
 * {@code properties.getKnoxCookieName()} yields; callers that use it to locate
 * or strip a cookie should handle a blank or {@code null} result themselves.
 *
 * @return the configured Knox cookie name, exactly as supplied by {@code properties}
 */
public String getKnoxCookieName() {
    final String knoxCookieName = properties.getKnoxCookieName();
    return knoxCookieName;
}
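/**
 * Rewrites the headers of a request that is about to be replicated on behalf of {@code user}.
 *
 * <p>The user is added as a proxied entity, and the end user's own credentials (the
 * authorization header and, when a Knox cookie name is configured, the Knox cookie) are
 * stripped so that they are not forwarded with the replicated request. The host header
 * is removed as well.
 *
 * <p>Header names are matched case-insensitively. Remaining cookies keep their original
 * order; duplicates and empty segments are dropped.
 *
 * @param headers mutable header map of the request being replicated; modified in place
 * @param user the user the request is replicated for
 * @throws AccessDeniedException if {@code user} is {@code null}
 */
void updateRequestHeaders(final Map<String, String> headers, final NiFiUser user) {
    if (user == null) {
        throw new AccessDeniedException("Unknown user");
    }

    // Add the user as a proxied entity so that when the receiving NiFi receives the request,
    // it knows that we are acting as a proxy on behalf of the current user.
    final String proxiedEntitiesChain = ProxiedEntitiesUtils.buildProxiedEntitiesChainString(user);
    headers.put(ProxiedEntitiesUtils.PROXY_ENTITIES_CHAIN, proxiedEntitiesChain);

    // Remove the access token if present, since the user is already authenticated; authorization
    // will happen when the request is replicated using the proxy chain above.
    // HTTP header names are case-insensitive and the key casing of this map is not established
    // here, so an exact-case remove could leave the bearer token in the replicated request.
    headers.keySet().removeIf(name -> name != null && name.equalsIgnoreCase(JwtAuthenticationFilter.AUTHORIZATION));

    // If a Knox SSO cookie name is set, remove that authentication cookie: the user is already
    // authenticated and is represented by the proxied entities chain above.
    final String knoxCookieName = nifiProperties.getKnoxCookieName();
    if (StringUtils.isNotBlank(knoxCookieName)) {
        final String knoxCookiePrefix = knoxCookieName + "=";

        // Snapshot the matching keys first so the map can be modified while they are processed.
        final String[] cookieHeaderNames = headers.keySet().stream()
                .filter(name -> "Cookie".equalsIgnoreCase(name))
                .toArray(String[]::new);

        for (final String cookieHeaderName : cookieHeaderNames) {
            final String rawCookies = headers.get(cookieHeaderName);
            if (rawCookies == null) {
                // nothing to filter; avoids a NullPointerException on a null header value
                continue;
            }

            // distinct() keeps the de-duplication the previous Set-based code had, while
            // preserving the order in which the client sent the cookies.
            final String remainingCookies = Stream.of(rawCookies.split(";"))
                    .map(String::trim)
                    .filter(cookie -> !cookie.isEmpty() && !cookie.startsWith(knoxCookiePrefix))
                    .distinct()
                    .collect(Collectors.joining("; "));

            if (remainingCookies.isEmpty()) {
                // the Knox token was the only cookie, so drop the header entirely
                headers.remove(cookieHeaderName);
            } else {
                // otherwise rebuild the cookies without the Knox token
                headers.put(cookieHeaderName, remainingCookies);
            }
        }
    }

    // remove the host header
    headers.keySet().removeIf(name -> "Host".equalsIgnoreCase(name));
}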
/**
 * Builds an authentication request from the Knox SSO cookie, if one applies to this request.
 *
 * <p>This method only extracts the raw JWT and wraps it together with the remote address;
 * no verification of the token is performed here.
 *
 * @param request the incoming servlet request
 * @return a {@code KnoxAuthenticationRequestToken} carrying the cookie's JWT and
 *         {@code request.getRemoteAddr()}, or {@code null} when the request is not secure,
 *         Knox SSO is not enabled, or {@code getJwtFromCookie} returns {@code null}
 *         (so that another authentication mechanism can be attempted)
 */
@Override
public Authentication attemptAuthentication(final HttpServletRequest request) {
    // Knox login is only supported when running securely.
    if (!request.isSecure()) {
        return null;
    }

    // Knox SSO support has to be switched on.
    final NiFiProperties props = getProperties();
    if (!props.isKnoxSsoEnabled()) {
        return null;
    }

    // Read the user token from the cookie named in the properties.
    final String jwt = getJwtFromCookie(request, props.getKnoxCookieName());

    // Without a cookie there is nothing to authenticate with here.
    return jwt == null ? null : new KnoxAuthenticationRequestToken(jwt, request.getRemoteAddr());
}
/**
 * Returns the Knox cookie name reported by the backing {@code properties} object.
 *
 * <p>No validation or defaulting is applied; the result is exactly what
 * {@code properties.getKnoxCookieName()} returns.
 *
 * @return the configured Knox cookie name, as supplied by {@code properties}
 */
public String getKnoxCookieName() {
    final String cookieName = properties.getKnoxCookieName();
    return cookieName;
}
/**
 * Attempts to create a Knox authentication request from the SSO cookie on {@code request}.
 *
 * <p>The JWT is taken from the cookie as-is and is not verified in this method.
 *
 * @param request the incoming servlet request
 * @return a {@code KnoxAuthenticationRequestToken} holding the JWT and the request's remote
 *         address, or {@code null} if the request is not secure, Knox SSO is disabled, or no
 *         JWT was obtained from the cookie
 */
@Override
public Authentication attemptAuthentication(final HttpServletRequest request) {
    Authentication authenticationRequest = null;

    // Knox login is only considered for secure requests.
    if (request.isSecure()) {
        final NiFiProperties configuration = getProperties();

        // Knox SSO support must be enabled before the cookie is inspected.
        if (configuration.isKnoxSsoEnabled()) {
            final String cookieJwt = getJwtFromCookie(request, configuration.getKnoxCookieName());

            // A missing cookie leaves the result null so another authentication can be attempted.
            if (cookieJwt != null) {
                authenticationRequest = new KnoxAuthenticationRequestToken(cookieJwt, request.getRemoteAddr());
            }
        }
    }

    return authenticationRequest;
}