[NIFI-7870] Fix anonymous access control for advanced UI resources - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 1.12.0, 1.12.1
Fix Version/s: 1.14.0
Component/s: Core UI
Labels:
- UI
- content-type
- header
- security

Description

The X-Content-Type header was added in NiFi 1.12.0, which blocks resources in the browser if they do not have the content type added. It appears that some 'advanced UI' resources do not have the content type applied to their resources and are blocked from loading.

On further inspection, it appears that explicitly disallowing anonymous access has resulted in some static resources in the NiFi advanced UI's WAR checking whether the anonymous user should be able to access them. The anonymous access was intended to be used on the NiFi API endpoints, and not static resources.

Attachments

Issue Links

causes

NIFI-8510 CSRF filter blocking requests that contain unrelated cookies

Resolved

fixes

NIFI-7849 UpdateAttribute Advanced Configuration fails to render with authentication

Resolved

NIFI-8675 Update attribute advanced not working

Resolved

is caused by

NIFI-7170 Restrict anonymous authentication to require explicit override in nifi.properties

Resolved

relates to

NIFI-7849 UpdateAttribute Advanced Configuration fails to render with authentication

Resolved

NIFI-10871 Intermittent CSRF HTTP 403 in Clustered Deployments

Resolved

NIFI-8931 Remove One-time Password Authentication

Resolved

links to

GitHub Pull Request #4659

GitHub Pull Request #4988

(2 relates to, 2 links to)

Activity

People

Assignee:: Nathan Gough

Reporter:: Nathan Gough

Votes:: 4 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 01/Oct/20 14:59

Updated:: 23/Nov/22 21:17

Resolved:: 01/May/21 03:33

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

5.5h