org.apache.nifi.web.security.x509

Class X509AuthenticationFilter

java.lang.Object

org.springframework.web.filter.GenericFilterBean

org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter

org.apache.nifi.web.security.x509.X509AuthenticationFilter

All Implemented Interfaces:

javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.EnvironmentAware, org.springframework.web.context.ServletContextAware

public class X509AuthenticationFilter
extends org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter

Custom X509 filter that will inspect the HTTP headers for a proxied user before extracting the user details from the client certificate.

Field Summary

Fields

Modifier and Type	Field and Description
private X509CertificateExtractor	certificateExtractor
private OcspCertificateValidator	certificateValidator
private org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor	principalExtractor
private NiFiProperties	properties
static String	PROXY_ENTITIES_ACCEPTED
static String	PROXY_ENTITIES_CHAIN
static String	PROXY_ENTITIES_DETAILS
private UserService	userService

Fields inherited from class org.springframework.web.filter.GenericFilterBean

logger

Constructor Summary

Constructors

Constructor and Description
X509AuthenticationFilter()

Method Summary

Methods

Modifier and Type	Method and Description
void	doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) Override doFilter in order to properly handle when users could not be authenticated.
protected Object	getPreAuthenticatedCredentials(javax.servlet.http.HttpServletRequest request)
protected Object	getPreAuthenticatedPrincipal(javax.servlet.http.HttpServletRequest request)
private void	handleMissingCertificate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Handles requests that failed because they were bad input.
private void	handleUnsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException ae) Handles requests that were unable to be authorized.
private void	handleUserServiceError(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, int responseCode, String message) Handles requests that failed because of a user service error.
private boolean	isNewAccountRequest(javax.servlet.http.HttpServletRequest request) Determines if the specified request is attempting to register a new user account.
void	setCertificateValidator(OcspCertificateValidator certificateValidator)
void	setProperties(NiFiProperties properties)
void	setUserService(UserService userService)
protected void	successfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.Authentication authResult) Sets the response headers for successful proxied requests.
protected void	unsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException failed) Sets the response headers for unsuccessful proxied requests.

Methods inherited from class org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter

afterPropertiesSet, getAuthenticationDetailsSource, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationManager, setCheckForPrincipalChanges, setContinueFilterChainOnUnsuccessfulAuthentication, setInvalidateSessionOnPrincipalChange

Methods inherited from class org.springframework.web.filter.GenericFilterBean

addRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

PROXY_ENTITIES_CHAIN

public static final String PROXY_ENTITIES_CHAIN

See Also:

Constant Field Values

PROXY_ENTITIES_ACCEPTED

public static final String PROXY_ENTITIES_ACCEPTED

See Also:

Constant Field Values

PROXY_ENTITIES_DETAILS

public static final String PROXY_ENTITIES_DETAILS

See Also:

Constant Field Values

certificateExtractor

private final X509CertificateExtractor certificateExtractor

principalExtractor

private final org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor principalExtractor

certificateValidator

private OcspCertificateValidator certificateValidator

properties

private NiFiProperties properties

userService

private UserService userService

Constructor Detail

X509AuthenticationFilter

public X509AuthenticationFilter()

Method Detail

doFilter

public void doFilter(javax.servlet.ServletRequest request,
            javax.servlet.ServletResponse response,
            javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException

Override doFilter in order to properly handle when users could not be authenticated.

Specified by:

doFilter in interface javax.servlet.Filter

Overrides:

doFilter in class org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter

Parameters:

request -

response -

chain -

Throws:

IOException

javax.servlet.ServletException

getPreAuthenticatedPrincipal

protected Object getPreAuthenticatedPrincipal(javax.servlet.http.HttpServletRequest request)

Specified by:

getPreAuthenticatedPrincipal in class org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter

getPreAuthenticatedCredentials

protected Object getPreAuthenticatedCredentials(javax.servlet.http.HttpServletRequest request)

Specified by:

getPreAuthenticatedCredentials in class org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter

successfulAuthentication

protected void successfulAuthentication(javax.servlet.http.HttpServletRequest request,
                            javax.servlet.http.HttpServletResponse response,
                            org.springframework.security.core.Authentication authResult)

Sets the response headers for successful proxied requests.

Overrides:

successfulAuthentication in class org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter

Parameters:

request -

response -

authResult -

unsuccessfulAuthentication

protected void unsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request,
                              javax.servlet.http.HttpServletResponse response,
                              org.springframework.security.core.AuthenticationException failed)

Sets the response headers for unsuccessful proxied requests.

Overrides:

unsuccessfulAuthentication in class org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter

Parameters:

request -

response -

failed -

isNewAccountRequest

private boolean isNewAccountRequest(javax.servlet.http.HttpServletRequest request)

Determines if the specified request is attempting to register a new user account.

Parameters:

request -

Returns:

handleUnsuccessfulAuthentication

private void handleUnsuccessfulAuthentication(javax.servlet.http.HttpServletRequest request,
                                    javax.servlet.http.HttpServletResponse response,
                                    org.springframework.security.core.AuthenticationException ae)
                                       throws IOException

Handles requests that were unable to be authorized.

Parameters:

request -

response -

ae -

Throws:

IOException

handleUserServiceError

private void handleUserServiceError(javax.servlet.http.HttpServletRequest request,
                          javax.servlet.http.HttpServletResponse response,
                          int responseCode,
                          String message)
                             throws IOException

Handles requests that failed because of a user service error.

Parameters:

request -

response -

e -

Throws:

IOException

handleMissingCertificate

private void handleMissingCertificate(javax.servlet.http.HttpServletRequest request,
                            javax.servlet.http.HttpServletResponse response)
                               throws IOException

Handles requests that failed because they were bad input.

Parameters:

request -

response -

Throws:

IOException

setProperties

public void setProperties(NiFiProperties properties)

setUserService

public void setUserService(UserService userService)

setCertificateValidator

public void setCertificateValidator(OcspCertificateValidator certificateValidator)