SupportKB
How does NiFi use cookies? Does NiFi use HttpSession(s)? How are they secured and encrypted?
- NiFi is a stateless web application. Hence, it does not have the concept of sessions. Therefore, there are no session IDs and no cookies.
- Rather, NiFi uses an encrypted token which is provided to the client's local storage and is used to authenticate incoming requests.
- JWT (encrypted per user with a unique key):
- Serves as authentication token after initial authentication process (LDAP, Kerberos).
- Expires based on configuration in LIP for LDAP / Kerberos form login (proxy ticket acquisition).
- Expires based on nifi.kerberos.spnego.authentication.expiration for Kerberos SPNEGO
- An OTP for content download / custom UI view is provided if user is authenticated and uses a HMAC/SHA-256 based hash of a random value
- Because they are transmitted in plaintext in request URI, no reuse.
- User "logged in" is invalidated due to inactivity when the JWT expires.
- Password strength and rotation policies should be enforced by user management tools (LDAP/AD, etc.). NiFi does not handle user credential management, and integrates with external tools to provide these services.
- All presentation layer code has escape logic for preventing XSS
- Server-side escaping for JSP presentation.
- Client-side escaping for filtering user-provided data.
About:
This article created by Hortonworks Support (Article: 000006049) on 2017-07-24 15:31
OS: Linux
Type: Cluster_Administration
Version: n/a
Support ID: 000006049
