question Re: When using the InvokeHTTP processor it uses basic authentication but why is the password still shown in clear text? in Archives of Support Questions (Read Only)

When using the InvokeHTTP processor it uses basic authentication but why is the password still shown in clear text?

bbukacek — Thu, 08 Oct 2015 22:54:01 GMT

Re: When using the InvokeHTTP processor it uses basic authentication but why is the password still shown in clear text?

andrewg — Fri, 09 Oct 2015 02:00:46 GMT

I think it's an omission. It was mentioned already before here in a context of digest authentication support https://issues.apache.org/jira/browse/NIFI-980?focusedCommentId=14940725&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14940725

Perhaps it makes sense to create a top-level jira for marking the property sensitive or convert to a subtask?

Re: When using the InvokeHTTP processor it uses basic authentication but why is the password still shown in clear text?

jpercivall — Fri, 09 Oct 2015 02:07:06 GMT

I made another Jira ticket[1] to knock it out real quick. The digest auth ticket will take a bit longer since java's HttpUrlConnection digest Authentication is wacky.

Edit: Patch has been accepted and merged.

[1] https://issues.apache.org/jira/browse/NIFI-1030

Re: When using the InvokeHTTP processor it uses basic authentication but why is the password still shown in clear text?

skumpf — Fri, 09 Oct 2015 02:10:06 GMT

Can you elaborate? Do you see the actual password in the header or the Base64 encoded string? Basic Auth provides no security with regard to user/password. Base64 encoding is used to handle special characters that could invalidate the entire header.

Re: When using the InvokeHTTP processor it uses basic authentication but why is the password still shown in clear text?

andrewg — Fri, 09 Oct 2015 02:19:34 GMT

It was a field in the UI which wasn't flagged as sensitive (NiFi automatically encrypts such fields).

Re: When using the InvokeHTTP processor it uses basic authentication but why is the password still shown in clear text?

jpercivall — Fri, 09 Oct 2015 03:20:49 GMT

To elaborate a bit more, there is an InvokeHttp processor that is able to utilize basic authentication. In order to connect, the processor has a property called "Basic Authentication Password". The user of the UI has to input this when configuring the processor. Since it is a password it is considered a sensitive property and once set it won't be able to be seen in the UI and it is encrypted when in use. Also when exporting in a template the sensitive properties are not transferred.