Posted to commits@lucene.apache.org by ja...@apache.org on 2019/01/07 12:15:20 UTC

lucene-solr:branch_8x: SOLR-7896: Avoid browser basicAuth dialogue when blockUnknown=false. Always show Dashboard menu. Clarify refGuide

Repository: lucene-solr
Updated Branches:
  refs/heads/branch_8x 2bd6f246b -> 6db1f4eb7


SOLR-7896: Avoid browser basicAuth dialog when blockUnknown=false. Always show Dashboard menu. Clarify refGuide

(cherry picked from commit 0b6ea3f1087c2d981052880dbdd54a0eec08bff5)


Project: http://git-wip-us.apache.org/repos/asf/lucene-solr/repo
Commit: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/6db1f4eb
Tree: http://git-wip-us.apache.org/repos/asf/lucene-solr/tree/6db1f4eb
Diff: http://git-wip-us.apache.org/repos/asf/lucene-solr/diff/6db1f4eb

Branch: refs/heads/branch_8x
Commit: 6db1f4eb733d91cbac2ca22ee5c4a58e15e88d2c
Parents: 2bd6f24
Author: Jan Høydahl <ja...@apache.org>
Authored: Mon Jan 7 13:02:44 2019 +0100
Committer: Jan Høydahl <ja...@apache.org>
Committed: Mon Jan 7 13:14:53 2019 +0100

----------------------------------------------------------------------
 .../apache/solr/security/BasicAuthPlugin.java   | 33 ++++++++++++--------
 ...uthentication-and-authorization-plugins.adoc |  2 +-
 solr/webapp/web/index.html                      |  4 +--
 3 files changed, 23 insertions(+), 16 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6db1f4eb/solr/core/src/java/org/apache/solr/security/BasicAuthPlugin.java
----------------------------------------------------------------------
diff --git a/solr/core/src/java/org/apache/solr/security/BasicAuthPlugin.java b/solr/core/src/java/org/apache/solr/security/BasicAuthPlugin.java
index 72afb95..f8ee989 100644
--- a/solr/core/src/java/org/apache/solr/security/BasicAuthPlugin.java
+++ b/solr/core/src/java/org/apache/solr/security/BasicAuthPlugin.java
@@ -29,6 +29,7 @@ import java.io.UnsupportedEncodingException;
 import java.lang.invoke.MethodHandles;
 import java.nio.charset.StandardCharsets;
 import java.security.Principal;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
@@ -118,18 +119,7 @@ public class BasicAuthPlugin extends AuthenticationPlugin implements ConfigEdita
   }
 
   private void authenticationFailure(HttpServletResponse response, boolean isAjaxRequest, String message) throws IOException {
-    for (Map.Entry<String, String> entry : authenticationProvider.getPromptHeaders().entrySet()) {
-      String value = entry.getValue();
-      // Prevent browser from intercepting basic authentication header when reqeust from Admin UI
-      if (isAjaxRequest && HttpHeaders.WWW_AUTHENTICATE.equalsIgnoreCase(entry.getKey()) && value != null) {
-        if (value.startsWith("Basic ")) {
-          value = "x" + value;
-          log.debug("Prefixing {} header for Basic Auth with 'x' to prevent browser basic auth popup", 
-              HttpHeaders.WWW_AUTHENTICATE);
-        }
-      }
-      response.setHeader(entry.getKey(), value);
-    }
+    getPromptHeaders(isAjaxRequest).forEach(response::setHeader);
     response.sendError(401, message);
   }
 
@@ -195,12 +185,29 @@ public class BasicAuthPlugin extends AuthenticationPlugin implements ConfigEdita
       return false;
     } else {
       numPassThrough.inc();
-      request.setAttribute(AuthenticationPlugin.class.getName(), authenticationProvider.getPromptHeaders());
+      request.setAttribute(AuthenticationPlugin.class.getName(), getPromptHeaders(isAjaxRequest));
       filterChain.doFilter(request, response);
       return true;
     }
   }
 
+  /**
+   * Get the prompt headers, and replace Basic with xBasic if ajax request to avoid
+   * browser intercepting the authentication
+   * @param isAjaxRequest set to true if the request is an ajax request
+   * @return map of headers
+   */
+  private Map<String, String> getPromptHeaders(boolean isAjaxRequest) {
+    Map<String,String> headers = new HashMap(authenticationProvider.getPromptHeaders());
+    if (isAjaxRequest && headers.containsKey(HttpHeaders.WWW_AUTHENTICATE) 
+        && headers.get(HttpHeaders.WWW_AUTHENTICATE).startsWith("Basic ")) {
+      headers.put(HttpHeaders.WWW_AUTHENTICATE, "x" + headers.get(HttpHeaders.WWW_AUTHENTICATE));
+      log.debug("Prefixing {} header for Basic Auth with 'x' to prevent browser basic auth popup",
+          HttpHeaders.WWW_AUTHENTICATE);
+    }
+    return headers;
+  }
+
   @Override
   public void close() throws IOException {
 
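Review bot: The new getPromptHeaders drops two guards that the removed loop in authenticationFailure (the previous hunk) had: the WWW-Authenticate key is now matched case-sensitively via containsKey instead of equalsIgnoreCase, and the value is no longer null-checked, so a provider that maps the header to null fails with a NullPointerException on the startsWith call, while a differently-cased key silently skips the "x" prefix and the browser dialog the commit is meant to suppress comes back. `new HashMap(authenticationProvider.getPromptHeaders())` is also a raw type and should be `new HashMap<>(...)`. Iterating the copied entries restores both guards, and because the same map is now stored as the request attribute at the top of this hunk, that path is fixed as well. Whether getPromptHeaders() itself can return null is not visible here; if it can, the copy constructor would throw and a guard would be needed there too.
```java
  private Map<String, String> getPromptHeaders(boolean isAjaxRequest) {
    Map<String, String> headers = new HashMap<>(authenticationProvider.getPromptHeaders());
    if (isAjaxRequest) {
      for (Map.Entry<String, String> entry : headers.entrySet()) {
        String value = entry.getValue();
        // Match the header name case-insensitively and tolerate a null value,
        // as the loop previously in authenticationFailure did
        if (HttpHeaders.WWW_AUTHENTICATE.equalsIgnoreCase(entry.getKey())
            && value != null && value.startsWith("Basic ")) {
          entry.setValue("x" + value);
          log.debug("Prefixing {} header for Basic Auth with 'x' to prevent browser basic auth popup",
              HttpHeaders.WWW_AUTHENTICATE);
        }
      }
    }
    return headers;
  }
```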

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6db1f4eb/solr/solr-ref-guide/src/authentication-and-authorization-plugins.adoc
----------------------------------------------------------------------
diff --git a/solr/solr-ref-guide/src/authentication-and-authorization-plugins.adoc b/solr/solr-ref-guide/src/authentication-and-authorization-plugins.adoc
index 89b027f..3ed3951 100644
--- a/solr/solr-ref-guide/src/authentication-and-authorization-plugins.adoc
+++ b/solr/solr-ref-guide/src/authentication-and-authorization-plugins.adoc
@@ -165,7 +165,7 @@ When authentication is required the Admin UI will presented you with a login dia
 
 * `BasicAuthPlugin`
  
-If your plugin of choice is not supported, you will have to interact with Solr sending HTTP requests instead of through the graphical user interface of the Admin UI. All operations supported by Admin UI can be performed through Solr's RESTful APIs.
+If your plugin of choice is not supported, the Admin UI will still let you perform unrestricted operations, while for restricted operations you will need to interact with Solr by sending HTTP requests instead of through the graphical user interface of the Admin UI. All operations supported by Admin UI can be performed through Solr's RESTful APIs.
 
 == Securing Inter-Node Requests
 

http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/6db1f4eb/solr/webapp/web/index.html
----------------------------------------------------------------------
diff --git a/solr/webapp/web/index.html b/solr/webapp/web/index.html
index 23b9dbd..6987af7 100644
--- a/solr/webapp/web/index.html
+++ b/solr/webapp/web/index.html
@@ -144,9 +144,9 @@ limitations under the License.
           <ul id="menu">
             <li id="login" class="global" ng-class="{active:page=='login'}" ng-show="http401 || currentUser"><p><a href="#/login">{{http401 ? "Login" : "Logout " + currentUser}}</a></p></li>
             
-            <div ng-show="!http401">
-              <li id="index" class="global" ng-class="{active:page=='index'}"><p><a href="#/">Dashboard</a></p></li>
+            <li id="index" class="global" ng-class="{active:page=='index'}"><p><a href="#/">Dashboard</a></p></li>
   
+            <div ng-show="!http401">
               <li id="logging" class="global" ng-class="{active:page=='logging'}"><p><a href="#/~logging">Logging</a></p>
                 <ul ng-show="showingLogging">
                   <li class="level" ng-class="{active:page=='logging-levels'}"><a href="#/~logging/level">Level</a></li>
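Review bot: The re-added `<div ng-show="!http401">` wrapper is still a direct child of `<ul id="menu">`, which is not valid HTML (a `ul` may only contain `li` children); browsers tolerate it, but the Dashboard entry had to be hoisted out of the wrapper precisely because of that structure. Placing `ng-show="!http401"` on each restricted `li` instead, e.g. `<li id="logging" class="global" ng-show="!http401" ng-class="{active:page=='logging'}">`, would keep the menu a valid list and make the per-entry visibility rule explicit. The wrapper `div` and the `ul` appear to close outside the hunk.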