Posted to dev@lucene.apache.org by "Hoss Man (JIRA)" <ji...@apache.org> on 2015/12/12 00:43:46 UTC

[jira] [Created] (SOLR-8408) Basic Auth Plugin doesn't require any credentials, doesn't enforce authentication

Hoss Man created SOLR-8408:
------------------------------

             Summary: Basic Auth Plugin doesn't require any credentials, doesn't enforce authentication
                 Key: SOLR-8408
                 URL: https://issues.apache.org/jira/browse/SOLR-8408
             Project: Solr
          Issue Type: Bug
            Reporter: Hoss Man


as noted on solr-user by Kristine Jetzke, and trivial to reproduce...

{noformat}
# interactively launch solr cloud
$ bin/solr -e cloud
#       ... for simplicity of test, pick a single node, 1 shard, 1 replica
# now upload security.json from wiki page...
# https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin
$ server/scripts/cloud-scripts/zkcli.sh -zkhost localhost:9983 -cmd put /security.json '{
"authentication":{
   "class":"solr.BasicAuthPlugin",
   "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
},
"authorization":{
   "class":"solr.RuleBasedAuthorizationPlugin",
   "permissions":[{"name":"security-edit",
      "role":"admin"}],
   "user-role":{"solr":"admin"}
}}'
# now stop & restart the single node we are using...
$ bin/solr stop -all
$ bin/solr restart -c -p 8983 -s example/cloud/node1/solr
# valid credentials are accepted...
$ curl -u 'solr:SolrRocks' 'http://localhost:8983/solr/gettingstarted/select?q=*%3A*&wt=json&indent=true'
{
  "responseHeader":{
    "status":0,
    "QTime":0,
    "params":{
      "q":"*:*",
      "indent":"true",
      "wt":"json"}},
  "response":{"numFound":0,"start":0,"docs":[]
  }}
# invalid credentials are denied...
$ curl -u 'solr:SolrBogus' 'http://localhost:8983/solr/gettingstarted/select?q=*%3A*&wt=json&indent=true' 
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Error 401 Bad credentials</title>
</head>
<body><h2>HTTP ERROR 401</h2>
<p>Problem accessing /solr/gettingstarted/select. Reason:
<pre>    Bad credentials</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/>

</body>
</html>
# requests w/o credentials are accepted even though they should be denied...
$ curl 'http://localhost:8983/solr/gettingstarted/select?q=*%3A*&wt=json&indent=true'
{
  "responseHeader":{
    "status":0,
    "QTime":0,
    "params":{
      "q":"*:*",
      "indent":"true",
      "wt":"json"}},
  "response":{"numFound":0,"start":0,"docs":[]
  }}
{noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
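The three curl probes in the report (valid credentials, bad credentials, no credentials) reduce to one question: what does the authentication check return when the Authorization header is absent? The following is an added model of that decision, written here for this page; it is not code from the issue, from Solr, or from the reporter. The credential store format "<base64 hash> <base64 salt>" with hash = sha256(sha256(salt || password)) is an assumption about how Solr's salted hash is built, the hash value quoted in the report is not recomputed, and the user/password pair and salt in the sample store are constructed for the example. The fail-open checker reproduces the reported behaviour; the strict checker is the behaviour the report says is expected.

```python
"""Model of the SOLR-8408 failure mode: a Basic Auth check that verifies
credentials when present but lets a request with no Authorization header
through (fail open), beside the hardened variant that rejects it.

Assumptions (not taken from the issue text):
- stored credential = "<base64 hash> <base64 salt>",
  hash = sha256(sha256(salt || password)); this is how Solr's salted hash is
  assumed to work, but the hash quoted in the report is not recomputed here.
- the CREDENTIALS store below is constructed for this example.
"""
import base64
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple


def make_credential(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a stored credential string for `password` (random salt by default)."""
    salt = os.urandom(32) if salt is None else salt
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    outer = hashlib.sha256(inner).digest()
    return f"{base64.b64encode(outer).decode()} {base64.b64encode(salt).decode()}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute the salted hash and compare in constant time."""
    hash_b64, salt_b64 = stored.split(" ", 1)
    salt = base64.b64decode(salt_b64)
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    outer = hashlib.sha256(inner).digest()
    return hmac.compare_digest(base64.b64decode(hash_b64), outer)


def parse_basic_header(value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an RFC 7617 header, or None if absent/malformed."""
    if value is None:
        return None
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def authenticate_fail_open(credentials: Dict[str, str], headers: Dict[str, str]) -> int:
    """Reported behaviour: missing header is treated as acceptable."""
    parsed = parse_basic_header(headers.get("Authorization"))
    if parsed is None:
        return 200  # the bug: anonymous request passes straight through
    user, password = parsed
    stored = credentials.get(user)
    if stored is None or not verify_password(stored, password):
        return 401
    return 200


def authenticate_strict(credentials: Dict[str, str], headers: Dict[str, str]) -> int:
    """Expected behaviour: no credentials means no access."""
    parsed = parse_basic_header(headers.get("Authorization"))
    if parsed is None:
        return 401  # absent or malformed header is a denial, not a pass
    user, password = parsed
    stored = credentials.get(user)
    if stored is None or not verify_password(stored, password):
        return 401
    return 200


# Constructed store for the example; the salt is fixed so the output is repeatable.
CREDENTIALS: Dict[str, str] = {"solr": make_credential("SolrRocks", salt=b"\x00" * 32)}


def basic_header(user: str, password: str) -> str:
    """Build the header curl -u sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode()


def probe(authenticate: Callable[[Dict[str, str], Dict[str, str]], int],
          credentials: Dict[str, str] = CREDENTIALS) -> Dict[str, int]:
    """Replay the report's three requests against a checker; returns HTTP status per case."""
    cases = {
        "valid": {"Authorization": basic_header("solr", "SolrRocks")},
        "bogus": {"Authorization": basic_header("solr", "SolrBogus")},
        "none": {},  # the request with no -u at all
    }
    return {name: authenticate(credentials, hdrs) for name, hdrs in cases.items()}


if __name__ == "__main__":
    print("fail-open:", probe(authenticate_fail_open))  # 'none' -> 200
    print("strict:   ", probe(authenticate_strict))     # 'none' -> 401
```

The only line that differs between the two checkers is the branch taken when `parse_basic_header` returns None; everything else (hash verification, wrong-password rejection) is identical, which is exactly why the report's valid and bogus probes pass while the unauthenticated one does not. When auditing an authentication plugin, test the no-header and malformed-header cases explicitly rather than only the wrong-password case.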
