Posted to dev@lucene.apache.org by "Noble Paul (JIRA)" <ji...@apache.org> on 2015/12/12 01:48:46 UTC

[jira] [Commented] (SOLR-8408) Basic Auth Plugin doesn't require any credentials, doesn't enforce authentication

    [ https://issues.apache.org/jira/browse/SOLR-8408?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15053866#comment-15053866 ] 

Noble Paul commented on SOLR-8408:
----------------------------------

It works as designed.

In this case {{/select}} is not protected. So an unauthenticated request must be able to access the {{/select}} path. The authentication layer has no idea whether it is a protected resource or not. So, when no credentials headers are sent, it sets the user principal as null and lets the request go through. Whereas in the case of wrong credentials, the choices are 1) fail the request or 2) forward the request as if the principal is null. #2 would be a bad user experience because the Authorization layer would say the principal is null (unauthenticated) and the user would not know that the credentials were wrong.


> Basic Auth Plugin doesn't require any credentials, doesn't enforce authentication
> ---------------------------------------------------------------------------------
>
>                 Key: SOLR-8408
>                 URL: https://issues.apache.org/jira/browse/SOLR-8408
>             Project: Solr
>          Issue Type: Bug
>            Reporter: Hoss Man
>         Attachments: SOLR-8408.patch
>
>
> as noted on solr-user by Kristine Jetzke, and trivially to reproduce...
> {noformat}
> # interactively launch solr cloud
> $ bin/solr -e cloud
> #       ... for simplicity of test, pick a single node, 1 shard, 1 replica
> # now upload security.json from wiki page...
> # https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin
> $ server/scripts/cloud-scripts/zkcli.sh -zkhost localhost:9983 -cmd put /security.json '{
> "authentication":{
>    "class":"solr.BasicAuthPlugin",
>    "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
> },
> "authorization":{
>    "class":"solr.RuleBasedAuthorizationPlugin",
>    "permissions":[{"name":"security-edit",
>       "role":"admin"}],
>    "user-role":{"solr":"admin"}
> }}'
> # now stop & restart the single node we are using...
> $ bin/solr stop -all
> $ bin/solr restart -c -p 8983 -s example/cloud/node1/solr
> # valid credentials are accepted...
> $ curl -u 'solr:SolrRocks' 'http://localhost:8983/solr/gettingstarted/select?q=*%3A*&wt=json&indent=true'
> {
>   "responseHeader":{
>     "status":0,
>     "QTime":0,
>     "params":{
>       "q":"*:*",
>       "indent":"true",
>       "wt":"json"}},
>   "response":{"numFound":0,"start":0,"docs":[]
>   }}
> # invalid credentials are denied...
> $ curl -u 'solr:SolrBogus' 'http://localhost:8983/solr/gettingstarted/select?q=*%3A*&wt=json&indent=true' 
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
> <title>Error 401 Bad credentials</title>
> </head>
> <body><h2>HTTP ERROR 401</h2>
> <p>Problem accessing /solr/gettingstarted/select. Reason:
> <pre>    Bad credentials</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/>
> </body>
> </html>
> # requests w/o credentials are accepted even though they should be denied...
> $ curl 'http://localhost:8983/solr/gettingstarted/select?q=*%3A*&wt=json&indent=true'
> {
>   "responseHeader":{
>     "status":0,
>     "QTime":0,
>     "params":{
>       "q":"*:*",
>       "indent":"true",
>       "wt":"json"}},
>   "response":{"numFound":0,"start":0,"docs":[]
>   }}
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
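The two-layer behaviour the comment describes (the authentication layer lets a request with no credentials through with a null principal and rejects wrong credentials outright; the authorization layer then decides per path whether a null principal is acceptable) modelled end to end. This is an added Python example, not Solr's code: the stored-credential format is a simplified salted SHA-256 stand-in, the permission map mirrors only the shape of the issue's security.json, and the `reject_unauthenticated` toggle is a constructed switch illustrating the behaviour the reporter expected, not a Solr setting.

```python
import base64
import hashlib
import hmac

# ---- Constructed credential store -------------------------------------------
# Stored value is "base64(sha256(salt + password)) base64(salt)". This is a
# simplified stand-in chosen so the example runs offline; it is not the exact
# scheme the real BasicAuthPlugin uses.
def make_credential(password: str, salt: bytes) -> str:
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode() + " " + base64.b64encode(salt).decode()

def check_credential(stored: str, password: str) -> bool:
    digest_b64, salt_b64 = stored.split(" ")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(expected, actual)  # constant-time comparison

USERS = {"solr": make_credential("SolrRocks", salt=b"constructed-fixed-salt")}

# Constructed rule set: only one path requires a role (standing in for the
# "security-edit" permission); every other path is unprotected.
PERMISSIONS = {"/admin/authentication": "admin"}
USER_ROLES = {"solr": ["admin"]}

def basic_auth_header(user: str, password: str) -> dict:
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode()
    return {"Authorization": "Basic " + token}

# ---- Authentication layer ----------------------------------------------------
# Returns (status, principal). No Authorization header at all yields ("ok", None):
# this layer does not know whether the path is protected, so it defers that
# decision to the authorization layer. Wrong credentials fail immediately.
def authenticate(headers: dict):
    header = headers.get("Authorization")
    if header is None:
        return "ok", None
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return "bad-credentials", None
    try:
        user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return "bad-credentials", None
    stored = USERS.get(user)
    if stored is None or not check_credential(stored, password):
        return "bad-credentials", None
    return "ok", user

# ---- Authorization layer -----------------------------------------------------
def authorize(path: str, principal, reject_unauthenticated: bool = False) -> bool:
    # reject_unauthenticated is a constructed toggle modelling "deny every
    # anonymous request"; it is not a Solr configuration option.
    if principal is None and reject_unauthenticated:
        return False
    required_role = PERMISSIONS.get(path)
    if required_role is None:
        return True  # unprotected path: anonymous and authenticated alike
    return required_role in USER_ROLES.get(principal, [])

def handle(path: str, headers: dict, reject_unauthenticated: bool = False):
    """Run one request through both layers; returns (http_status, body)."""
    status, principal = authenticate(headers)
    if status == "bad-credentials":
        return 401, "Bad credentials"  # wrong credentials fail loudly
    if not authorize(path, principal, reject_unauthenticated):
        return (401 if principal is None else 403), "Unauthorized"
    return 200, f"ok (principal={principal})"

if __name__ == "__main__":
    cases = [
        ("/select", {}),
        ("/select", basic_auth_header("solr", "SolrRocks")),
        ("/select", basic_auth_header("solr", "SolrBogus")),
        ("/admin/authentication", {}),
        ("/admin/authentication", basic_auth_header("solr", "SolrRocks")),
    ]
    for path, hdrs in cases:
        print(path, hdrs.get("Authorization", "<no header>"), "->", handle(path, hdrs))
```

Running it reproduces the three observations in the issue for `/select` (anonymous accepted, valid credentials accepted, wrong credentials rejected with 401) and shows that the same anonymous request is rejected on the one protected path, which is where the design places the enforcement. Flipping `reject_unauthenticated=True` shows the alternative in which every unauthenticated request is refused regardless of path.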
