Posted to issues@lucene.apache.org by "Jan Høydahl (Jira)" <ji...@apache.org> on 2019/10/14 07:27:00 UTC

[jira] [Comment Edited] (SOLR-13835) HttpSolrCall produces incorrect extra AuditEvent on AuthorizationResponse.PROMPT

    [ https://issues.apache.org/jira/browse/SOLR-13835?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16950454#comment-16950454 ] 

Jan Høydahl edited comment on SOLR-13835 at 10/14/19 7:27 AM:
--------------------------------------------------------------

{quote}Jan: Maybe i'm missing something, but IIUC in the context of how simple those blocks were when the code was initially added, it was reasonable for the first block to fall through to the second
{quote}
It is not reasonable to execute logic in both those blocks, although before audit code it only had the consequence of double {{log.debug("USER_REQUIRED}} logging and wrong message text "Unauthorized request" in the response.


was (Author: janhoy):
{quote}Jan: Maybe i'm missing something, but IIUC in the context of how simple those blocks were when the code was initially added, it was reasonable for the first block to fall through to the second
{quote}
The logic was flawed originally since the code would return a 403 *instead* of a 401 due to the fall-through.

> HttpSolrCall produces incorrect extra AuditEvent on AuthorizationResponse.PROMPT
> --------------------------------------------------------------------------------
>
>                 Key: SOLR-13835
>                 URL: https://issues.apache.org/jira/browse/SOLR-13835
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authentication, Authorization
>            Reporter: Chris M. Hostetter
>            Assignee: Jan Høydahl
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> spinning this out of SOLR-13741...
> {quote}
> Wrt the REJECTED + UNAUTHORIZED events I see the same as you, and I believe there is a code bug, not a test bug. In HttpSolrCall#471 in the {{authorize()}} call, if authResponse == PROMPT, it will actually match both blocks and emit two audit events: [https://github.com/apache/lucene-solr/blob/26ede632e6259eb9d16861a3c0f782c9c8999762/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java#L475:L493] 
> {code:java}
> if (authResponse.statusCode == AuthorizationResponse.PROMPT.statusCode) {...}
> if (!(authResponse.statusCode == HttpStatus.SC_ACCEPTED) && !(authResponse.statusCode == HttpStatus.SC_OK)) {...}
> {code}
> When code==401, it is also true that code!=200. Intuitively there should be both a sendError and return RETURN before line #484 in the first if block?
> {quote}
> This causes any and all {{REJECTED}} AuditEvent messages to be accompanied by a corresponding {{UNAUTHORIZED}} AuditEvent.
> It's not yet clear if, from the perspective of the external client, there are any other bugs in behavior (TBD)
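
The fall-through the issue describes, as an added stand-alone illustration that is not Solr's code: a stub of the two consecutive "if" blocks in HttpSolrCall.authorize(), run once in the original shape and once with the early return Chris suggests. The AuthorizationResponse / HttpStatus stand-ins, the Trace class, the error message texts and the status code passed to the second sendError are assumptions made for the example; only the two conditions are taken from the quoted snippet.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Added illustration (not Solr's code): models the two consecutive "if" blocks
 * in HttpSolrCall.authorize() described in SOLR-13835 with minimal stubs, and
 * shows which audit events a 401 (PROMPT) produces with and without an early return.
 */
public class AuthorizeFallThrough {

    // Stand-ins for HttpStatus / AuthorizationResponse; only the status codes matter here.
    static final int SC_OK = 200, SC_ACCEPTED = 202, SC_UNAUTHORIZED = 401, SC_FORBIDDEN = 403;

    static final class AuthorizationResponse {
        final int statusCode;
        AuthorizationResponse(int statusCode) { this.statusCode = statusCode; }
        static final AuthorizationResponse OK = new AuthorizationResponse(SC_OK);
        static final AuthorizationResponse PROMPT = new AuthorizationResponse(SC_UNAUTHORIZED);
        static final AuthorizationResponse FORBIDDEN = new AuthorizationResponse(SC_FORBIDDEN);
    }

    enum Action { RETURN, CONTINUE }

    /** What one request observes: the audit events emitted and the last error written to the response. */
    static final class Trace {
        final List<String> auditEvents = new ArrayList<>();
        String lastError;  // a second sendError() call leaves its own message in place (assumed behaviour)
        void sendError(int code, String msg) { lastError = code + " " + msg; }
        @Override public String toString() { return auditEvents + " -> " + lastError; }
    }

    /** Shape of the original: the first block does not return, so a 401 also satisfies the second test. */
    static Action authorizeFallThrough(AuthorizationResponse authResponse, Trace t) {
        if (authResponse.statusCode == AuthorizationResponse.PROMPT.statusCode) {
            t.auditEvents.add("REJECTED");
            t.sendError(SC_UNAUTHORIZED, "Authentication required");   // message text assumed
            // no return here: execution continues into the next block
        }
        if (!(authResponse.statusCode == SC_ACCEPTED) && !(authResponse.statusCode == SC_OK)) {
            t.auditEvents.add("UNAUTHORIZED");
            t.sendError(authResponse.statusCode, "Unauthorized request");  // second event, second message
            return Action.RETURN;
        }
        return Action.CONTINUE;
    }

    /** The change suggested in the quoted text: sendError and return inside the first block. */
    static Action authorizeEarlyReturn(AuthorizationResponse authResponse, Trace t) {
        if (authResponse.statusCode == AuthorizationResponse.PROMPT.statusCode) {
            t.auditEvents.add("REJECTED");
            t.sendError(SC_UNAUTHORIZED, "Authentication required");
            return Action.RETURN;   // a 401 never reaches the "not OK / not ACCEPTED" block
        }
        if (!(authResponse.statusCode == SC_ACCEPTED) && !(authResponse.statusCode == SC_OK)) {
            t.auditEvents.add("UNAUTHORIZED");
            t.sendError(authResponse.statusCode, "Unauthorized request");
            return Action.RETURN;
        }
        return Action.CONTINUE;
    }

    public static void main(String[] args) {
        AuthorizationResponse[] cases = {
            AuthorizationResponse.OK, AuthorizationResponse.PROMPT, AuthorizationResponse.FORBIDDEN
        };
        for (AuthorizationResponse r : cases) {
            Trace before = new Trace(), after = new Trace();
            Action a1 = authorizeFallThrough(r, before);
            Action a2 = authorizeEarlyReturn(r, after);
            System.out.printf("%d  fall-through: %s (%s)   early-return: %s (%s)%n",
                    r.statusCode, before, a1, after, a2);
        }
    }
}
```

Running main() shows the point of the issue: for PROMPT the fall-through variant records both REJECTED and UNAUTHORIZED and ends with the "Unauthorized request" text, while the early-return variant records REJECTED alone; OK and FORBIDDEN behave identically in both variants, which is why the bug only surfaces on PROMPT.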



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
