Posted to dev@lucene.apache.org by "Varun Thacker (JIRA)" <ji...@apache.org> on 2018/01/06 02:43:00 UTC

[jira] [Created] (SOLR-11827) MockAuthorizationPlugin should return 401 if no principal is specified

Varun Thacker created SOLR-11827:
------------------------------------

             Summary: MockAuthorizationPlugin should return 401 if no principal is specified
                 Key: SOLR-11827
                 URL: https://issues.apache.org/jira/browse/SOLR-11827
             Project: Solr
          Issue Type: Bug
      Security Level: Public (Default Security Level. Issues are Public)
            Reporter: Varun Thacker


Let's say today if the leader sends a message to the replica and it takes more than 10s (the default TTL timeout), then PKIAuthenticationPlugin will not pass the principal and RuleBasedAuthorizationPlugin will notice this and throw a 401.

{code:title=PKIAuthenticationPlugin.java|borderStyle=solid}
    if ((receivedTime - decipher.timestamp) > MAX_VALIDITY) {
        log.error("Invalid key request timestamp: {} , received timestamp: {} , TTL: {}", decipher.timestamp, receivedTime, MAX_VALIDITY);
        filterChain.doFilter(request, response);
        return true;
    }
{code}

{code:title=RuleBasedAuthorizationPlugin.java|borderStyle=solid}
    if (principal == null) {
        log.info("request has come without principal. failed permission {} ", permission);
        // this resource needs a principal but the request has come without
        // any credential.
        return MatchStatus.USER_REQUIRED;
    }
{code}

I was trying to verify this with PKIAuthenticationIntegrationTest, but I noticed that since this test uses MockAuthorizationPlugin, where no principal is treated as a 200, the test won't fail.

So we should enhance MockAuthorizationPlugin to treat no principal as a 401 and add a test in PKIAuthenticationIntegrationTest to verify the behaviour.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
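The failure mode the report describes, shown as an added, self-contained illustration that is not Solr code and not part of the issue: a TTL check that drops the principal on an expired timestamp, followed by two authorization policies, a fail-open mock that answers 200 regardless of principal (so a dropped principal never surfaces in a test) and a fail-closed mock that answers 401 when the principal is absent. The class, record and method names, the `MAX_VALIDITY_MS` constant, the `/update` resource string and the clock values are all assumptions made for the example; they do not mirror Solr's actual APIs.

```java
import java.util.Optional;

/**
 * Added illustration, not Solr code: models fail-open versus fail-closed
 * handling of a missing principal, the situation described in SOLR-11827.
 */
public class MissingPrincipalDemo {

    /** Hypothetical TTL, chosen to match the 10s validity window mentioned in the issue. */
    static final long MAX_VALIDITY_MS = 10_000L;

    /** Simplified stand-in for a PKI-style header: the user name and the sender's timestamp. */
    record PkiHeader(String user, long timestampMs) {}

    /**
     * Yields the principal only while the header is inside the TTL. An expired header
     * lets the request continue with no principal, which is the path the issue describes.
     */
    static Optional<String> resolvePrincipal(PkiHeader header, long receivedTimeMs) {
        if (header == null) {
            return Optional.empty();
        }
        if ((receivedTimeMs - header.timestampMs()) > MAX_VALIDITY_MS) {
            return Optional.empty(); // expired: downstream code sees no principal
        }
        return Optional.of(header.user());
    }

    /** Minimal authorization decision: an HTTP status for a principal and a resource. */
    interface AuthorizationPolicy {
        int authorize(Optional<String> principal, String resource);
    }

    /** Fail-open mock: every request is allowed, so a missing principal is invisible to a test. */
    static final AuthorizationPolicy LENIENT_MOCK = (principal, resource) -> 200;

    /** Fail-closed mock: no principal means 401, mirroring a USER_REQUIRED decision. */
    static final AuthorizationPolicy STRICT_MOCK =
            (principal, resource) -> principal.isPresent() ? 200 : 401;

    /** Runs the TTL check and then the chosen policy for a hypothetical "/update" resource. */
    static int handle(PkiHeader header, long receivedTimeMs, AuthorizationPolicy policy) {
        return policy.authorize(resolvePrincipal(header, receivedTimeMs), "/update");
    }

    public static void main(String[] args) {
        long now = 1_000_000L; // constructed clock value for the demo
        PkiHeader fresh = new PkiHeader("solr", now - 2_000L);   // inside the TTL
        PkiHeader stale = new PkiHeader("solr", now - 15_000L);  // older than the TTL

        // With the lenient mock both requests look identical, so a test cannot
        // detect that the stale request lost its principal.
        System.out.println("fresh, lenient: " + handle(fresh, now, LENIENT_MOCK));
        System.out.println("stale, lenient: " + handle(stale, now, LENIENT_MOCK));

        // With the strict mock the stale request is rejected, which is the outcome
        // an integration test for the TTL path can assert on.
        System.out.println("fresh, strict : " + handle(fresh, now, STRICT_MOCK));
        System.out.println("stale, strict : " + handle(stale, now, STRICT_MOCK));
    }
}
```

The point of the strict mock is that a test double used to exercise authentication must fail closed on a missing principal, otherwise the authentication layer's own rejection path is never observable from the test.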
