Solr / SOLR-9693

BasicAuthPlugin API should not allow setting blockUnknown=true if no users configured


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: security
    • Labels:

      Description

      If you use the API to configure BasicAuth, the order in which you specify your config matters. Currently it is possible to set the blockUnknown property without any users being configured, rendering Solr useless. The same would be the case if the last user is removed when blockUnknown is still set.

      Perhaps fail with code 409 Conflict or something?

      More tricky is the case where BasicAuth is configured with no users, and someone adds an Authorization config requiring a certain user to do anything at all - it would also lock down Solr but since the plugins don't know about each other it is hard to control.
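The check the description asks for, sketched as an added example (not Solr's code and not a patch from this issue): each edit command is applied to a copy of the `authentication` section and rejected with 409 if the result would have `blockUnknown=true` and no credentials. The class, method and exception names are hypothetical, the sample state is constructed, and the command names `set-user`, `delete-user` and `set-property` are those of the BasicAuth edit API.

```java
import java.util.*;

/** Added illustration, not Solr code: validates BasicAuth edit commands before they are stored. */
public class BasicAuthLockoutCheck {

  /** Hypothetical exception for a command that would lock everyone out; carries HTTP 409. */
  static class ConflictException extends RuntimeException {
    final int code = 409;
    ConflictException(String msg) { super(msg); }
  }

  /**
   * Applies one edit command to a copy of the "authentication" section and returns the copy.
   * The caller's map is never modified, so a rejected command leaves the stored config as it was.
   */
  @SuppressWarnings("unchecked")
  static Map<String, Object> apply(Map<String, Object> auth, String op, Object payload) {
    Map<String, Object> next = new HashMap<>(auth);
    Map<String, Object> users = new HashMap<>(
        (Map<String, Object>) auth.getOrDefault("credentials", Map.of()));
    switch (op) {
      case "set-user":     users.putAll((Map<String, Object>) payload); break;
      case "delete-user":  users.keySet().removeAll((List<String>) payload); break;
      case "set-property": next.putAll((Map<String, Object>) payload); break;
      default: throw new IllegalArgumentException("Unknown operation: " + op);
    }
    next.put("credentials", users);
    // The invariant from the issue: blockUnknown may only be true while at least one user exists.
    if (Boolean.TRUE.equals(next.get("blockUnknown")) && users.isEmpty()) {
      throw new ConflictException(op + " would leave blockUnknown=true with no users configured");
    }
    return next;
  }

  public static void main(String[] args) {
    // Constructed sample state: plugin enabled, no users yet.
    Map<String, Object> auth = Map.of("class", "solr.BasicAuthPlugin");
    try {
      apply(auth, "set-property", Map.of("blockUnknown", true)); // wrong order: rejected
    } catch (ConflictException e) { System.out.println(e.code + " " + e.getMessage()); }
    // Safe order: create a user first, then block unknown requests.
    auth = apply(auth, "set-user", Map.of("solr", "<hash> <salt>")); // placeholder credential
    auth = apply(auth, "set-property", Map.of("blockUnknown", true));
    try {
      apply(auth, "delete-user", List.of("solr")); // removing the last user: rejected
    } catch (ConflictException e) { System.out.println(e.code + " " + e.getMessage()); }
  }
}
```

This covers only the two BasicAuth cases in the first paragraph; the cross-plugin case with an Authorization config is outside what a check local to one plugin can see.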

            People

            • Assignee: Unassigned
            • Reporter: janhoy Jan Høydahl
            • Votes: 0
            • Watchers: 1
