Hrishikesh Gadre created SOLR-7950:
--------------------------------------

             Summary: Invalid auth scheme configuration of Http client when using Kerberos (SPNEGO)
                 Key: SOLR-7950
                 URL: https://issues.apache.org/jira/browse/SOLR-7950
             Project: Solr
          Issue Type: Bug
    Affects Versions: 4.10.3, Trunk
            Reporter: Hrishikesh Gadre


When using the Kerberos authentication mechanism (SPNEGO auth scheme), the Apache 
Http client is incorrectly configured with *all* auth schemes (e.g. Basic, 
Digest, NTLM, Kerberos, Negotiate etc.) instead of just 'Negotiate'. This issue 
was identified after configuring Solr with both Basic + Negotiate 
authentication schemes simultaneously.

The root cause for this issue is that the AbstractHttpClient::getAuthSchemes() API 
call prepares an AuthSchemeRegistry instance with all possible authentication 
schemes. Hence when we register the SPNEGO auth scheme in the Solr codebase, it 
overrides the previous configuration for SPNEGO - but doesn't remove the other 
auth schemes from the client configuration.

https://github.com/apache/lucene-solr/blob/trunk/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Krb5HttpClientConfigurer.java#L80

A trivial fix would be to prepare a new AuthSchemeRegistry instance configured 
with just the SPNEGO mechanism and set it in the HttpClient.
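
The registry behaviour described in this report, next to the proposed fix, as an added example that is not part of the original report or of Solr's code. It assumes the Apache HttpClient 4.x API (`DefaultHttpClient`, `AuthSchemeRegistry`) on the classpath; the class name, method names and the `stripPort=true` argument are illustrative assumptions.

```java
import java.util.List;
import org.apache.http.auth.AuthSchemeRegistry;
import org.apache.http.client.params.AuthPolicy;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.DefaultHttpClient;

public class SpnegoOnlyRegistry {

    // Behaviour described in the report: register() on the registry returned
    // by getAuthSchemes() replaces the SPNEGO entry but leaves every other
    // default scheme registered on the client.
    static List<String> registerOnDefaultRegistry(DefaultHttpClient client) {
        client.getAuthSchemes().register(AuthPolicy.SPNEGO, new SPNegoSchemeFactory(true));
        return client.getAuthSchemes().getSchemeNames();
    }

    // Fix proposed in the report: build a fresh registry that holds only
    // SPNEGO and install it on the client.
    static List<String> installSpnegoOnlyRegistry(DefaultHttpClient client) {
        AuthSchemeRegistry registry = new AuthSchemeRegistry();
        registry.register(AuthPolicy.SPNEGO, new SPNegoSchemeFactory(true));
        client.setAuthSchemes(registry);
        return client.getAuthSchemes().getSchemeNames();
    }

    public static void main(String[] args) {
        DefaultHttpClient before = new DefaultHttpClient();
        System.out.println("default registry + register(): "
                + registerOnDefaultRegistry(before));

        DefaultHttpClient after = new DefaultHttpClient();
        List<String> schemes = installSpnegoOnlyRegistry(after);
        System.out.println("fresh registry:                " + schemes);

        // Check worth keeping in a unit test: a Kerberos-only client should
        // expose exactly one registered auth scheme.
        if (schemes.size() != 1) {
            throw new IllegalStateException("unexpected auth schemes: " + schemes);
        }
        before.getConnectionManager().shutdown();
        after.getConnectionManager().shutdown();
    }
}
```

`AuthSchemeRegistry` stores scheme names lower-cased, so compare names case-insensitively when asserting on the output of `getSchemeNames()`.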


