Jan Høydahl created SOLR-9693:
---------------------------------
Summary: BasicAuthPlugin API should not allow setting blockUnknown=true if no users configured
Key: SOLR-9693
URL: https://issues.apache.org/jira/browse/SOLR-9693
Project: Solr
Issue Type: Improvement
Security Level: Public (Default Security Level. Issues are Public)
Components: security
Reporter: Jan Høydahl

If you use the API to configure BasicAuth, the order in which you specify your
config matters. Currently it is possible to set the {{blockUnknown}} property
without any users being configured, rendering Solr useless. The same would be
the case if the last user is removed when blockUnknown is still set.
Perhaps fail with code *409 Conflict* or something?
More tricky is the case where BasicAuth is configured with no users, and
someone adds an Authorization config requiring a certain user to do anything at
all - it would also lock down Solr but since the plugins don't know about each
other it is hard to control.
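The check proposed in this issue, sketched as an added example (not Solr's code and not part of the original message). The function name `apply_basic_auth_edit` is hypothetical; `set-user`, `delete-user` and `set-property` are the BasicAuthPlugin edit commands, and password hashing is replaced by a constructed placeholder.

```python
import copy

def _blocks_unknown(cfg):
    # Accept both JSON true and the string "true" for the property value.
    return str(cfg.get("blockUnknown", False)).lower() == "true"

def apply_basic_auth_edit(auth_cfg, request):
    """Apply one edit request to a copy of the 'authentication' section.

    Returns (status, config): 200 with the updated config, 400 for an
    unknown command, or 409 with the original config when the result
    would have blockUnknown=true and no users left to authenticate.
    """
    new = copy.deepcopy(auth_cfg)
    creds = new.setdefault("credentials", {})
    for op, arg in request.items():
        if op == "set-user":
            # Assumption: real Solr stores a salted hash; a placeholder stands in.
            creds.update({user: "<constructed-hash>" for user in arg})
        elif op == "delete-user":
            for user in ([arg] if isinstance(arg, str) else arg):
                creds.pop(user, None)
        elif op == "set-property":
            new.update(arg)
        else:
            return 400, auth_cfg
    # Validate the final state, so the order of commands inside one
    # request does not matter, only what the config would end up as.
    if _blocks_unknown(new) and not creds:
        return 409, auth_cfg
    return 200, new

if __name__ == "__main__":
    cfg = {"class": "solr.BasicAuthPlugin"}  # constructed starting config
    for req in (
        {"set-property": {"blockUnknown": True}},   # no users yet: 409
        {"set-user": {"admin": "example-pw"}},      # 200
        {"set-property": {"blockUnknown": True}},   # 200, a user exists now
        {"delete-user": ["admin"]},                 # last user: 409
    ):
        status, cfg = apply_basic_auth_edit(cfg, req)
        print(status, req)
```

The interaction with a separately configured Authorization plugin, described in the last paragraph of the issue, is outside what this check can see.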