[jira] [Commented] (SOLR-9702) Authentication & Authorization based on Jetty security

[Anshum Gupta (JIRA)]

    [ 
https://issues.apache.org/jira/browse/SOLR-9702?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15619655#comment-15619655
 ] 

Anshum Gupta commented on SOLR-9702:
------------------------------------

[~janhoy] I agree with you on that and think we should be able to close this 
out as Won't Fix. 

Jetty being an implementation detail basically translates to - we should be 
able to swap it out (when needed) without worrying about any back-compat w.r.t. 
users hacking or relying on it directly.

Also, any further discussions on 'how to do X' should be a part of the mailing 
list instead of a JIRA and we should create an issue for a concrete use case 
that needs to be handled by Solr.

> Authentication & Authorization based on Jetty security
> ------------------------------------------------------
>
>                 Key: SOLR-9702
>                 URL: https://issues.apache.org/jira/browse/SOLR-9702
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security
>    Affects Versions: 6.2.1
>            Reporter: Thomas Quinot
>
> (following up on comments initially posted on SOLR-7275).
> Back in Solr 4 days, user authentication could be handled by Jetty, and some 
> level of authorization could be implemented using request regexp rules. This 
> was explicitly documented in the SolrSecurity page:
> http://wiki.apache.org/solr/SolrSecurity?action=recall&rev=35#Jetty_realm_example
> In particular, authentication could thus be performed against a variety of 
> services implemented in Jetty, such as HashLoginService (mentioned explicitly 
> in the above documentation, tested in production, does work) or possibly 
> JAASLoginService, which in turn would open up the possibility to use a whole 
> range of auth services (in particular LDAP servers).
> I see that the usage of Jetty is now "an implementation detail". Does this 
> mean that the feature listed above is not supported anymore? (This is quite 
> unfortunate IMO, as even just the HashLoginService would be useful to 
> authenticate users against a database of UNIX crypt(3) passwords)
> The new login services that are apparently being reimplemented in Solr itself 
> seem to be much less flexible and limited.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org