[
https://issues.apache.org/jira/browse/SOLR-12194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16429787#comment-16429787
]
Jan Høydahl commented on SOLR-12194:
------------------------------------
{quote}I'm a little concerned that this API change makes basic-auth setup (a
pretty commonly used SolrClient feature) more arcane than it needs to be for
users.
{quote}
I agree that it is much simpler to set username and password on the request
than to setup a builder. But the current implementation has proven to be buggy
and difficult to keep up to date, since every possible client request someone
adds or updates in the future needs to remember to include special basic auth
handling.
{quote}I thought the entire point of being able to specify credentials on the
requests was so you could have a client application that used a single client,
but specified different credentials as needed based on use case – ex: pass
through credentials from the upstream user?
{quote}
Sure, that's the main benefit, but I have a feeling that majority of apps
authenticate the *app* with Solr, not individual end *users* per request? For
that case it is easier to use the builder, and they already can.
Question: If a SolrJ application authenticate/login users with basic auth and
the application then does a Solr search on behalf of that user, there should be
no reason for Solr to re-authenticate the end user? What you need is a way to
pass a pre-authenticated userId down to Solr?
Another question is why Basic Auth should be hardcoded in our clients and
requests when other (more modern and secure) authentication mechanisms are not
present, other than through plugins? A way to improve this could be for
{{SolrRequest}} to store a set of generic HTTPHeaders instead of
basicAuthUser/Pass. We could provide static utility methods to add header for
BasicAuth as well as other kind of headers. This would be on a per-request and
not per-client basis.
> Deprecate SolrRequest#setBasicAuthCredentials
> ---------------------------------------------
>
> Key: SOLR-12194
> URL: https://issues.apache.org/jira/browse/SOLR-12194
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Components: SolrJ
> Reporter: Jan Høydahl
> Priority: Major
> Fix For: 7.4
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> We should deprecate these methods in {{SolrRequest}}:
> {code:java}
> public SolrRequest setBasicAuthCredentials(String user, String password)
> public String getBasicAuthPassword()
> public String getBasicAuthUser()
> {code}
> The only way forward will be using the ClientBuilderFactory.
> For 7.4 we should deprecate these, and for 8.0 (master) remove them. First we
> need to migrate some tests etc that uses the old methods.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
