Jan Høydahl commented on SOLR-12194:

{quote}I'm a little concerned that this API change makes basic-auth setup (a 
pretty commonly used SolrClient feature) more arcane than it needs to be for 
I agree that it is much simpler to set username and password on the request 
than to setup a builder. But the current implementation has proven to be buggy 
and difficult to keep up to date, since every possible client request someone 
adds or updates in the future needs to remember to include special basic auth 
{quote}I thought the entire point of being able to specify credentials on the 
requests was so you could have a client application that used a single client, 
but specified different credentials as needed based on use case – ex: pass 
through credentials from the upstream user?
Sure, that's the main benefit, but I have a feeling that majority of apps 
authenticate the *app* with Solr, not individual end *users* per request? For 
that case it is easier to use the builder, and they already can.

Question: If a SolrJ application authenticate/login users with basic auth and 
the application then does a Solr search on behalf of that user, there should be 
no reason for Solr to re-authenticate the end user? What you need is a way to 
pass a pre-authenticated userId down to Solr?

Another question is why Basic Auth should be hardcoded in our clients and 
requests when other (more modern and secure) authentication mechanisms are not 
present, other than through plugins? A way to improve this could be for 
{{SolrRequest}} to store a set of generic HTTPHeaders instead of 
basicAuthUser/Pass. We could provide static utility methods to add header for 
BasicAuth as well as other kind of headers. This would be on a per-request and 
not per-client basis.

> Deprecate SolrRequest#setBasicAuthCredentials
> ---------------------------------------------
>                 Key: SOLR-12194
>                 URL: https://issues.apache.org/jira/browse/SOLR-12194
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: SolrJ
>            Reporter: Jan Høydahl
>            Priority: Major
>             Fix For: 7.4
>          Time Spent: 10m
>  Remaining Estimate: 0h
> We should deprecate these methods in {{SolrRequest}}:
> {code:java}
>   public SolrRequest setBasicAuthCredentials(String user, String password)
>   public String getBasicAuthPassword()
>   public String getBasicAuthUser()
> {code}
> The only way forward will be using the ClientBuilderFactory.
> For 7.4 we should deprecate these, and for 8.0 (master) remove them. First we 
> need to migrate some tests etc that uses the old methods.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

Reply via email to