[ https://issues.apache.org/jira/browse/SOLR-12194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16429787#comment-16429787 ]
Jan Høydahl commented on SOLR-12194:
------------------------------------

{quote}I'm a little concerned that this API change makes basic-auth setup (a pretty commonly used SolrClient feature) more arcane than it needs to be for users.
{quote}
I agree that it is much simpler to set username and password on the request than to set up a builder. But the current implementation has proven to be buggy and difficult to keep up to date, since every possible client request someone adds or updates in the future needs to remember to include special basic auth handling.

{quote}I thought the entire point of being able to specify credentials on the requests was so you could have a client application that used a single client, but specified different credentials as needed based on use case – ex: pass through credentials from the upstream user?
{quote}
Sure, that's the main benefit, but I have a feeling that the majority of apps authenticate the *app* with Solr, not individual end *users* per request? For that case it is easier to use the builder, and they already can.

Question: If a SolrJ application authenticates/logs in users with basic auth and the application then does a Solr search on behalf of that user, there should be no reason for Solr to re-authenticate the end user? What you need is a way to pass a pre-authenticated userId down to Solr?

Another question is why Basic Auth should be hardcoded in our clients and requests when other (more modern and secure) authentication mechanisms are not present, other than through plugins?

A way to improve this could be for {{SolrRequest}} to store a set of generic HTTPHeaders instead of basicAuthUser/Pass. We could provide static utility methods to add a header for BasicAuth as well as other kinds of headers. This would be on a per-request and not per-client basis.

> Deprecate SolrRequest#setBasicAuthCredentials
> ---------------------------------------------
>
>                 Key: SOLR-12194
>                 URL: https://issues.apache.org/jira/browse/SOLR-12194
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public)
>          Components: SolrJ
>            Reporter: Jan Høydahl
>            Priority: Major
>             Fix For: 7.4
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> We should deprecate these methods in {{SolrRequest}}:
> {code:java}
>   public SolrRequest setBasicAuthCredentials(String user, String password)
>   public String getBasicAuthPassword()
>   public String getBasicAuthUser()
> {code}
> The only way forward will be using the ClientBuilderFactory.
> For 7.4 we should deprecate these, and for 8.0 (master) remove them. First we
> need to migrate some tests etc. that use the old methods.