[
https://issues.apache.org/jira/browse/SOLR-12121?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16588890#comment-16588890
]
Jan Høydahl commented on SOLR-12121:
------------------------------------
Thanks Noble! I was able to do steps 1-4, and have an interceptor that gets
passed the {{HttpRequest}} and {{HttpContext}} objects.
Now I'm trying to wrap my head around the cleanest way to do step 5 in your
list. I.e. how to get that initial {{Authorization}} header to survive all the
hoops until the {{HttpShardHandler}} creates new clients and threads to
distribute the request to all the shards.
As far as I can understand, headers are not copied across when new requests are
made, only requestParams are. So the interceptor would not see any headers on
all the sub shard requests. I don't think it would be correct to blindly copy
all headers either. Storing the header on {{ThreadLocal}} would not work since
sub requests are done in another threadPool. I could wrap the
HttpServletRequest object and add a custom requestParam in the queryString but
I don't want it to look as if this was a user added parameter which would then
get logged in solr log etc.
A promising approach I think is to explicitly store the token/header as a
custom {{HttpServletRequest}} attribute, e.g. "solr.headersToAdd" and then once
the SolrRequest is created, copy that attribute over to a new {{List<Header>}}
property, which then the SolrClients will add as part of {{request()}}. Or am I
complicating things here?
> JWT Authentication plugin
> -------------------------
>
> Key: SOLR-12121
> URL: https://issues.apache.org/jira/browse/SOLR-12121
> Project: Solr
> Issue Type: New Feature
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Authentication
> Reporter: Jan Høydahl
> Assignee: Jan Høydahl
> Priority: Major
> Fix For: master (8.0), 7.5
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> A new Authentication plugin that will accept a [Json Web
> Token|https://en.wikipedia.org/wiki/JSON_Web_Token] (JWT) in the
> Authorization header and validate it by checking the cryptographic signature.
> The plugin will not perform the authentication itself but assert that the
> user was authenticated by the service that issued the JWT token.
> JWT defined a number of standard claims, and user principal can be fetched
> from the {{sub}} (subject) claim and passed on to Solr. The plugin will
> always check the {{exp}} (expiry) claim and optionally enforce checks on the
> {{iss}} (issuer) and {{aud}} (audience) claims.
> The first version of the plugin will only support RSA signing keys and will
> support fetching the public key of the issuer through a [Json Web
> Key|https://tools.ietf.org/html/rfc7517] (JWK) file, either from a https URL
> or from local file.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
