gerlowskija commented on a change in pull request #630: SOLR-13344: Admin UI
inaccessible with RuleBasedAuthorizationPlugin
URL: https://github.com/apache/lucene-solr/pull/630#discussion_r270903037
##########
File path: solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java
##########
@@ -550,6 +550,7 @@ public Action call() throws IOException {
private boolean shouldAuthorize() {
if(PublicKeyHandler.PATH.equals(path)) return false;
//admin/info/key is the path where public key is exposed . it is always
unsecured
+ if ("/".equals(path)) return false; // Static Admin UI files must always
be served
Review comment:
This looks good to me. I was worried about str comparison on the path being
brittle, but I'm reassured that we already do this for authentication.
My only question: In JIRA you linked to the corresponding logic for
authentication
[here|https://github.com/apache/lucene-solr/blob/6222abf4480ee15bad2e67942263f563ce5ee434/solr/core/src/java/org/apache/solr/servlet/SolrDispatchFilter.java#L468].
For authentication, we check against the paths `/` and `/solr/`, but here
you're only checking against `/`. Is there a reason for that?
(Will probably cross-post this to JIRA as well)
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
