Jason Gerlowski created SOLR-17708:
--------------------------------------

Summary: JAX-RS v2 APIs go through authorization twice
Key: SOLR-17708
URL: https://issues.apache.org/jira/browse/SOLR-17708
Project: Solr
Issue Type: Bug
Components: Authorization, v2 API
Affects Versions: 9.8.1, main (10.0)
Reporter: Jason Gerlowski

Currently, v2 APIs implemented in JAX-RS go through authorization twice:

# Once in ["HttpSolrCall.call()"|https://github.com/apache/solr/blob/main/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java#L534-L544], where authorization has historically always happened for v1 and non-JAXRS APIs
# And once again in [SolrRequestAuthorizer|https://github.com/apache/solr/blob/main/solr/core/src/java/org/apache/solr/jersey/SolrRequestAuthorizer.java#L89], a ["pre-filter"|https://www.baeldung.com/jersey-filters-interceptors#1-implementing-a-request-server-filter] that runs *after* the request has been submitted to Jersey but *before* the API implementation is actually triggered

I think the idea, [when JAX-RS support was initially added|https://github.com/apache/solr/pull/975], was that they would be skipped over by HttpSolrCall's authorization logic, and only authorized by the SolrRequestAuthorizer pre-filter, but the logic for this was never added.

We should modify this logic so that JAX-RS APIs are only authorized a single time.
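
Added example, not part of the original report and not Solr code: a simplified Java model of the two authorization stages described above, with a counting decorator around the authorizer so that the number of authorization calls per request can be checked. All type and method names and the request path are hypothetical; the "deferred" variant assumes the servlet stage leaves JAX-RS requests to the pre-filter.

```java
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Predicate;

// Simplified model, NOT Solr code: every type and method name here is hypothetical.
public class SingleAuthorizationCheck {

  /** Stand-in for an authorization plugin; returns true when the request is allowed. */
  interface Authorizer { boolean authorize(String path); }

  /** Decorator that counts how many times the wrapped authorizer is consulted. */
  static final class CountingAuthorizer implements Authorizer {
    private final Authorizer delegate;
    final AtomicInteger calls = new AtomicInteger();
    CountingAuthorizer(Authorizer delegate) { this.delegate = delegate; }
    @Override public boolean authorize(String path) {
      calls.incrementAndGet();
      return delegate.authorize(path);
    }
  }

  /**
   * Models the two stages from the report: a servlet-level check followed, for
   * JAX-RS requests, by a pre-filter check. skipInServlet selects the requests
   * that the servlet stage leaves to the pre-filter.
   */
  static boolean handle(String path, boolean isJaxRs, Authorizer auth,
                        Predicate<Boolean> skipInServlet) {
    if (!skipInServlet.test(isJaxRs) && !auth.authorize(path)) return false; // servlet stage
    if (isJaxRs && !auth.authorize(path)) return false;                      // pre-filter stage
    return true; // request reaches the API implementation
  }

  /** Runs one request (constructed path) and returns how often it was authorized. */
  static int callsFor(boolean isJaxRs, Predicate<Boolean> skipInServlet) {
    CountingAuthorizer counting = new CountingAuthorizer(p -> true); // allow-all policy
    handle("/api/example", isJaxRs, counting, skipInServlet);
    return counting.calls.get();
  }

  public static void main(String[] args) {
    Predicate<Boolean> never = jaxRs -> false;     // behaviour described in the report
    Predicate<Boolean> skipJaxRs = jaxRs -> jaxRs; // servlet stage defers JAX-RS requests
    System.out.println("reported, JAX-RS:     " + callsFor(true, never));
    System.out.println("reported, non-JAX-RS: " + callsFor(false, never));
    System.out.println("deferred, JAX-RS:     " + callsFor(true, skipJaxRs));
    System.out.println("deferred, non-JAX-RS: " + callsFor(false, skipJaxRs));
  }
}
```

A regression test built on the same counting wrapper would assert that each request path is authorized exactly once, for both JAX-RS and non-JAX-RS requests.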