Copilot commented on code in PR #4519:
URL: https://github.com/apache/solr/pull/4519#discussion_r3435386375


##########
solr/core/src/java/org/apache/solr/cli/AuthTool.java:
##########
@@ -467,10 +470,14 @@ private int handleBasicAuth(CommandLine cli) throws 
Exception {
           } while (password.length() == 0);
         }
 
-        boolean blockUnknown =
-            Boolean.parseBoolean(
-                SolrCLI.getOptionWithDeprecatedAndDefault(
-                    cli, "block-unknown", "blockUnknown", "true"));
+        if (username.equals(password)
+            && !EnvUtils.getPropertyAsBool(
+                Sha256AuthenticationProvider.ALLOW_USER_AS_PASSWORD_PROP, 
false)) {
+          CLIO.err(
+              "Error: username and password must not be identical."
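Review bot: The guard `username.equals(password)` is case-sensitive, so a password that differs from the username only by letter case slips past it; if the intent is to reject username-derived passwords, `equalsIgnoreCase` is the stricter test. When `Sha256AuthenticationProvider.ALLOW_USER_AS_PASSWORD_PROP` is set, the identical credential is accepted with no output at all; a one-line warning via `CLIO.err` in that branch would make the deliberate weakening visible in CLI logs. The hunk also drops the parse of the `block-unknown`/`blockUnknown` option into `blockUnknown`; any remaining use of that value is outside the hunk, so confirm it is still derived elsewhere or that the option is documented as removed.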

Review Comment:
   The new username==password guard is good, but `username`/`password` are still parsed from `--credentials` via `credentials.split(":")`, which breaks passwords containing ':' and can also allow empty usernames/passwords like `user:` or `:pass`.
   
   Since this check relies on the parsed values (and the strengthened password policy encourages stronger passwords that may include ':'), consider parsing with a split limit and validating non-empty parts before running the equality check.



##########
solr/webapp/web/js/angular/app.js:
##########
@@ -450,6 +455,9 @@ solrAdminApp.config([
     } else if (rejection.status === 403 && !isHandledBySchemaDesigner) {
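Review bot: The only exclusion on this 403 branch is `!isHandledBySchemaDesigner`, so any other request type that has its own 403 handling (the Security panel's `isHandledBySecurity` path) is pre-empted before it can run. If that handler is meant to take precedence, either fold its predicate into this condition, e.g. `} else if (rejection.status === 403 && !isHandledBySchemaDesigner && !isHandledBySecurity) {`, or move the security branch ahead of this one so the ordering expresses the intended priority.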

Review Comment:
   In `responseError`, security requests are intended to be handled by the Security panel (via `securityApiError`), but the 403 branch currently runs first for *all* non-schema-designer requests. This means a 403 from `/api/cluster/security/...` will set the generic `$rootScope.showAuthzFailures` banner and will never broadcast `securityApiError`, so the Security panel can’t show its detailed dialog for authz failures.
   
   Consider excluding security URLs from the 403 branch so they flow into the `isHandledBySecurity` handler.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.