Varun Thacker created SOLR-11827:
------------------------------------

Summary: MockAuthorizationPlugin should return 401 if no principal is specified
Key: SOLR-11827
URL: https://issues.apache.org/jira/browse/SOLR-11827
Project: Solr
Issue Type: Bug
Security Level: Public (Default Security Level. Issues are Public)
Reporter: Varun Thacker
Today, if the leader sends a message to the replica and it takes more than 10s (the default TTL timeout), PKIAuthenticationPlugin will not pass the principal, and RuleBasedAuthorizationPlugin will notice this and throw a 401:

{code:title=PKIAuthenticationPlugin.java|borderStyle=solid}
if ((receivedTime - decipher.timestamp) > MAX_VALIDITY) {
  log.error("Invalid key request timestamp: {} , received timestamp: {} , TTL: {}",
      decipher.timestamp, receivedTime, MAX_VALIDITY);
  // expired header: continue down the filter chain without setting any principal
  filterChain.doFilter(request, response);
  return true;
}
{code}

{code:title=RuleBasedAuthorizationPlugin.java|borderStyle=solid}
if (principal == null) {
  log.info("request has come without principal. failed permission {} ", permission);
  //this resource needs a principal but the request has come without
  //any credential.
  return MatchStatus.USER_REQUIRED;
}
{code}

I was trying to verify this with PKIAuthenticationIntegrationTest, but I noticed that, since this test uses MockAuthorizationPlugin, where no principal is treated as a 200, the test won't fail. So we should enhance MockAuthorizationPlugin to treat no principal as a 401 and add a test in PKIAuthenticationIntegrationTest to verify the behaviour.

--
This message was sent by Atlassian JIRA (v6.4.14#64029)
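The following is an added model of the chain described above, not Solr's own code: a PKI stage that drops the principal once the header timestamp is older than the TTL, followed by an authorization stage, with the current mock (200 on a missing principal) beside the proposed one (401). The function names, the seconds-based timestamps and the 10s constant are assumptions made for the model.

```python
from typing import Callable, Optional

# Default PKI TTL named in the issue (modelled in seconds; assumption).
MAX_VALIDITY_SECONDS = 10


def pki_principal(header_user: str, header_timestamp: float,
                  received_time: float) -> Optional[str]:
    """Model of PKIAuthenticationPlugin's timestamp check: an expired header
    is passed down the chain with no principal instead of being rejected."""
    if received_time - header_timestamp > MAX_VALIDITY_SECONDS:
        return None
    return header_user


def rule_based_authorize(principal: Optional[str]) -> int:
    """RuleBasedAuthorizationPlugin: a protected resource without a
    principal is USER_REQUIRED, which surfaces as HTTP 401."""
    return 401 if principal is None else 200


def mock_authorize_current(principal: Optional[str]) -> int:
    """Today's MockAuthorizationPlugin: a missing principal still gets 200,
    so an integration test cannot observe the expired-TTL path."""
    return 200


def mock_authorize_fixed(principal: Optional[str]) -> int:
    """Proposed MockAuthorizationPlugin behaviour: no principal means 401."""
    return 401 if principal is None else 200


def replica_status(authorize: Callable[[Optional[str]], int], header_user: str,
                   header_timestamp: float, received_time: float) -> int:
    """Status the replica would return for a leader request signed at
    header_timestamp and received at received_time."""
    return authorize(pki_principal(header_user, header_timestamp, received_time))


if __name__ == "__main__":
    # Constructed scenario: the leader signed at t=0, the replica saw it at t=11.
    for name, plugin in (("RuleBased", rule_based_authorize),
                         ("Mock (current)", mock_authorize_current),
                         ("Mock (fixed)", mock_authorize_fixed)):
        print(f"{name:15} -> {replica_status(plugin, 'solr', 0.0, 11.0)}")
```

Only the fixed mock reproduces the 401 that the real authorization plugin returns for the late request, which is what lets a test in PKIAuthenticationIntegrationTest fail when it should.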