Hi,

I am using Solr 8.1.1 and facing a problem while enabling JWT authentication in Solr. JWT authentication is working fine after configuring the security.json file. Below is the configuration I am using to enable JWT authentication.

security.json:

{
  "authentication": {
    "blockUnknown": false,
    "class": "solr.JWTAuthPlugin",
    "jwk": {
      "kty": "oct",
      "use": "sig",
      "kid": "k1",
      "k": "7A02618BE6943C22FD81CAB9F6FCF063B6E1732C3614BC3ACA6032B6B3215CAF0D28A34FD423423CA3AC34BEA27D3F79",
      "alg": "HS256"
    },
    "aud": "solr"
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      { "name": "all", "path": "/*", "role": "admin" }
    ],
    "user-role": { "solr": "admin" }
  }
}

Using the secret key 7A02618BE6943C22FD81CAB9F6FCF063B6E1732C3614BC3ACA6032B6B3215CAF0D28A34FD423423CA3AC34BEA27D3F79, the JWT token generated is:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZCIsImF1ZCI6InNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9.M4PksJTJ9gFjOlvvFmG1eDSyXDtKIRSGIYicIW9hwT4

Below are the header and payload I'm using to generate the JWT token. The header is

{ "alg": "HS256", "typ": "JWT" }

and the payload is

{ "sub": "admin", "aud": "Solr", "exp": 9916239022 }

With the above configuration my JWT authentication is working fine. But there is a problem: when a request is sent without an authentication header, the API still returns data. I want to prevent that when a request comes in without an authentication header. For that, I've enabled the blockUnknown parameter in the security.json file. That works fine, and an authenticated request is required. But after enabling the blockUnknown parameter I am facing the exception below while starting Solr using the solr start command:

ERROR: Solr requires authentication for http://localhost:8983/solr/admin/info/system. Please supply valid credentials. HTTP code=401

I've googled a lot and found out that the solr/admin/info/system endpoint requires authentication. How do I authenticate the solr/admin/info/system endpoint while starting up Solr? Need urgent help. I'd appreciate it if someone can help me.

Thanks
Lakhan Gupta

The information in this email is confidential and may be legally privileged. It is intended solely for the addressee and access to it by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken based on it, is strictly prohibited and may be unlawful.
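The two behaviours the post describes, a request with no Authorization header being served when blockUnknown is false and rejected with 401 when it is true, can be seen end to end in the small Python model below. This is an added example written for this page; it is not Solr's JWTAuthPlugin code and does not use the poster's key or token. It mints an HS256 token from an "oct" JWK, verifies it the way a bearer-token gate must (signature, alg pinned, exp, aud), and then applies the blockUnknown switch. The JWK, the claims and the request headers are constructed here; the exact aud comparison and the treatment of a missing exp as "expired" are this model's choices, not a statement about Solr's internals. One point that matters when the token is minted by a separate tool: per RFC 7517 the "k" member of an oct JWK is the base64url encoding of the raw key bytes, so the signer and the verifier must both use the decoded bytes, not the literal string, as the HMAC key.

```python
"""Model of a JWT bearer gate with a blockUnknown switch (added example,
not Solr's code). Constructed JWK and requests; runs offline."""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed "oct" JWK for this example (not the key from the post).
# RFC 7517: "k" is base64url(raw key bytes), so HMAC uses b64url_decode(k).
JWK = {
    "kty": "oct", "use": "sig", "kid": "k1", "alg": "HS256",
    "k": b64url_encode(b"example-hmac-key-32-bytes-long!!"),
}
EXPECTED_AUD = "solr"  # mirrors the "aud" setting in security.json


class AuthError(Exception):
    pass


def mint_token(jwk: dict, claims: dict) -> str:
    """Sign claims as an HS256 JWS compact token using the JWK's decoded key."""
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    sig = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(jwk: dict, token: str, aud: str = EXPECTED_AUD, now=None) -> dict:
    """Return the claims if signature, alg, exp and aud all check out; else raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm to what the key is for: never trust the token's alg
    # to pick the verification routine (alg=none / key-confusion defence).
    if header.get("alg") != "HS256":
        raise AuthError("unexpected alg")
    expected = hmac.new(b64url_decode(jwk["k"]), f"{h_b64}.{p_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise AuthError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:  # a token without exp is treated as expired
        raise AuthError("expired")
    aud_claim = claims.get("aud")
    # Exact, case-sensitive match (this model's choice); aud may be a list.
    if aud_claim != aud and not (isinstance(aud_claim, list) and aud in aud_claim):
        raise AuthError("aud mismatch")
    return claims


def gate(headers: dict, jwk: dict, block_unknown: bool,
         aud: str = EXPECTED_AUD, now=None) -> tuple:
    """Return (principal, http_status) for one request.

    blockUnknown=false: a request with no Authorization header passes as
    anonymous (this is why the post's API kept returning data).
    blockUnknown=true : the same request gets 401, which is also what an
    unauthenticated probe of /solr/admin/info/system would see.
    A token that IS present is always verified, regardless of the switch."""
    auth = headers.get("Authorization", "")
    if not auth:
        return (None, 200) if not block_unknown else (None, 401)
    if not auth.startswith("Bearer "):
        return (None, 401)
    try:
        claims = verify_token(jwk, auth[len("Bearer "):], aud=aud, now=now)
    except AuthError:
        return (None, 401)
    return (claims.get("sub"), 200)


if __name__ == "__main__":
    token = mint_token(JWK, {"sub": "admin", "aud": EXPECTED_AUD, "exp": 9916239022})
    print("no header, blockUnknown=false:", gate({}, JWK, False))
    print("no header, blockUnknown=true :", gate({}, JWK, True))
    print("bearer,    blockUnknown=true :", gate({"Authorization": "Bearer " + token}, JWK, True))
```

The gate is deliberately strict about the header: only a well-formed "Bearer" token is accepted, the signature is compared in constant time, and a wrong audience (for example "Solr" against an expected "solr") fails just like a bad signature, so a client that mints its own tokens has to match the server's aud string exactly.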