This is an automated email from the ASF dual-hosted git repository.
janhoy pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr.git
The following commit(s) were added to refs/heads/main by this push:
new 6154e2a7519 SOLR-18215 JWT auth module now defaults to
blockUnknown=true (#4373)
6154e2a7519 is described below
commit 6154e2a7519e9664f34d87a2ea155d9df1ba7ee0
Author: Jan Høydahl <[email protected]>
AuthorDate: Thu May 7 13:53:01 2026 +0200
SOLR-18215 JWT auth module now defaults to blockUnknown=true (#4373)
---
.../SOLR-18215-jwt-auth-blockUnknown-default-true.yml | 8 ++++++++
.../src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java | 2 +-
.../test/org/apache/solr/security/jwt/JWTAuthPluginTest.java | 10 ++++++++++
.../modules/upgrade-notes/pages/major-changes-in-solr-10.adoc | 6 ++++++
solr/webapp/web/js/angular/controllers/security.js | 5 +++--
5 files changed, 28 insertions(+), 3 deletions(-)
diff --git
a/changelog/unreleased/SOLR-18215-jwt-auth-blockUnknown-default-true.yml
b/changelog/unreleased/SOLR-18215-jwt-auth-blockUnknown-default-true.yml
new file mode 100644
index 00000000000..08e26cf170e
--- /dev/null
+++ b/changelog/unreleased/SOLR-18215-jwt-auth-blockUnknown-default-true.yml
@@ -0,0 +1,8 @@
+title: JWT Authentication `blockUnknown` now defaults to `true`, blocking
unauthenticated requests by default. Previously the code defaulted to `false`
despite the reference guide documenting `true`. Users relying on pass-through
must explicitly set `blockUnknown` to `false` in their security.json.
+type: changed
+authors:
+ - name: Jan Høydahl
+ url: https://home.apache.org/phonebook.html?uid=janhoy
+links:
+ - name: SOLR-18215
+ url: https://issues.apache.org/jira/browse/SOLR-18215
diff --git
a/solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java
b/solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java
index 3e60cd71898..ebe1d01de35 100644
---
a/solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java
+++
b/solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java
@@ -171,7 +171,7 @@ public class JWTAuthPlugin extends AuthenticationPlugin
}
blockUnknown =
-
Boolean.parseBoolean(String.valueOf(pluginConfig.getOrDefault(PARAM_BLOCK_UNKNOWN,
false)));
+
Boolean.parseBoolean(String.valueOf(pluginConfig.getOrDefault(PARAM_BLOCK_UNKNOWN,
true)));
requireIssuer =
Boolean.parseBoolean(
String.valueOf(pluginConfig.getOrDefault(PARAM_REQUIRE_ISSUER,
"true")));
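Review bot: The new default is fail-closed, but the parse on the `+` line is still fail-open for any configured value that is not literally `true`: `Boolean.parseBoolean` returns `false` for `"yes"`, a typo, a value with surrounding whitespace, or an explicit JSON `null` (the key is present, so `getOrDefault` returns `null` and `String.valueOf` turns it into `"null"`). An operator who mis-types the value in security.json therefore silently gets pass-through again, which is the misconfiguration this change set out to close; rejecting anything other than true/false at init makes that loud instead. The `requireIssuer` line below uses the string `"true"` as its default while this line uses the boolean `true` — equivalent after `String.valueOf`, but worth aligning. The enclosing method starts and ends outside the hunk.
```java
    Object rawBlockUnknown = pluginConfig.getOrDefault(PARAM_BLOCK_UNKNOWN, true);
    String blockUnknownStr = String.valueOf(rawBlockUnknown).trim();
    if (!"true".equalsIgnoreCase(blockUnknownStr) && !"false".equalsIgnoreCase(blockUnknownStr)) {
      // fail loudly rather than silently falling back to pass-through
      throw new IllegalArgumentException(
          PARAM_BLOCK_UNKNOWN + " must be true or false, got: " + blockUnknownStr);
    }
    blockUnknown = Boolean.parseBoolean(blockUnknownStr);
    // … unchanged: requireIssuer parsing …
```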
diff --git
a/solr/modules/jwt-auth/src/test/org/apache/solr/security/jwt/JWTAuthPluginTest.java
b/solr/modules/jwt-auth/src/test/org/apache/solr/security/jwt/JWTAuthPluginTest.java
index 7ee2cc01550..ba7aec71d8a 100644
---
a/solr/modules/jwt-auth/src/test/org/apache/solr/security/jwt/JWTAuthPluginTest.java
+++
b/solr/modules/jwt-auth/src/test/org/apache/solr/security/jwt/JWTAuthPluginTest.java
@@ -483,6 +483,15 @@ public class JWTAuthPluginTest extends SolrTestCaseJ4 {
assertEquals(NO_AUTZ_HEADER, resp.getAuthCode());
}
+ @Test
+ public void noHeaderDefaultBlocksUnknown() {
+ // blockUnknown defaults to true — omitting it must block requests without
a JWT
+ testConfig.remove("blockUnknown");
+ plugin.init(testConfig);
+ JWTAuthPlugin.JWTAuthenticationResponse resp = plugin.authenticate(null);
+ assertEquals(NO_AUTZ_HEADER, resp.getAuthCode());
+ }
+
@Test
public void noHeaderNotBlockUnknown() {
testConfig.put("blockUnknown", false);
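Review bot: The new `noHeaderDefaultBlocksUnknown` test pins only the absent-key case; the value-present path goes through `String.valueOf` on the server, so a JSON string `"true"` (as opposed to the boolean `true` the sibling tests put into `testConfig`) is not exercised anywhere in this hunk. A second case with `testConfig.put("blockUnknown", "true");` followed by the same `plugin.init(testConfig);` and `assertEquals(NO_AUTZ_HEADER, resp.getAuthCode());` would catch a regression where the string form stops being honoured. The test presumably relies on `testConfig` being rebuilt before each method — if it is shared, the `remove` here leaks into later tests; confirm against the setup code, which is outside the hunk.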
@@ -510,6 +519,7 @@ public class JWTAuthPluginTest extends SolrTestCaseJ4 {
.toString();
testConfig.put("wellKnownUrl", wellKnownUrl);
testConfig.remove("jwk");
+ testConfig.put("blockUnknown", false);
plugin.init(testConfig);
JWTAuthPlugin.JWTAuthenticationResponse resp = plugin.authenticate(null);
assertEquals(PASS_THROUGH, resp.getAuthCode());
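Review bot: The added `testConfig.put("blockUnknown", false);` carries no explanation, and a reader of this wellKnownUrl test will not know why pass-through is being forced here rather than being the thing under test. Suggest `testConfig.put("blockUnknown", false); // keep pass-through so this test exercises wellKnownUrl, not the new blockUnknown default`. The enclosing test method starts outside the hunk.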
diff --git
a/solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-10.adoc
b/solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-10.adoc
index 3f267da0803..1d626f4c0fb 100644
---
a/solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-10.adoc
+++
b/solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-10.adoc
@@ -43,6 +43,12 @@ Former users of `solr.api.v2.enabled` looking to upgrade to
Solr 10.1 or newer s
Users who deploy a proxy in front of Solr should also review this setup to
ensure that it allows access to the v2 API root path, `/api`.
+=== JWT Authentication
+
+The `blockUnknown` setting in the JWT Authentication plugin now defaults to
`true`, meaning requests without a valid JWT token are blocked by default.
+In Solr 10.0, the code default was `false` (pass-through), which contradicted
the reference guide documentation that described `true` as the default.
+Users upgrading from 10.0 who relied on the pass-through behavior must
explicitly set `"blockUnknown": false` in their `security.json`.
+
== Solr 10.0
=== Solr Jetty parameters
diff --git a/solr/webapp/web/js/angular/controllers/security.js
b/solr/webapp/web/js/angular/controllers/security.js
index 52b5c2ac46a..fd65a289988 100644
--- a/solr/webapp/web/js/angular/controllers/security.js
+++ b/solr/webapp/web/js/angular/controllers/security.js
@@ -242,7 +242,7 @@ solrAdminApp.controller('SecurityController', function
($scope, $timeout, $cooki
$scope.hideAll();
$scope.tls = false;
- $scope.blockUnknown = "false"; // default setting
+ $scope.blockUnknown = "true"; // default setting
$scope.realmName = "solr";
$scope.forwardCredentials = "false";
$scope.multiAuthWithBasic = false;
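Review bot: The string `"true"` on the `+` line now mirrors the server default, but `// default setting` does not say which default it has to track, so the two can drift apart again silently — exactly how the pre-fix mismatch arose. Suggest `$scope.blockUnknown = "true"; // default setting — must match the PARAM_BLOCK_UNKNOWN default in JWTAuthPlugin`. Separately, the next hunk (around line 371) displays every value other than `false`/`"false"` as `"true"`, whereas the server's `Boolean.parseBoolean` treats every value other than `"true"` as false; a value such as `"yes"` would therefore show as blocking in the admin UI while the server passes requests through. That hunk runs past the end of this view, so it is noted here.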
@@ -371,7 +371,8 @@ solrAdminApp.controller('SecurityController', function
($scope, $timeout, $cooki
//console.log(">> authn: "+JSON.stringify(authn));
- $scope.blockUnknown = authn["blockUnknown"] === true ? "true" :
"false";
+ var blockUnknown = authn["blockUnknown"];
+ $scope.blockUnknown = (blockUnknown === false || blockUnknown ===
"false") ? "false" : "true";
$scope.forwardCredentials = authn["forwardCredentials"] === true ?
"true" : "false";
if ("realm" in authn) {