[jira] [Commented] (SOLR-13835) HttpSolrCall produces incorrect extra AuditEvent on AuthorizationResponse.PROMPT

Sun, 13 Oct 2019 12:43:53 -0700 


    [ 
https://issues.apache.org/jira/browse/SOLR-13835?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16950454#comment-16950454
 ] 

Jan Høydahl commented on SOLR-13835:
------------------------------------

{quote}Jan: Maybe i'm missing something, but IIUC in the context of how simple 
those blocks were when the code was initially added, it was reasonable for the 
first block to fall through to the second
{quote}
The logic was flawed originally since the code would return a 403 *instead* of 
a 401 due to the fall-through.

> HttpSolrCall produces incorrect extra AuditEvent on 
> AuthorizationResponse.PROMPT
> --------------------------------------------------------------------------------
>
>                 Key: SOLR-13835
>                 URL: https://issues.apache.org/jira/browse/SOLR-13835
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authentication, Authorization
>            Reporter: Chris M. Hostetter
>            Assignee: Jan Høydahl
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> spinning this out of SOLR-13741...
> {quote}
> Wrt the REJECTED + UNAUTHORIZED events I see the same as you, and I believe 
> there is a code bug, not a test bug. In HttpSolrCall#471 in the 
> {{authorize()}} call, if authResponse == PROMPT, it will actually match both 
> blocks and emit two audit events: 
> [https://github.com/apache/lucene-solr/blob/26ede632e6259eb9d16861a3c0f782c9c8999762/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java#L475:L493]
>  
> {code:java}
> if (authResponse.statusCode == AuthorizationResponse.PROMPT.statusCode) {...}
> if (!(authResponse.statusCode == HttpStatus.SC_ACCEPTED) && 
> !(authResponse.statusCode == HttpStatus.SC_OK)) {...}
> {code}
> When code==401, it is also true that code!=200. Intuitively there should be 
> both a sendErrora and return RETURN before line #484 in the first if block?
> {quote}
> This causes any and all {{REJECTED}} AuditEvent messages to be accompanied by 
> a coresponding {{UNAUTHORIZED}} AuditEvent.  
> It's not yet clear if, from the perspective of the external client, there are 
> any other bugs in behavior (TBD)



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org

Reply via email to