[https://issues.apache.org/jira/browse/SOLR-17708?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17936875#comment-17936875]
Jason Gerlowski commented on SOLR-17708:
----------------------------------------
One potential way to do this is to override the "HttpSolrCall.shouldAuthorize"
method in the "V2HttpCall" subclass, returning "false" for JAX-RS APIs.
> JAX-RS v2 APIs go through authorization twice
> ---------------------------------------------
>
> Key: SOLR-17708
> URL: https://issues.apache.org/jira/browse/SOLR-17708
> Project: Solr
> Issue Type: Bug
> Components: Authorization, v2 API
> Affects Versions: main (10.0), 9.8.1
> Reporter: Jason Gerlowski
> Priority: Major
>
> Currently, v2 APIs implemented in JAX-RS go through authorization twice:
> # Once in ["HttpSolrCall.call()"|https://github.com/apache/solr/blob/main/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java#L534-L544], where authorization has historically always happened for v1 and non-JAXRS APIs
> # And once again in [SolrRequestAuthorizer|https://github.com/apache/solr/blob/main/solr/core/src/java/org/apache/solr/jersey/SolrRequestAuthorizer.java#L89], a ["pre-filter"|https://www.baeldung.com/jersey-filters-interceptors#1-implementing-a-request-server-filter] that runs *after* the request has been submitted to Jersey but *before* the API implementation is actually triggered
> I think the idea, [when JAX-RS support was initially added|https://github.com/apache/solr/pull/975], was that they would be skipped over by HttpSolrCall's authorization logic, and only authorized by the SolrRequestAuthorizer pre-filter, but the logic for this was never added.
> We should modify this logic so that JAX-RS APIs are only authorized a single time.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
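As an added illustration, not Solr's Java code: a constructed Python model of the two authorization points the issue describes (the check inside HttpSolrCall.call() and the SolrRequestAuthorizer pre-filter) together with the shouldAuthorize override proposed in the comment. The Request and AuthorizationPlugin classes and the `fixed` flag are assumptions of the model; the point it makes is that after the override a JAX-RS request is authorized exactly once while a non-JAX-RS request is still authorized exactly once, so suppressing the first check never drops a path to zero checks.

```python
# Constructed model of the two authorization points in SOLR-17708, not Solr
# code: names mirror the Jira text, bodies are simplifications.
from dataclasses import dataclass

@dataclass
class Request:
    jaxrs: bool              # handled by a Jersey (JAX-RS) resource?
    authorizations: int = 0  # times the authorization plugin ran

class AuthorizationPlugin:
    # Stand-in for the configured plugin: it only counts invocations.
    def authorize(self, req: Request) -> None:
        req.authorizations += 1

class HttpSolrCall:
    # v1 and non-JAX-RS v2 path: the check happens inside call().
    def __init__(self, plugin: AuthorizationPlugin, req: Request) -> None:
        self.plugin, self.req = plugin, req

    def should_authorize(self) -> bool:
        return True

    def call(self) -> Request:
        if self.should_authorize():
            self.plugin.authorize(self.req)  # first authorization point
        self.dispatch()
        return self.req

    def dispatch(self) -> None:
        pass  # the v1 request handler would run here

class V2HttpCall(HttpSolrCall):
    # v2 path: JAX-RS requests go to Jersey, whose SolrRequestAuthorizer
    # pre-filter authorizes again before the resource method runs.
    def __init__(self, plugin: AuthorizationPlugin, req: Request, fixed: bool) -> None:
        super().__init__(plugin, req)
        self.fixed = fixed  # apply the override proposed in the comment?

    def should_authorize(self) -> bool:
        # Proposed fix: JAX-RS APIs rely on the Jersey pre-filter alone.
        return not (self.fixed and self.req.jaxrs)

    def dispatch(self) -> None:
        if self.req.jaxrs:
            self.plugin.authorize(self.req)  # second point: the pre-filter

def authorization_count(jaxrs: bool, fixed: bool) -> int:
    # How often one v2 request is authorized end to end; should be exactly 1.
    return V2HttpCall(AuthorizationPlugin(), Request(jaxrs), fixed).call().authorizations
```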