janhoy opened a new pull request, #4373: URL: https://github.com/apache/solr/pull/4373
https://issues.apache.org/jira/browse/SOLR-18215

Changes the default value of the `blockUnknown` setting in the JWT Authentication plugin from `false` to `true`. A documentation bug introduced in v9.0 caused the reference guide to state `true` as the default, while the code has always defaulted to `false` (pass-through). Rather than reverting the docs as first proposed in #4337, this PR modifies the default to `true` which we planned to do at some point anyway, as this is the more secure and least surprising default.

## Changes

- **`JWTAuthPlugin.java`** — default for `blockUnknown` changed from `false` to `true`
- **`security.js` (Admin UI)** — initial display state and the fallback when `blockUnknown` is absent from `security.json` both corrected to default to `true`, so the checkbox reflects the actual plugin behavior
- **`JWTAuthPluginTest.java`** — `wellKnownConfigNoHeaderPassThrough` test now sets `blockUnknown: false` explicitly (it was the only test relying on the implicit `false` default)
- **`major-changes-in-solr-10.adoc`** — added a note under the Solr 10.1 section documenting the behavior change and the documentation error in 10.0

## Upgrade impact

Users who configured JWT auth in Solr 10.0 **without** explicitly setting `blockUnknown` and relied on unauthenticated requests passing through must add `"blockUnknown": false` to their `security.json` after upgrading.

Note: `solr auth enable` does not yet support JWT, so there is no CLI impact.
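A check for the upgrade impact described above, as an added example that is not part of the pull request or of Solr's code: it reads a `security.json` and reports whether the effective `blockUnknown` value changes under the new default. The sample configurations and the function name are constructed, and accepting `"true"`/`"false"` strings as well as JSON booleans is an assumption.

```python
import json

OLD_DEFAULT = False  # code default before this PR (pass-through)
NEW_DEFAULT = True   # code default after this PR


def _as_bool(value):
    # Assumption: tolerate "true"/"false" strings as well as JSON booleans.
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError(f"unrecognised blockUnknown value: {value!r}")


def audit_block_unknown(security_json_text):
    """Report how the default change affects one security.json document."""
    auth = json.loads(security_json_text).get("authentication") or {}
    if not str(auth.get("class", "")).endswith("JWTAuthPlugin"):
        return {"jwt": False, "explicit": False,
                "before": None, "after": None, "behavior_changes": False}
    explicit = "blockUnknown" in auth
    before = _as_bool(auth["blockUnknown"]) if explicit else OLD_DEFAULT
    after = _as_bool(auth["blockUnknown"]) if explicit else NEW_DEFAULT
    return {"jwt": True, "explicit": explicit, "before": before,
            "after": after, "behavior_changes": before != after}


# Constructed sample configurations (not taken from the pull request).
IMPLICIT = """{"authentication": {"class": "solr.JWTAuthPlugin",
  "wellKnownUrl": "https://idp.example.com/.well-known/openid-configuration"}}"""
EXPLICIT_PASS_THROUGH = """{"authentication": {"class": "solr.JWTAuthPlugin",
  "blockUnknown": false}}"""
EXPLICIT_BLOCK = """{"authentication": {"class": "solr.JWTAuthPlugin",
  "blockUnknown": true}}"""
OTHER_PLUGIN = """{"authentication": {"class": "solr.BasicAuthPlugin"}}"""

if __name__ == "__main__":
    samples = {"implicit": IMPLICIT, "explicit false": EXPLICIT_PASS_THROUGH,
               "explicit true": EXPLICIT_BLOCK, "not JWT": OTHER_PLUGIN}
    for name, text in samples.items():
        result = audit_block_unknown(text)
        if result["behavior_changes"]:
            print(f"{name}: unauthenticated requests go from pass-through to "
                  'blocked; add "blockUnknown": false to keep pass-through')
        else:
            print(f"{name}: no change from the new default")
```

Only a JWT configuration that omits `blockUnknown` is reported as changing; one that sets the key explicitly keeps its behavior across the upgrade.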
