Copilot commented on code in PR #4373:
URL: https://github.com/apache/solr/pull/4373#discussion_r3152534385
##########
solr/webapp/web/js/angular/controllers/security.js:
##########
@@ -371,7 +371,7 @@ solrAdminApp.controller('SecurityController', function
($scope, $timeout, $cooki
//console.log(">> authn: "+JSON.stringify(authn));
- $scope.blockUnknown = authn["blockUnknown"] === true ? "true" :
"false";
+ $scope.blockUnknown = authn["blockUnknown"] === false ? "false" :
"true";
Review Comment:
`authn["blockUnknown"]` may be stored as a string (e.g. "false") in
`security.json` (see various tests/configs using quoted values). With the new
strict `=== false` check, a string "false" will be treated as absent and the UI
will display it as "true". Consider coercing/handling both boolean and string
values (e.g. treat `false` and "false" as false) before setting
`$scope.blockUnknown`.
```suggestion
var blockUnknown = authn["blockUnknown"];
$scope.blockUnknown = (blockUnknown === false || blockUnknown ===
"false") ? "false" : "true";
```
##########
solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java:
##########
@@ -171,7 +171,7 @@ public void init(Map<String, Object> pluginConfig) {
}
blockUnknown =
-
Boolean.parseBoolean(String.valueOf(pluginConfig.getOrDefault(PARAM_BLOCK_UNKNOWN,
false)));
+
Boolean.parseBoolean(String.valueOf(pluginConfig.getOrDefault(PARAM_BLOCK_UNKNOWN,
true)));
requireIssuer =
Review Comment:
Now that the default for `blockUnknown` has changed, it would be good to
add/adjust a unit test that asserts the new implicit default behavior (i.e.
when `blockUnknown` is omitted, a missing/invalid Authorization header results
in blocking rather than pass-through). This helps prevent future regressions
where the default might accidentally flip back.
##########
solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-10.adoc:
##########
@@ -43,6 +43,12 @@ Former users of `solr.api.v2.enabled` looking to upgrade to
Solr 10.1 or newer s
Users who deploy a proxy in front of Solr should also review this setup to
ensure that it allows access to the v2 API root path, `/api`.
+=== JWT Authentication
+
+The `blockUnknown` setting in the JWT Authentication plugin now defaults to
`true`, meaning requests without a valid JWT token are blocked by default.
+In Solr 10.0, the code default was `false` (pass-through), which contradicted
the reference guide documentation that described `true` as the default.
+Users upgrading from 10.0 who relied on the pass-through behavior must
explicitly set `blockUnknown: false` in their `security.json`.
Review Comment:
This note refers to setting `blockUnknown: false` in `security.json`, but
JSON requires quoted keys (and it’s clearer to show it as a JSON fragment).
Consider changing to something like `"blockUnknown": false` to avoid confusion
for users copying this into their config.
```suggestion
Users upgrading from 10.0 who relied on the pass-through behavior must
explicitly set `"blockUnknown": false` in their `security.json`.
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
