[ 
https://issues.apache.org/jira/browse/SOLR-11827?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cassandra Targett updated SOLR-11827:
-------------------------------------
    Component/s: Authentication

> MockAuthorizationPlugin should return 401 if no principal is specified
> ----------------------------------------------------------------------
>
>                 Key: SOLR-11827
>                 URL: https://issues.apache.org/jira/browse/SOLR-11827
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authentication
>            Reporter: Varun Thacker
>            Priority: Major
>
> Let's say today if the leader sends a message to the replica and it takes 
> more than 10s (the default TTL timeout), then PKIAuthenticationPlugin will 
> not pass the principal and RuleBasedAuthorizationPlugin will notice this and 
> throw a 401.
> {code:title=PKIAuthenticationPlugin.java|borderStyle=solid}
>     if ((receivedTime - decipher.timestamp) > MAX_VALIDITY) {
>         log.error("Invalid key request timestamp: {} , received timestamp: {} , TTL: {}", decipher.timestamp, receivedTime, MAX_VALIDITY);
>         filterChain.doFilter(request, response);
>         return true;
>     }
> {code}
> {code:title=RuleBasedAuthorizationPlugin.java|borderStyle=solid}
>     if (principal == null) {
>         log.info("request has come without principal. failed permission {} ", permission);
>         //this resource needs a principal but the request has come without
>         //any credential.
>         return MatchStatus.USER_REQUIRED;
>     }
> {code}
> I was trying to verify this with PKIAuthenticationIntegrationTest, but I 
> noticed that since this test uses MockAuthorizationPlugin, where no principal 
> is treated as a 200, the test won't fail.
> So we should enhance MockAuthorizationPlugin to treat no principal as a 401 
> and add a test in PKIAuthenticationIntegrationTest to verify the behaviour.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
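As an added illustration of the enhancement proposed above (this is not Solr's own MockAuthorizationPlugin nor code from the reporter), a minimal authorization plugin that answers 401 when the request carries no principal, so an expired PKI header surfaces as a failure instead of being silently allowed. It assumes Solr's AuthorizationPlugin interface, AuthorizationContext.getUserPrincipal() and the AuthorizationResponse.OK / AuthorizationResponse.PROMPT constants; the class name is hypothetical.

```java
// Added example, not part of the Solr code base. Assumes the Solr security
// plugin API (AuthorizationPlugin, AuthorizationContext, AuthorizationResponse)
// as found in org.apache.solr.security; the class name below is hypothetical.
package org.apache.solr.security;

import java.io.IOException;
import java.security.Principal;
import java.util.Map;

public class StrictMockAuthorizationPlugin implements AuthorizationPlugin {

  @Override
  public void init(Map<String, Object> initInfo) {
    // The mock needs no configuration.
  }

  @Override
  public AuthorizationResponse authorize(AuthorizationContext context) {
    Principal principal = context.getUserPrincipal();
    if (principal == null) {
      // Same outcome as RuleBasedAuthorizationPlugin's USER_REQUIRED: when
      // PKIAuthenticationPlugin drops the principal (e.g. the inter-node
      // header is older than MAX_VALIDITY), the request must not be treated
      // as authorized. PROMPT is assumed to map to HTTP 401.
      return AuthorizationResponse.PROMPT;
    }
    // Any authenticated principal is accepted; OK is assumed to map to HTTP 200.
    return AuthorizationResponse.OK;
  }

  @Override
  public void close() throws IOException {
    // Nothing to release.
  }
}
```

With this plugin wired into PKIAuthenticationIntegrationTest, a replica request whose PKI header has aged past the TTL would fail the test with a 401 rather than pass with a 200.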
