SOLR-17247: Fix bug - 'WWW-Authenticate' headers missing in MultiAuthPlugin #2416
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
https://issues.apache.org/jira/browse/SOLR-17247
Description
MultiAuthPlugin does not return WWW-Authenticate' headers
When returning a 401 response a Web application needs to indicate to the client what authentication challenges it supports, otherwise an exception like "HTTP protocol violation: Authentication challenge without WWW-Authenticate header“ is raised.
Solr’s MultiAuthPlugin does not supports this. With this PR Solr would return the list of supported schemes (challenges).
According to HTTP's RFC 7235:
The 401 (Unauthorized) status code indicates that the request has not
been applied because it lacks valid authentication credentials for
the target resource. The server generating a 401 response MUST send
a WWW-Authenticate header field (Section 4.1) containing at least one
challenge applicable to the target resource.
Solution
Add WWW-Authenticate' headers to error responses
Tests
Added new test case for missing WWW-Authenticate' headers
Checklist
Please review the following and check all that apply:
main
branch../gradlew check
.