Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SOLR-17247: Fix bug - 'WWW-Authenticate' headers missing in MultiAuthPlugin #2416

Merged
merged 7 commits into from
May 29, 2024
Merged

SOLR-17247: Fix bug - 'WWW-Authenticate' headers missing in MultiAuthPlugin #2416

merged 7 commits into from
May 29, 2024

Conversation

laminelam
Copy link
Contributor

@laminelam laminelam commented Apr 22, 2024
edited

https://issues.apache.org/jira/browse/SOLR-17247

Description

MultiAuthPlugin does not return WWW-Authenticate' headers

When returning a 401 response a Web application needs to indicate to the client what authentication challenges it supports, otherwise an exception like "HTTP protocol violation: Authentication challenge without WWW-Authenticate header“ is raised.

Solr’s MultiAuthPlugin does not supports this. With this PR Solr would return the list of supported schemes (challenges).

According to HTTP's RFC 7235:

The 401 (Unauthorized) status code indicates that the request has not
been applied because it lacks valid authentication credentials for
the target resource. The server generating a 401 response MUST send
a WWW-Authenticate header field (Section 4.1) containing at least one
challenge applicable to the target resource.

Solution

Add WWW-Authenticate' headers to error responses

Tests

Added new test case for missing WWW-Authenticate' headers

Checklist

Please review the following and check all that apply:

  • I have reviewed the guidelines for How to Contribute and my code conforms to the standards described there to the best of my ability.
  • I have created a Jira issue and added the issue ID to my pull request title.
  • I have given Solr maintainers access to contribute to my PR branch. (optional but recommended)
  • I have developed this patch against the main branch.
  • I have run ./gradlew check.
  • I have added tests for my changes.
  • I have added documentation for the Reference Guide

@laminelam laminelam changed the title Fix bug: 'WWW-Authenticate' headers missing in MultiAuthPlugin SOLR-17247: Fix bug - 'WWW-Authenticate' headers missing in MultiAuthPlugin Apr 22, 2024
@laminelam
Copy link
Contributor Author

Hi @janhoy

If you have some time, would you please take a look at this?

epugh
epugh reviewed Apr 27, 2024
View reviewed changes
solr/core/src/test/org/apache/solr/security/MultiAuthPluginTest.java Outdated
@@ -105,6 +110,10 @@ public void testMultiAuthEditAPI() throws Exception {
new SecurityConfHandler.SecurityConfig()
.setData(Utils.fromJSONString(multiAuthPluginSecurityJson)));
securityConfHandler.securityConfEdited();

// verify "WWW-Authenticate" headers are returned
testWWWAuthenticateHeaders(httpClient, baseUrl);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should this test actually be starting with verify? Instead of test? like verifySecurityStatus??

Copy link
Contributor Author

@laminelam laminelam Apr 30, 2024
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes I think that make sense as testWWWAuthenticateHeaders is not a UnitTest method. Will change it.

epugh
epugh reviewed Apr 27, 2024
View reviewed changes
Copy link
Contributor

@epugh epugh left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wish I knew more about this space, overall the changes make sense...

@laminelam
Copy link
Contributor Author

I wish I knew more about this space, overall the changes make sense...

Hi @epugh
Any idea who can review this PR?

@epugh epugh self-assigned this May 23, 2024
@epugh
Copy link
Contributor

epugh commented May 23, 2024

I'm going to ping @janhoy on this ticket... If he isnt' able to review it, I can look some more early next week...

Would you mind pinging me early next week, say tuesday if you don't get another set of eyes? I have assigned the PR to me to remind me when I check my list of PR's to review that I have this one!

@laminelam
Copy link
Contributor Author

laminelam commented May 23, 2024
edited

I'm going to ping @janhoy on this ticket... If he isnt' able to review it, I can look some more early next week...

Would you mind pinging me early next week, say tuesday if you don't get another set of eyes? I have assigned the PR to me to remind me when I check my list of PR's to review that I have this one!

Thank you very much, Eric, for your prompt answer. Yes will ping you if it doesn't get a review by then.

@epugh epugh merged commit 14a2195 into apache:main May 29, 2024
2 of 3 checks passed
epugh added a commit that referenced this pull request May 29, 2024
@laminelam @epugh
SOLR-17247: Fix bug - 'WWW-Authenticate' headers missing in MultiAuth…
4bd265d 
…Plugin (#2416)

Co-authored-by: Lamine Idjeraoui <[email protected]>
Co-authored-by: Eric Pugh <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@epugh epugh epugh left review comments

Assignees

@epugh epugh

Labels
cat:security tests
Projects
None yet
Milestone
No milestone
2 participants
@laminelam @epugh