[ https://issues.apache.org/jira/browse/SOLR-15154?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17286106#comment-17286106 ]
Tomas Eduardo Fernandez Lobbe commented on SOLR-15154:
------------------------------------------------------

OK, I've spent much more time looking at this than what I was expecting to, and I'm still not 100% clear what's the best path forward.

We have the {{PreemptiveBasicAuthClientBuilderFactory}} class for setting up the basic auth credentials in the case of using the System props as documented [here|https://lucene.apache.org/solr/guide/8_8/basic-authentication-plugin.html#global-jvm-basic-auth-credentials]. It looks like this class was created for the older HttpClient, and adapted later to also work for the jetty http2 one (but it doesn't seem to be used right now, thus, this Jira issue). When the {{setup}} method in this class is called, it'll do this:

{code:java}
HttpAuthenticationStore authenticationStore = new HttpAuthenticationStore();
authenticationStore.addAuthentication(new SolrBasicAuthentication(basicAuthUser, basicAuthPass));
client.getHttpClient().setAuthenticationStore(authenticationStore);
client.getProtocolHandlers().put(new WWWAuthenticationProtocolHandler(client.getHttpClient()));
client.getProtocolHandlers().put(new ProxyAuthenticationProtocolHandler(client.getHttpClient()));
{code}

My understanding (and if someone has pointers to good docs on this, please let me know, I couldn't find much) is that this will instruct the client to attempt authentication using {{basicAuthUser}} and {{basicAuthPass}} after a 401 is received from the server. It'll then cache the server and from then on, send the authentication headers in advance to that particular server. This will repeat for each different Solr server.

For explicit credentials (set on the request), we do something much more straightforward: we manually add the header on the request:

{code:java}
private void setBasicAuthHeader(@SuppressWarnings({"rawtypes"})SolrRequest solrRequest, Request req) {
  if (solrRequest.getBasicAuthUser() != null && solrRequest.getBasicAuthPassword() != null) {
    String userPass = solrRequest.getBasicAuthUser() + ":" + solrRequest.getBasicAuthPassword();
    String encoded = Base64.byteArrayToBase64(userPass.getBytes(FALLBACK_CHARSET));
    req.header("Authorization", "Basic " + encoded);
  }
}
{code}

I'm wondering why we need to go through the authentication store for a client-wide auth configuration instead of just adding the header like we do for explicit authentication requests? Something like:

{code:java}
private void setBasicAuthHeader(@SuppressWarnings({"rawtypes"})SolrRequest solrRequest, Request req) {
  if (solrRequest.getBasicAuthUser() != null && solrRequest.getBasicAuthPassword() != null) {
    String encoded = basicAuthCredentialsToAuthorizationString(solrRequest.getBasicAuthUser(), solrRequest.getBasicAuthPassword());
    req.header("Authorization", encoded);
  } else if (this.basicAuthAuthorizationStr != null) {
    req.header("Authorization", this.basicAuthAuthorizationStr);
  }
}
{code}

where {{this.basicAuthAuthorizationStr}} is set via the builder?

> Let Http2SolrClient pass Basic Auth credentials to all requests
> ---------------------------------------------------------------
>
>                 Key: SOLR-15154
>                 URL: https://issues.apache.org/jira/browse/SOLR-15154
>             Project: Solr
>          Issue Type: Improvement
>          Components: SolrJ
>            Reporter: Tomas Eduardo Fernandez Lobbe
>            Priority: Minor
>
> In {{HttpSolrClient}}, one could specify credentials [at the JVM level|https://lucene.apache.org/solr/guide/8_8/basic-authentication-plugin.html#global-jvm-basic-auth-credentials], and that would make all requests to Solr have them. This doesn't work with the Http2 clients case and I think it's very useful.
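
Added example, not part of the Jira comment and not SolrJ or Jetty code: the two strategies the comment compares, simulated with the JDK's own {{java.net.http.HttpClient}} against a loopback {{com.sun.net.httpserver.HttpServer}} that stands in for a Solr node. The class name, credentials and server are constructed for illustration; the request counter shows that the challenge-driven path needs two requests for the first call while the preemptive header needs one.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicInteger;

public class BasicAuthStrategies {
  // RFC 7617: "Basic " + base64(user ":" password)
  static String basicHeader(String user, String pass) {
    byte[] raw = (user + ":" + pass).getBytes(StandardCharsets.UTF_8);
    return "Basic " + Base64.getEncoder().encodeToString(raw);
  }

  // Sends one GET, optionally with an Authorization header, and returns the status code.
  static int get(HttpClient c, URI uri, String auth) throws Exception {
    HttpRequest.Builder b = HttpRequest.newBuilder(uri);
    if (auth != null) b.header("Authorization", auth);
    return c.send(b.build(), HttpResponse.BodyHandlers.discarding()).statusCode();
  }

  public static void main(String[] args) throws Exception {
    String auth = basicHeader("example-user", "example-pass"); // constructed credentials
    AtomicInteger hits = new AtomicInteger();
    // Constructed stand-in for a Solr node protected by Basic auth.
    HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
    server.createContext("/", ex -> {
      hits.incrementAndGet();
      boolean ok = auth.equals(ex.getRequestHeaders().getFirst("Authorization"));
      if (!ok) ex.getResponseHeaders().add("WWW-Authenticate", "Basic realm=\"solr\"");
      ex.sendResponseHeaders(ok ? 200 : 401, -1);
      ex.close();
    });
    server.start();
    URI uri = URI.create("http://127.0.0.1:" + server.getAddress().getPort() + "/");
    HttpClient client = HttpClient.newHttpClient();

    // Challenge-driven: first request is anonymous, retry only after a 401.
    int status = get(client, uri, null);
    if (status == 401) status = get(client, uri, auth);
    System.out.println("challenge-driven: status=" + status + " requests=" + hits.getAndSet(0));
    // Preemptive: the header goes out on the very first request.
    status = get(client, uri, auth);
    System.out.println("preemptive:       status=" + status + " requests=" + hits.getAndSet(0));
    server.stop(0);
  }
}
```

Basic credentials are only Base64-encoded, so either strategy needs TLS on the connection to the server; the example uses plain HTTP on loopback only to stay self-contained.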