Ugh ... not sure WTF is going on here, but thanks for reporting it with clear steps to reproduce...

https://issues.apache.org/jira/browse/SOLR-8408

: Date: Fri, 11 Dec 2015 20:43:46 +0100
: From: Kristine Jetzke <kristine.jet...@gmx.de>
: Reply-To: solr-user@lucene.apache.org
: To: solr-user@lucene.apache.org
: Subject: API accessible without authentication even though Basic Auth Plugin
:     is enabled
:
: Hi,
:
: I noticed that it is possible to access the API even if the Basic Auth plugin is enabled. Is that a known issue/done on purpose? I didn’t find anything in JIRA or the docs.
:
: What I did:
: - Started zookeeper on port 2181 and uploaded security.json from https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin
: - Started Solr cluster using cloud example: bin/solr start -e cloud -c -z localhost:2181
: - Executed the following commands:
:   - curl -u solr:SolrRocks 'http://localhost:8983/solr/gettingstarted_shard1_replica1/select?q=*%3A*&wt=json&indent=true': Returns 200 as expected
:   - curl -u solr:wrongPassword 'http://localhost:8983/solr/gettingstarted_shard1_replica1/select?q=*%3A*&wt=json&indent=true': Returns 401 as expected
:   - curl 'http://localhost:8983/solr/gettingstarted_shard1_replica1/select?q=*%3A*&wt=json&indent=true': Returns 200 even though no Authorization header is set.
:
: I don’t understand why the last part works like it does. If I don’t give credentials, I would expect that the behavior is the same as with invalid credentials. Is there a special reason why it behaves like this? I’m wondering because I’m working on a custom authentication plugin and was looking into the existing ones to understand how they work.
:
: Thanks,
:
: tine

-Hoss
http://www.lucidworks.com/
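
The three-request check from the report above, as an added example that is not part of the original thread or of Solr's own code: it replays the valid, wrong and missing credentials cases against a node you run and lists every case whose status differs from what the reporter expected (200, 401, 401). The function names are made up for this example; the URL and credentials are the ones quoted in the message.

```python
import base64
import http.client
from urllib.parse import urlsplit

# URL and credentials are the ones quoted in the report above.
URL = ("http://localhost:8983/solr/gettingstarted_shard1_replica1/select"
       "?q=*%3A*&wt=json&indent=true")

def probe(url, credentials=None, timeout=5):
    """GET url, optionally with Basic auth (user, password); return the status code."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    headers = {}
    if credentials is not None:
        token = base64.b64encode(":".join(credentials).encode()).decode()
        headers["Authorization"] = "Basic " + token
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status
    finally:
        conn.close()

def check_auth_enforcement(url, user, password, wrong_password="wrongPassword"):
    """Run the three requests from the report; return (statuses, findings)."""
    # Expected values are the reporter's: no credentials should behave like bad ones.
    expected = {"valid": 200, "invalid": 401, "missing": 401}
    statuses = {
        "valid": probe(url, (user, password)),
        "invalid": probe(url, (user, wrong_password)),
        "missing": probe(url),  # no Authorization header at all
    }
    findings = [
        "%s credentials: got %d, expected %d" % (case, statuses[case], want)
        for case, want in expected.items()
        if statuses[case] != want
    ]
    return statuses, findings

if __name__ == "__main__":
    try:
        statuses, findings = check_auth_enforcement(URL, "solr", "SolrRocks")
    except OSError as exc:
        raise SystemExit("cannot reach %s: %s" % (URL, exc))
    print(statuses, *("FAIL " + f for f in findings), sep="\n")
    raise SystemExit(1 if findings else 0)
```

Run as a script it exits non-zero when any case deviates, so it can serve as a regression check after changing security.json or while developing a custom authentication plugin.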