Thanks Shawn. I fixed the issue by URL encoding. Here is a slimmed-down version of my code (with the fix):

    import java.io.UnsupportedEncodingException;
    import java.net.URLEncoder;
    import org.apache.solr.client.solrj.impl.HttpSolrClient;
    import org.apache.solr.client.solrj.impl.XMLResponseParser;

    // Gives back: http://username:password@server:port/solr/...
    public HttpSolrClient getSolrClient() throws UnsupportedEncodingException {
        // the next two lines are the fix
        String username = URLEncoder.encode(getSolrUserID(), "UTF-8");
        String password = URLEncoder.encode(getSolrPasswordClearText(), "UTF-8");

        // Gives back: http://username:password@server:port/solr/...
        String solrUrl = "http://" + username + ":" + password + "@"
                + getSolrServerName() + ":" + getSolrServerPort() + getSolrUpdatePathURI();

        HttpSolrClient solrClient = new HttpSolrClient(solrUrl);
        solrClient.setParser(new XMLResponseParser());
        return solrClient;
    }

As you can see, I'm posting the username / password as part of the URL, which appears to be the root of my issue, but I cannot figure out how to set basic authentication on HttpSolrClient any other way, do you?

A side note, the exception that was being thrown (see my original posting on this topic) shows the URL and with the URL the username and password in the log. This is bad from a security perspective. Should a security defect be opened against Solr about this?

Steve

On Mon, Dec 5, 2016 at 10:45 AM, Shawn Heisey <apa...@elyograg.org> wrote:

> On 12/5/2016 8:10 AM, Steven White wrote:
> > Hi everyone,
> >
> > I'm password protecting Solr using Jetty's realm.properties and noticed
> > that if the password has "@" Jetty throws an error and thus I cannot access
> > Solr:
> <snip>
> > My question is, what are the reserved character list? Are they listed
> > somewhere?
>
> The password is being included with the URL, so the restrictions are
> whatever's legal in a URL. I am guessing that what is happening here is
> that the password is not being run through URI encoding. Encoding the
> string should allow *any* character to be used, as long as it's valid
> UTF-8.
>
> As a possible workaround, you could try setting the password in SolrJ to
> the URI encoded version, which for the password you indicated would be:
>
> 81%23Mst%23Demo%4018
>
> If this works, which I think it probably will, then there's a bug. I do
> not know whether the bug is in SolrJ or HttpClient. One of them is not
> URI encoding the password before sending it. It would be helpful if you
> shared your SolrJ code that sets the user/password, so we can determine
> where the bug is.
>
> I got the URI encoded version of the password by using the form at this
> URL:
>
> http://urldecode.org/
>
> Thanks,
> Shawn
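
Added example, not part of the original thread and not SolrJ code: a stand-alone Java check of the two points raised above, namely that a password containing "@" or "#" only parses to the intended host once it is percent-encoded, and that the userinfo can be stripped from a URL before it is logged. The user name, host, port and path are constructed for illustration; the password is the decoded form of the encoded value quoted in the reply.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;

public class SolrUrlCredentials {

    // URLEncoder does form encoding: it escapes "@", "#", ":" and "/" but
    // writes a space as "+", which is rewritten to "%20" for use in a URL.
    static String encode(String s) throws Exception {
        return URLEncoder.encode(s, "UTF-8").replace("+", "%20");
    }

    // True only if the URL parses and its host is the one intended.
    static boolean parsesToHost(String url, String host) {
        try {
            return host.equals(new URI(url).getHost());
        } catch (URISyntaxException e) {
            return false;
        }
    }

    // Drop "user:password@" before a URL reaches a log line or an exception
    // message. The greedy match runs to the last "@" ahead of the first "/",
    // so it also covers an unencoded password that itself contains "@".
    // It may remove too much when "@" appears in a query string with no
    // path, which is the safe direction for a redaction helper.
    static String redact(String text) {
        return text.replaceAll("(?<=://)[^/\\s]*@", "");
    }

    public static void main(String[] args) throws Exception {
        String user = "solr";                            // constructed
        String password = "81#Mst#Demo@18";              // decoded form of the value in the thread
        String hostPath = "localhost:8983/solr/update";  // constructed

        String raw = "http://" + user + ":" + password + "@" + hostPath;
        String encoded = "http://" + encode(user) + ":" + encode(password) + "@" + hostPath;

        // getUserInfo() percent-decodes, so this checks the credentials survive intact.
        boolean roundTrip = (user + ":" + password).equals(new URI(encoded).getUserInfo());

        System.out.println("raw parses to localhost:     " + parsesToHost(raw, "localhost"));
        System.out.println("encoded parses to localhost: " + parsesToHost(encoded, "localhost"));
        System.out.println("credentials round-trip:      " + roundTrip);
        System.out.println("safe to log (raw):           " + redact(raw));
        System.out.println("safe to log (encoded):       " + redact(encoded));
    }
}
```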