Re: solr 7.7+ admin ui inaccessible with BasicAuthPlugin+RuleBasedAuthorizationPlugin

Sat, 23 Mar 2019 10:38:15 -0700 

Hi

Here is the curl:

$ curl -I http://localhost:8080/solr/
HTTP/1.1 401 Unauthorized request, Response code: 401
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 299

And the screenshot: https://i.imgur.com/PMTE3nR.png

I'll also note that it's wonderfully easy to reproduce:
1. unpack solr-8.0.0.zip
2. copy the security.json example from https://lucene.apache.org/solr/guide/7_7/basic-authentication-plugin.html into server/solr/ and replace "name":"security-edit" with "name":"all" 
3. start with bin/solr -f -p 8080
4. open http://localhost:8080/

Thanks for looking into it!

Best regards


On 23/03/2019 19:03, Jan Høydahl wrote:

Hi
Can you take a screenshot of the 401 error page you see (without login form)?
Also, perhaps you could do a curl -I (show headers) request to your Solr and show what headers that Solr returns instead of the www-authenticate header? 

Jan


23. mar. 2019 kl. 15:34 skrev a...@sigil.red:

Hi
SOLR-7896 made some changes to the admin ui login. After the changes I can no longer log in at all.
I'm running standalone solr 7.7 (same with 8.0) with the following security.json: 


{
"authentication": {
"class": "solr.BasicAuthPlugin",
"blockUnknown": true,
"credentials": {
"solr": "<hash for empty password string>"
},
},
"authorization": {
"class": "solr.RuleBasedAuthorizationPlugin",
"permissions": [
{
"name": "all",
"role": "admin"
}
],
"user-role": {
"solr": "admin"
}
}
}
Opening the UI at http://localhost:8080/solr/ shows an error page with 401. The login page is not displayed because of the "all" permission being required. The browser's basic auth popup is not shown because the WWW-Authenticate header is not present. Changing the RuleBasedAuthorizationPlugin required permission from "all" to "security-edit" makes the login page appear.
The above basic auth + "all" permission was working ok with solr 7.5, but no longer works with 7.7+. Is this behaviour intended and/or documented?
Another issue is with using empty password strings. This used to work with the browser's native basic auth, but not by the login page ("Password is required" error). Is there some way to use an empty password with the login page? If not, is there a way to continue using the browser's native basic auth? 

Best regards

Reply via email to