Jan, I tried using the JWT Plugin https://github.com/cominvent/solr-auth-jwt

If my security.json file is

{
  "authentication": {
    "class": "com.cominvent.solr.JWTAuthPlugin",
    "jwk": {
      "kty": "oct",
      "use": "sig",
      "kid": "solr",
      "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
      "alg": "HS256"
    }
  }
}

And my JWT token has the properties

Header
{
  "alg": "HS256",
  "typ": "JWT"
}

Payload
{
  "sub": "admin",
  "name": "admin",
  "iat": 1516239022
}

What other parameters do I need to add to the security.json file to secure Solr 7.2? I don't want anyone being able to access it without using

curl -H "Authorization: Bearer <jwt-token>" http://localhost:8983/solr/admin/info

Thanks
Tyrone

On Tue, Sep 10, 2019 at 2:18 PM Tyrone Tse <tyrone...@hotmail.com> wrote:
> All I could see in the solr.log was (could it be the java version?)
>
> main{ExitableDirectoryReader(UninvertingDirectoryReader(Uninverting(_0(8.2.0):C1:[diagnostics={java.vendor=Oracle Corporation, os=Mac OS X, java.version=1.8.0_60, java.vm.version=25.60-b23, lucene.version=8.2.0, os.arch=x86_64, java.runtime.version=1.8.0_60-b27, source=flush, os.version=10.12.6, timestamp=1568127993644}]:[attributes={Lucene50StoredFieldsFormat.mode=BEST_SPEED}])))}
> 2019-09-10 19:16:02.312 WARN (qtp875016237-24) [ ] o.a.s.s.JWTAuthPlugin Authentication failed.
>
> On Tue, Sep 10, 2019 at 12:38 PM Jan Høydahl <jan....@cominvent.com> wrote:
>> Please check the error message in solr.log on the server side and paste that here. Could be a bug 🕷
>>
>> Jan Høydahl
>>
>>> On 10 Sep 2019 at 18:51, Tyrone Tse <tyrone...@hotmail.com> wrote:
>>>
>>> Jan, using https://mkjwk.org/
>>> I generated the following JWK
>>>
>>> {
>>>   "kty": "oct",
>>>   "use": "sig",
>>>   "kid": "solr",
>>>   "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>   "alg": "HS256"
>>> }
>>>
>>> So I put the generated JWK into my solr server security.json file like this
>>>
>>> {
>>>   "authentication": {
>>>     "class": "solr.JWTAuthPlugin",
>>>     "blockUnknown": true,
>>>     "jwk": {
>>>       "kty": "oct",
>>>       "use": "sig",
>>>       "kid": "solr",
>>>       "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>       "alg": "HS256"
>>>     }
>>>   }
>>> }
>>>
>>> Then I went to https://jwt.io/ to generate the JWT using the value of
>>> "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ"
>>> for the secret key
>>>
>>> My JWT header
>>> {
>>>   "alg": "HS256",
>>>   "typ": "JWT"
>>> }
>>>
>>> Payload
>>> {
>>>   "sub": "1234567890",
>>>   "name": "John Doe",
>>>   "iat": 1516239022
>>> }
>>>
>>> Secret key
>>> pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ
>>>
>>> Which generates the following encoded JWT
>>> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44
>>>
>>> So I then tried to use the JWT encoded value in a curl command to Solr as follows
>>>
>>> curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44" http://localhost:8983/solr/admin/info/system
>>>
>>> I get the error message
>>>
>>> <html>
>>> <head>
>>> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
>>> <title>Error 401 JWT validation failed</title>
>>> </head>
>>> <body><h2>HTTP ERROR 401</h2>
>>> <p>Problem accessing /solr/admin/info/system. Reason:
>>> <pre> JWT validation failed</pre></p>
>>> </body>
>>> </html>
>>>
>>> Am I missing something in my security.json file?
>>>
>>> On Tue, Sep 10, 2019 at 5:30 AM Jan Høydahl <jan....@cominvent.com> wrote:
>>>>
>>>> I think you are confusing JWK with the JWT token. JWK is only for defining the key, see https://mkjwk.org for an online JWK generator, you can choose HS256 as algorithm. Put the generated JWK in Solr's config and also use the generated key to sign your JWT. Then Solr should be able to validate the JWT.
>>>>
>>>> --
>>>> Jan Høydahl, search solution architect
>>>> Cominvent AS - www.cominvent.com
>>>>
>>>>> On 10 Sep 2019 at 01:21, Tyrone <tyrone....@gmail.com> wrote:
>>>>>
>>>>> Jan
>>>>>
>>>>> Can my jwk object be something like
>>>>>
>>>>> {"alg": "HS256", "typ": "JWT",
>>>>> "sub": "1234567890", "name": "John Doe", "iat": 1516239022,
>>>>> "k": "secret-key"}
>>>>>
>>>>> Where k is the JWT secret key?
>>>>>
>>>>> Sent from my iPhone
>>>>>
>>>>>> On Sep 9, 2019, at 1:48 AM, Jan Høydahl <jan....@cominvent.com> wrote:
>>>>>>
>>>>>> In your security.json, add a JWK matching your signing algorithm, using the "jwk" JSON key.
>>>>>>
>>>>>> Example:
>>>>>> "jwk" : { "kty" : "oct", "kid" : "0afee142-a0af-4410-abcc-9f2d44ff45b5", "alg" : "HS256", "k" : "FdFYFzERwC2uCBB46pZQi4GG85LujR8obt-KWRBICVQ" }
>>>>>>
>>>>>> Of course you need to find a way to encode your particular secret in jwk format, there should be plenty of tools available for that. If you intend to use symmetric key in prod you have to configure solr so that security.json is not readable for anyone but the admin!
>>>>>>
>>>>>> Jan Høydahl
>>>>>>
>>>>>>> On 9 Sep 2019 at 05:46, Tyrone <tyrone....@gmail.com> wrote:
>>>>>>>
>>>>>>> HS256