Hmm, you need to set up the HttpClient in HttpShardHandlerFactory but you
cannot access the HttpServletRequest from there, it is only available in
SolrDispatchFilter AFAIK. And then, the HttpServletRequest can only return the
remote user name, not the password he, she or it provided. I don't know how to
obtain the password.
-----Original message-----
> From:Per Steffensen <st...@designware.dk>
> Sent: Fri 11-Jan-2013 15:28
> To: solr-user@lucene.apache.org
> Subject: Re: Forwarding authentication credentials in internal node-to-node
> requests
>
> Hmmm, it will not work for me. I want the "original" credential
> forwarded in the sub-requests. The credentials are mapped to permissions
> (authorization), and basically I don't want a user to be able to have
> something done in the (automatically performed by the contacted
> solr-node) sub-requests that he is not authorized to do. Forward of
> credentials is a must. So what you are saying is that I should expect to
> have to do some modifications to Solr in order to achieve what I want?
>
> Regards, Per Steffensen
>
> On 1/11/13 2:11 PM, Markus Jelsma wrote:
> > Hi,
> >
> > If your credentials are fixed I would configure username:password in your
> > request handler's shardHandlerFactory configuration section and then modify
> > HttpShardHandlerFactory.init() to create a HttpClient with an AuthScope
> > configured with those settings.
> >
> > I don't think you can obtain the original credentials very easily when inside
> > HttpShardHandlerFactory.
> >
> > Cheers
> >
> > -----Original message-----
> >> From:Per Steffensen <st...@designware.dk>
> >> Sent: Fri 11-Jan-2013 13:07
> >> To: solr-user@lucene.apache.org
> >> Subject: Forwarding authentication credentials in internal node-to-node
> >> requests
> >>
> >> Hi
> >>
> >> I read http://wiki.apache.org/solr/SolrSecurity and know a lot about
> >> webcontainer authentication and authorization. I'm sure I will be able to
> >> set it up so that each solr-node will require HTTP authentication for
> >> (selected) incoming requests.
> >>
> >> But solr-nodes also make requests among each other and I'm in doubt if
> >> credentials are forwarded from the "original request" to the internal
> >> sub-requests?
> >> E.g. let's say that each solr-node is set up to require authentication
> >> for search requests. An "outside" user makes a distributed request
> >> including correct username/password. Since it is a distributed search,
> >> the node which handles the original request from the user will have to
> >> make sub-requests to other solr-nodes but they also require correct
> >> credentials in order to accept this sub-request. Are the credentials
> >> from the original request duplicated to the sub-requests or what options
> >> do I have?
> >> Same thing goes for e.g. update requests if they are sent to a node
> >> which does not run (all) the replicas of the shard in which the documents
> >> to be added/updated/deleted belong. The node needs to make sub-requests
> >> to other nodes, and it will require forwarding the credentials.
> >>
> >> Does this just work out of the box, or ... ?
> >>
> >> Regards, Per Steffensen
> >>
>
>
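
The fixed-credentials approach suggested in the thread, as an added example that is not part of the original messages or of Solr's own code: it parses a `username:password` setting and registers it on an HttpClient with one AuthScope per known node, so the credentials are never offered to other hosts. It assumes Apache HttpClient 4.x on the classpath; the class `ShardClientAuth`, its methods, the host names and the credential string are hypothetical, and the wiring into `HttpShardHandlerFactory.init()` is not shown.

```java
import java.util.Arrays;
import java.util.List;

import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.impl.client.DefaultHttpClient;

// Hypothetical helper for illustration; not a Solr class.
public class ShardClientAuth {

    // Split "username:password" on the first colon only, so the password may contain ':'.
    static UsernamePasswordCredentials parse(String configured) {
        int sep = configured == null ? -1 : configured.indexOf(':');
        if (sep <= 0 || sep == configured.length() - 1) {
            throw new IllegalArgumentException("expected username:password");
        }
        return new UsernamePasswordCredentials(
                configured.substring(0, sep), configured.substring(sep + 1));
    }

    // Register the credentials for each listed node only. AuthScope.ANY is avoided
    // on purpose: with it the client would answer an auth challenge from any host.
    static DefaultHttpClient buildClient(String configured, List<HttpHost> nodes) {
        UsernamePasswordCredentials creds = parse(configured);
        DefaultHttpClient client = new DefaultHttpClient();
        for (HttpHost node : nodes) {
            client.getCredentialsProvider().setCredentials(
                    new AuthScope(node.getHostName(), node.getPort()), creds);
        }
        return client;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the thread.
        List<HttpHost> nodes = Arrays.asList(
                new HttpHost("solr1.example.internal", 8983),
                new HttpHost("solr2.example.internal", 8983));
        DefaultHttpClient client = buildClient("solr-internal:constructed:secret", nodes);

        // Look up what the client would use for a known node and for an unlisted host.
        System.out.println("known node has credentials: " + (client.getCredentialsProvider()
                .getCredentials(new AuthScope("solr1.example.internal", 8983)) != null));
        System.out.println("unlisted host has credentials: " + (client.getCredentialsProvider()
                .getCredentials(new AuthScope("other.example.org", 80)) != null));
    }
}
```

A client built this way authenticates every sub-request as the one configured account, so it does not carry the original caller's identity or permissions to the other nodes.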