[
https://issues.apache.org/jira/browse/SOLR-8429?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15062042#comment-15062042
]
Jan Høydahl commented on SOLR-8429:
-----------------------------------
Cool. This workaround would require blockUnauthenticated to be false, right?
Just a thought: If the new flag {{blockUnauthenticated}} is not explicitly
defined in config, could the default be smart and depend on whether an
Authorization plugin is active or not? There is no use in BasicAuthPlugin alone
without this enabled... Pseudo:
{code}
// Default to true if no authz configured
boolean blockUnauthenticated = config.get("blockUnauthenticated",
!hasAuthorizationPlugin());
{code}
Then we would continue to omit the flag in example configs, and document it for
those who rather want to block using the flag instead of an all permission.
That way we'd get back compat as well, not?
> add a flag blockUnauthenticated to BasicAuthPlugin
> --------------------------------------------------
>
> Key: SOLR-8429
> URL: https://issues.apache.org/jira/browse/SOLR-8429
> Project: Solr
> Issue Type: Improvement
> Reporter: Noble Paul
> Assignee: Noble Paul
>
> If authentication is set up with BasicAuthPlugin, it lets all requests go
> through if no credentials are passed. This was done to have minimal impact
> for users who only wish to protect a few end points (say, collection admin
> and core admin only).
> We can add a flag to {{BasicAuthPlugin}} to allow only authenticated requests
> to go in.