[ https://issues.apache.org/jira/browse/SOLR-17708?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17936875#comment-17936875 ]

Jason Gerlowski commented on SOLR-17708:
----------------------------------------

One potential way to do this is to override the "HttpSolrCall.shouldAuthorize" 
method in the "V2HttpCall" subclass, returning "false" for JAX-RS APIs.

> JAX-RS v2 APIs go through authorization twice
> ---------------------------------------------
>
>                 Key: SOLR-17708
>                 URL: https://issues.apache.org/jira/browse/SOLR-17708
>             Project: Solr
>          Issue Type: Bug
>          Components: Authorization, v2 API
>    Affects Versions: main (10.0), 9.8.1
>            Reporter: Jason Gerlowski
>            Priority: Major
>
> Currently, v2 APIs implemented in JAX-RS go through authorization twice:
> # Once in ["HttpSolrCall.call()"|https://github.com/apache/solr/blob/main/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java#L534-L544], where authorization has historically always happened for v1 and non-JAXRS APIs
> # And once again in [SolrRequestAuthorizer|https://github.com/apache/solr/blob/main/solr/core/src/java/org/apache/solr/jersey/SolrRequestAuthorizer.java#L89], a ["pre-filter"|https://www.baeldung.com/jersey-filters-interceptors#1-implementing-a-request-server-filter] that runs *after* the request has been submitted to Jersey but *before* the API implementation is actually triggered
> I think the idea, [when JAX-RS support was initially added|https://github.com/apache/solr/pull/975], was that they would be skipped over by HttpSolrCall's authorization logic, and only authorized by the SolrRequestAuthorizer pre-filter, but the logic for this was never added.
> We should modify this logic so that JAX-RS APIs are only authorized a single time.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
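As an added illustration, not Solr's code: a standalone Java model of the two authorization points the issue describes and of the override the comment proposes. Class and method names follow the issue, but every body, the counting authorizer and the `jaxrs` flag are assumptions made for the model.

```java
import java.util.concurrent.atomic.AtomicInteger;

// Standalone model of the request path described in SOLR-17708. Not Solr's code:
// the names follow the issue, but the bodies and the `jaxrs` flag are assumptions.
public class DoubleAuthorizationModel {

  /** Stand-in for an authorization plugin that counts how often it is consulted. */
  static final class CountingAuthorizer {
    final AtomicInteger calls = new AtomicInteger();
    boolean authorize(String path) {
      calls.incrementAndGet();
      return !path.startsWith("/admin/"); // constructed policy: deny admin paths
    }
  }

  /** Models HttpSolrCall: authorizes when shouldAuthorize() says so, then hands JAX-RS requests to Jersey. */
  static class HttpSolrCall {
    final CountingAuthorizer authorizer; final String path; final boolean jaxrs;
    HttpSolrCall(CountingAuthorizer a, String path, boolean jaxrs) { authorizer = a; this.path = path; this.jaxrs = jaxrs; }
    protected boolean shouldAuthorize() { return true; } // historical behaviour: always authorize here
    boolean call() {
      if (shouldAuthorize() && !authorizer.authorize(path)) return false; // request rejected (403 in Solr)
      return jaxrs ? jerseyPreFilter() : true;
    }
    /** Models the SolrRequestAuthorizer pre-filter, which runs for every JAX-RS request. */
    private boolean jerseyPreFilter() { return authorizer.authorize(path); }
  }

  /** The change proposed in the comment: skip HttpSolrCall's check only for JAX-RS APIs. */
  static class V2HttpCall extends HttpSolrCall {
    V2HttpCall(CountingAuthorizer a, String path, boolean jaxrs) { super(a, path, jaxrs); }
    @Override protected boolean shouldAuthorize() { return !jaxrs && super.shouldAuthorize(); }
  }

  /** Runs one request and reports how many times the authorizer was consulted. */
  static int authorizationCalls(HttpSolrCall req, CountingAuthorizer a) { req.call(); return a.calls.get(); }

  public static void main(String[] args) {
    CountingAuthorizer before = new CountingAuthorizer();
    CountingAuthorizer after = new CountingAuthorizer();
    System.out.println("JAX-RS request, current code:  "
        + authorizationCalls(new HttpSolrCall(before, "/collections", true), before) + " authorization call(s)");
    System.out.println("JAX-RS request, with override: "
        + authorizationCalls(new V2HttpCall(after, "/collections", true), after) + " authorization call(s)");
    // The single remaining check must still enforce policy: a denied path is rejected by the pre-filter alone.
    CountingAuthorizer denied = new CountingAuthorizer();
    System.out.println("Denied path still rejected:    " + !new V2HttpCall(denied, "/admin/secret", true).call());
  }
}
```

The last line is the check a reviewer would want on the real change: after the override, the Jersey pre-filter is the only enforcement point for JAX-RS APIs, so a denied request must still be rejected there.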