SOLR-17247: Fix bug - 'WWW-Authenticate' headers missing in MultiAuthPlugin

Open laminelam opened this issue 1 year ago • 4 comments

https://issues.apache.org/jira/browse/SOLR-17247

Description

MultiAuthPlugin does not return 'WWW-Authenticate' headers

When returning a 401 response, a Web application needs to indicate to the client what authentication challenges it supports, otherwise an exception like "HTTP protocol violation: Authentication challenge without WWW-Authenticate header" is raised.

Solr’s MultiAuthPlugin does not support this. With this PR Solr would return the list of supported schemes (challenges).

According to HTTP's RFC 7235:

The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The server generating a 401 response MUST send a WWW-Authenticate header field (Section 4.1) containing at least one challenge applicable to the target resource.

Solution

Add 'WWW-Authenticate' headers to error responses

Tests

Added new test case for missing 'WWW-Authenticate' headers

Checklist

Please review the following and check all that apply:

  • [x] I have reviewed the guidelines for How to Contribute and my code conforms to the standards described there to the best of my ability.
  • [x] I have created a Jira issue and added the issue ID to my pull request title.
  • [x] I have given Solr maintainers access to contribute to my PR branch. (optional but recommended)
  • [x] I have developed this patch against the main branch.
  • [x] I have run ./gradlew check.
  • [x] I have added tests for my changes.
  • [ ] I have added documentation for the Reference Guide

laminelam avatar Apr 22 '24 16:04 laminelam
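
The RFC 7235 requirement quoted in the description can be checked from the client side. The following is an added example, not code from this PR or from Solr: it parses the `WWW-Authenticate` values of a 401 response and reports a missing header or a configured scheme that is not advertised. The function names, the `Basic`/`Bearer` scheme list and the sample headers are constructed assumptions.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
ITEM = re.compile(r'(?:[^,"]|"(?:\\.|[^"\\])*")+')       # list element; commas inside quotes do not split
PARAM = re.compile(rf"({TOKEN})\s*=\s*(.*)", re.S)       # key=value
CHALLENGE = re.compile(rf"({TOKEN})(?:\s+(.*))?", re.S)  # Scheme [first-param | token68]

def parse_challenges(values):
    """Parse WWW-Authenticate field values into [(scheme, params)]."""
    out = []
    for value in values:
        current = None  # auth-params never carry over between header lines
        for item in filter(None, map(str.strip, ITEM.findall(value))):
            param = PARAM.fullmatch(item)
            if param is None:  # not key=value, so the item opens a new challenge
                m = CHALLENGE.fullmatch(item)
                if m is None:
                    raise ValueError(f"malformed challenge: {item!r}")
                current = {}
                out.append((m[1], current))
                param = PARAM.fullmatch(m[2] or "")
                if param is None and m[2]:
                    current["token68"] = m[2]
            elif current is None:
                raise ValueError(f"auth-param before any scheme: {item!r}")
            if param:
                current[param[1].lower()] = param[2].strip('"')  # surrounding quotes dropped
    return out

def audit_401(status, headers, configured):
    """Return findings for one response; an empty list means compliant."""
    if status != 401:
        return []
    values = [v for k, v in headers if k.lower() == "www-authenticate"]
    if not values:
        return ["401 without WWW-Authenticate header"]
    offered = {scheme.lower() for scheme, _ in parse_challenges(values)}
    return [f"configured scheme not advertised: {s}"
            for s in configured if s.lower() not in offered]

if __name__ == "__main__":
    # Constructed sample responses (not captured from a real Solr node).
    schemes = ["Basic", "Bearer"]
    print(audit_401(401, [("Content-Type", "text/html")], schemes))
    print(audit_401(401, [("WWW-Authenticate", 'Basic realm="solr, prod"'),
                          ("WWW-Authenticate", 'Bearer realm="solr"')], schemes))
```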

Hi @janhoy

If you have some time, would you please take a look at this?

laminelam avatar Apr 25 '24 17:04 laminelam

> I wish I knew more about this space, overall the changes make sense...

Hi @epugh Any idea who can review this PR?

laminelam avatar May 23 '24 18:05 laminelam

I'm going to ping @janhoy on this ticket... If he isn't able to review it, I can look some more early next week...

Would you mind pinging me early next week, say Tuesday if you don't get another set of eyes? I have assigned the PR to me to remind me when I check my list of PRs to review that I have this one!

epugh avatar May 23 '24 18:05 epugh

> I'm going to ping @janhoy on this ticket... If he isn't able to review it, I can look some more early next week...
>
> Would you mind pinging me early next week, say Tuesday if you don't get another set of eyes? I have assigned the PR to me to remind me when I check my list of PRs to review that I have this one!

Thank you very much, Eric, for your prompt answer. Yes will ping you if it doesn't get a review by then.

laminelam avatar May 23 '24 19:05 laminelam