From 0b6ea3f1087c2d981052880dbdd54a0eec08bff5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20H=C3=B8ydahl?=
Date: Mon, 7 Jan 2019 13:02:44 +0100
Subject: [PATCH] SOLR-7896: Avoid browser basicAuth dialogue when blockUnknown=false. Always show Dashboard menu. Clarify refGuide
---
 .../apache/solr/security/BasicAuthPlugin.java | 33 +++++++++++--------
 ...hentication-and-authorization-plugins.adoc | 2 +-
 solr/webapp/web/index.html | 4 +--
 3 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/solr/core/src/java/org/apache/solr/security/BasicAuthPlugin.java b/solr/core/src/java/org/apache/solr/security/BasicAuthPlugin.java
index 72afb95af90..f8ee989edb3 100644
--- a/solr/core/src/java/org/apache/solr/security/BasicAuthPlugin.java
+++ b/solr/core/src/java/org/apache/solr/security/BasicAuthPlugin.java
@@ -29,6 +29,7 @@ import java.io.UnsupportedEncodingException;
 import java.lang.invoke.MethodHandles;
 import java.nio.charset.StandardCharsets;
 import java.security.Principal;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
@@ -118,18 +119,7 @@ public class BasicAuthPlugin extends AuthenticationPlugin implements ConfigEdita
 }
 private void authenticationFailure(HttpServletResponse response, boolean isAjaxRequest, String message) throws IOException {
- for (Map.Entry entry : authenticationProvider.getPromptHeaders().entrySet()) {
- String value = entry.getValue();
- // Prevent browser from intercepting basic authentication header when reqeust from Admin UI
- if (isAjaxRequest && HttpHeaders.WWW_AUTHENTICATE.equalsIgnoreCase(entry.getKey()) && value != null) {
- if (value.startsWith("Basic ")) {
- value = "x" + value;
- log.debug("Prefixing {} header for Basic Auth with 'x' to prevent browser basic auth popup",
- HttpHeaders.WWW_AUTHENTICATE);
- }
- }
- response.setHeader(entry.getKey(), value);
- }
+ getPromptHeaders(isAjaxRequest).forEach(response::setHeader);
 response.sendError(401, message);
 }
@@ -195,12 +185,29 @@ public class BasicAuthPlugin extends AuthenticationPlugin implements ConfigEdita
 return false;
 } else {
 numPassThrough.inc();
- request.setAttribute(AuthenticationPlugin.class.getName(), authenticationProvider.getPromptHeaders());
+ request.setAttribute(AuthenticationPlugin.class.getName(), getPromptHeaders(isAjaxRequest));
 filterChain.doFilter(request, response);
 return true;
 }
 }
+ /**
+ * Get the prompt headers, and replace Basic with xBasic if ajax request to avoid
+ * browser intercepting the authentication
+ * @param isAjaxRequest set to true if the request is an ajax request
+ * @return map of headers
+ */
+ private Map getPromptHeaders(boolean isAjaxRequest) {
+ Map headers = new HashMap(authenticationProvider.getPromptHeaders());
+ if (isAjaxRequest && headers.containsKey(HttpHeaders.WWW_AUTHENTICATE)
+ && headers.get(HttpHeaders.WWW_AUTHENTICATE).startsWith("Basic ")) {
+ headers.put(HttpHeaders.WWW_AUTHENTICATE, "x" + headers.get(HttpHeaders.WWW_AUTHENTICATE));
+ log.debug("Prefixing {} header for Basic Auth with 'x' to prevent browser basic auth popup",
+ HttpHeaders.WWW_AUTHENTICATE);
+ }
+ return headers;
+ }
+
 @Override
 public void close() throws IOException {
diff --git a/solr/solr-ref-guide/src/authentication-and-authorization-plugins.adoc b/solr/solr-ref-guide/src/authentication-and-authorization-plugins.adoc
index 89b027fd9be..3ed3951e4c1 100644
--- a/solr/solr-ref-guide/src/authentication-and-authorization-plugins.adoc
+++ b/solr/solr-ref-guide/src/authentication-and-authorization-plugins.adoc
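Review bot: The new `getPromptHeaders` dereferences the WWW-Authenticate value without a null check — `headers.get(HttpHeaders.WWW_AUTHENTICATE).startsWith("Basic ")` throws NullPointerException when the provider's map carries that key with a null value, a case the removed loop in `authenticationFailure` explicitly guarded with `value != null`. The removed code also matched the header name with `equalsIgnoreCase`, whereas `containsKey` only hits the exact casing the provider used; HTTP header names are case-insensitive, so a differently-cased key would silently skip the prefixing and let the browser raise its Basic Auth dialog for Admin UI requests, the very thing this change sets out to prevent. Fetch the value once and guard it: `String value = headers.get(HttpHeaders.WWW_AUTHENTICATE);` / `if (isAjaxRequest && value != null && value.startsWith("Basic ")) {` / `headers.put(HttpHeaders.WWW_AUTHENTICATE, "x" + value);`. The type arguments on `Map`/`HashMap` may have been lost in this rendering; if the declaration really is raw, `Map<String, String>` would let the `forEach(response::setHeader)` call in `authenticationFailure` type-check cleanly and spare callers an unchecked cast.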
@@ -165,7 +165,7 @@ When authentication is required the Admin UI will presented you with a login dia
 * `BasicAuthPlugin`
-If your plugin of choice is not supported, you will have to interact with Solr sending HTTP requests instead of through the graphical user interface of the Admin UI. All operations supported by Admin UI can be performed through Solr's RESTful APIs.
+If your plugin of choice is not supported, the Admin UI will still let you perform unrestricted operations, while for restricted operations you will need to interact with Solr by sending HTTP requests instead of through the graphical user interface of the Admin UI. All operations supported by Admin UI can be performed through Solr's RESTful APIs.
 == Securing Inter-Node Requests
diff --git a/solr/webapp/web/index.html b/solr/webapp/web/index.html
index 23b9dbd6e8e..6987af793df 100644
--- a/solr/webapp/web/index.html
+++ b/solr/webapp/web/index.html
@@ -144,9 +144,9 @@ limitations under the License.