You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
# See https://github.com/apache/solr/blob/main/dev-docs/changelog.adoc
2
+
title: "JWT Authentication Plugin: correct documentation of `blockUnknown` default value (`false`, not `true`). See upgrade notes in the reference guide for more details."
Copy file name to clipboardExpand all lines: solr/solr-ref-guide/modules/deployment-guide/pages/jwt-authentication-plugin.adoc
+10-5Lines changed: 10 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -37,22 +37,27 @@ The simplest possible `security.json` for registering the plugin without configu
37
37
{
38
38
"authentication": {
39
39
"class":"solr.JWTAuthPlugin",
40
-
"blockUnknown":"false"
40
+
"blockUnknown":false
41
41
}
42
42
}
43
43
----
44
44
45
-
The plugin will by default require a valid JWT token for all traffic.
45
+
[WARNING]
46
+
====
47
+
Earlier versions of this documentation incorrectly stated that `blockUnknown` defaulted to `true`. The actual default is `false`, meaning requests without a JWT token are passed through unauthenticated. If you intend to require authentication for all requests, you must explicitly set `"blockUnknown": true` in your `security.json`.
48
+
====
49
+
50
+
By default, `blockUnknown` is `false`, so requests without a JWT token are passed through unauthenticated.
46
51
47
-
If the `blockUnknown` property is set to `false` as in the above example, it is possible to start configuring the plugin using unauthenticated REST API calls, which is further described in section <<Editing JWT Authentication Plugin Configuration>>.
52
+
With `blockUnknown` set to `false` (the default, as shown above), you can configure the plugin using unauthenticated REST API calls, which is further described in section <<Editing JWT Authentication Plugin Configuration>>.
48
53
49
54
== Configuration Parameters
50
55
51
56
//*TODO*: standard is not to put parameters in tables but use labeled lists instead
blockUnknown ; Set to `false` to if you need to perform configuration through REST API or if you use an Authorization Plugin and only want certain paths protected. By default all requests will require a token ; `true`
60
+
blockUnknown ; Set to `true` to require a valid JWT token for all requests. Set to `false` (the default) to allow unauthenticated requests through — useful when configuring via REST API or when an Authorization Plugin handles path-based protection ; `false`
56
61
realm ; Name of the authentication realm to echo back in HTTP 401 responses. Will also be displayed in Admin UI login page ; 'solr-jwt'
57
62
scope ; Whitespace separated list of valid scopes. If configured, the JWT access token MUST contain a `scope` claim with at least one of the listed scopes. Example: `solr:read solr:admin` ;
58
63
requireIss ; Fails requests that lacks an `iss` (issuer) claim ; `true`
@@ -167,7 +172,7 @@ Let's look at a more complex configuration, this time with two issuers configure
167
172
Let's comment on this config:
168
173
169
174
<1> Plugin class
170
-
<2> Make sure to block anyone without a valid token (this is also the default)
175
+
<2> Explicitly block anyone without a valid token (the default is `false`, so this must be set explicitly to enforce authentication)
171
176
<3> Fetch the user id from another claim than the default `sub`
172
177
<4> Require that the `foo` claim is one of "A" or "B" and that the `dept` claim is "IT"
173
178
<5> Require one of the scopes `solr:read`, `solr:write` or `solr:admin`
Copy file name to clipboardExpand all lines: solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-9.adoc
+8-1Lines changed: 8 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -97,6 +97,13 @@ The project normally doesn't remove functionality in a minor release, but we mad
97
97
98
98
+NOTE: The previous parse-context-based configuration (`parseContext.config`) is no longer supported. Tika parser-specific properties must now be configured directly on the Tika Server itself, rather than through Solr configuration. Please refer to the Tika Server documentation for details on how to set these properties.
The `blockUnknown` configuration parameter of the xref:deployment-guide:jwt-authentication-plugin.adoc[JWT Authentication Plugin] defaults to `false`, meaning requests without a JWT token are passed through unauthenticated.
103
+
Previous versions of the reference guide incorrectly stated the default was `true`.
104
+
105
+
* Users who relied on the (incorrectly documented) default of `true` should explicitly add `"blockUnknown": true` to their `authentication` block in `security.json` to preserve the intended behaviour.
106
+
100
107
== Solr 9.10
101
108
102
109
=== SolrJ
@@ -389,7 +396,7 @@ to switch back if needed.
389
396
* Upgrade to Zookeeper 3.7, allowing for TLS protected ZK communication.
390
397
* All request handlers support security permissions. Users may have to adapt their `security.json`.
391
398
* Ability to disable admin UI through a system property.
392
-
* The property `blockUnknown` in the `BasicAuthPlugin` and the `JWTAuthPlugin` now defaults to `true` instead of `false`. This change is backward incompatible. If you need the pre-9.0 default behavior, you need to explicitly set `blockUnknown:false` in `security.json`.
399
+
* The property `blockUnknown` in the `BasicAuthPlugin` [.line-through]#and the `JWTAuthPlugin`# now defaults to `true` instead of `false`. This change is backward incompatible. If you need the pre-9.0 default behavior, you need to explicitly set `blockUnknown:false` in `security.json`.
393
400
* Solr now runs with the Java security manager enabled by default. Hadoop users may need to disable this.
394
401
* Solr now binds to localhost network interface by default for better out of the box security.
395
402
Administrators that need Solr exposed more broadly can change the `SOLR_JETTY_HOST` property in their Solr include (`solr.in.sh`/`solr.in.cmd`) file.
0 commit comments