Skip to content

Commit fe81989

Browse files
committed
SOLR-18215 JWT auth module now defaults to blockUnknown=true (#4373)
(cherry picked from commit 6154e2a)
1 parent ce059dc commit fe81989

5 files changed

Lines changed: 28 additions & 3 deletions

File tree

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
title: JWT Authentication `blockUnknown` now defaults to `true`, blocking unauthenticated requests by default. Previously the code defaulted to `false` despite the reference guide documenting `true`. Users relying on pass-through must explicitly set `blockUnknown` to `false` in their security.json.
2+
type: changed
3+
authors:
4+
- name: Jan Høydahl
5+
url: https://home.apache.org/phonebook.html?uid=janhoy
6+
links:
7+
- name: SOLR-18215
8+
url: https://issues.apache.org/jira/browse/SOLR-18215

solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -171,7 +171,7 @@ public void init(Map<String, Object> pluginConfig) {
171171
}
172172

173173
blockUnknown =
174-
Boolean.parseBoolean(String.valueOf(pluginConfig.getOrDefault(PARAM_BLOCK_UNKNOWN, false)));
174+
Boolean.parseBoolean(String.valueOf(pluginConfig.getOrDefault(PARAM_BLOCK_UNKNOWN, true)));
175175
requireIssuer =
176176
Boolean.parseBoolean(
177177
String.valueOf(pluginConfig.getOrDefault(PARAM_REQUIRE_ISSUER, "true")));

solr/modules/jwt-auth/src/test/org/apache/solr/security/jwt/JWTAuthPluginTest.java

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -483,6 +483,15 @@ public void noHeaderBlockUnknown() {
483483
assertEquals(NO_AUTZ_HEADER, resp.getAuthCode());
484484
}
485485

486+
@Test
487+
public void noHeaderDefaultBlocksUnknown() {
488+
// blockUnknown defaults to true — omitting it must block requests without a JWT
489+
testConfig.remove("blockUnknown");
490+
plugin.init(testConfig);
491+
JWTAuthPlugin.JWTAuthenticationResponse resp = plugin.authenticate(null);
492+
assertEquals(NO_AUTZ_HEADER, resp.getAuthCode());
493+
}
494+
486495
@Test
487496
public void noHeaderNotBlockUnknown() {
488497
testConfig.put("blockUnknown", false);
@@ -510,6 +519,7 @@ public void wellKnownConfigNoHeaderPassThrough() {
510519
.toString();
511520
testConfig.put("wellKnownUrl", wellKnownUrl);
512521
testConfig.remove("jwk");
522+
testConfig.put("blockUnknown", false);
513523
plugin.init(testConfig);
514524
JWTAuthPlugin.JWTAuthenticationResponse resp = plugin.authenticate(null);
515525
assertEquals(PASS_THROUGH, resp.getAuthCode());

solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-10.adoc

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -43,6 +43,12 @@ Former users of `solr.api.v2.enabled` looking to upgrade to Solr 10.1 or newer s
4343

4444
Users who deploy a proxy in front of Solr should also review this setup to ensure that it allows access to the v2 API root path, `/api`.
4545

46+
=== JWT Authentication
47+
48+
The `blockUnknown` setting in the JWT Authentication plugin now defaults to `true`, meaning requests without a valid JWT token are blocked by default.
49+
In Solr 10.0, the code default was `false` (pass-through), which contradicted the reference guide documentation that described `true` as the default.
50+
Users upgrading from 10.0 who relied on the pass-through behavior must explicitly set `"blockUnknown": false` in their `security.json`.
51+
4652
== Solr 10.0
4753

4854
=== Solr Jetty parameters

solr/webapp/web/js/angular/controllers/security.js

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -242,7 +242,7 @@ solrAdminApp.controller('SecurityController', function ($scope, $timeout, $cooki
242242
$scope.hideAll();
243243

244244
$scope.tls = false;
245-
$scope.blockUnknown = "false"; // default setting
245+
$scope.blockUnknown = "true"; // default setting
246246
$scope.realmName = "solr";
247247
$scope.forwardCredentials = "false";
248248
$scope.multiAuthWithBasic = false;
@@ -371,7 +371,8 @@ solrAdminApp.controller('SecurityController', function ($scope, $timeout, $cooki
371371

372372
//console.log(">> authn: "+JSON.stringify(authn));
373373

374-
$scope.blockUnknown = authn["blockUnknown"] === true ? "true" : "false";
374+
var blockUnknown = authn["blockUnknown"];
375+
$scope.blockUnknown = (blockUnknown === false || blockUnknown === "false") ? "false" : "true";
375376
$scope.forwardCredentials = authn["forwardCredentials"] === true ? "true" : "false";
376377

377378
if ("realm" in authn) {

0 commit comments

Comments
 (0)