SOLR-18215 JWT auth module now defaults to blockUnknown=true#4373

Open
janhoy wants to merge 5 commits into apache:main from janhoy:SOLR-18215-jwt-auth-blockUnknown-default-true

Conversation

@janhoy
Contributor

@janhoy janhoy commented Apr 28, 2026

https://issues.apache.org/jira/browse/SOLR-18215

Changes the default value of the blockUnknown setting in the JWT Authentication plugin from false to true.

A documentation bug introduced in v9.0 caused the reference guide to state true as the default, while the code has always defaulted to false (pass-through). Rather than reverting the docs as first proposed in #4337, this PR modifies the default to true which we planned to do at some point anyway, as this is the more secure and least surprising default.

Changes

  • JWTAuthPlugin.java — default for blockUnknown changed from false to true
  • security.js (Admin UI) — initial display state and the fallback when blockUnknown is absent from security.json both corrected to default to true, so the checkbox reflects the actual plugin behavior
  • JWTAuthPluginTest.java — the wellKnownConfigNoHeaderPassThrough test now sets blockUnknown: false explicitly (it was the only test relying on the implicit false default)
  • major-changes-in-solr-10.adoc — added a note under the Solr 10.1 section documenting the behavior change and the documentation error in 10.0

Upgrade impact

Users who configured JWT auth in Solr 10.0 without explicitly setting blockUnknown and relied on unauthenticated requests passing through must add "blockUnknown": false to their security.json after upgrading.

Note: solr auth enable does not yet support JWT, so there is no CLI impact.
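The upgrade note above says a config that omits blockUnknown silently changes from pass-through to block. The script below is an added example, not code from the Solr project or this PR: it reads a security.json, reports the effective blockUnknown under the old default (false) and the new one (true), and, for operators who really do rely on pass-through, writes the explicit "blockUnknown": false that the PR description calls for. It assumes the standard security.json shape (an "authentication" object with a "class" key); the wellKnownUrl key and its host in the sample config are placeholders, not values from the PR.

```python
"""Audit a Solr security.json for reliance on the implicit JWT blockUnknown default.

Added example for SOLR-18215, not Solr project code. Under the old code default
(blockUnknown=false) a JWT config that omits the key lets requests without a
valid JWT pass through; with the new default (true) the same config blocks them.
"""
import copy
import json

# Class name of the JWT plugin as written in security.json.
JWT_PLUGIN_CLASS = "solr.JWTAuthPlugin"


def _as_bool(value) -> bool:
    """Accept JSON booleans and the strings "true"/"false" (case-insensitive)."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    raise ValueError(f"blockUnknown must be a boolean, got {value!r}")


def effective_block_unknown(security: dict, code_default: bool):
    """Effective blockUnknown for the JWT plugin, or None if another plugin is configured."""
    auth = security.get("authentication") or {}
    if auth.get("class") != JWT_PLUGIN_CLASS:
        return None
    if "blockUnknown" not in auth:
        return code_default  # implicit: behaviour depends on the Solr version
    return _as_bool(auth["blockUnknown"])


def audit(security: dict) -> dict:
    """Compare the old default (false, Solr 10.0) with the new one (true)."""
    before = effective_block_unknown(security, code_default=False)
    after = effective_block_unknown(security, code_default=True)
    auth = security.get("authentication") or {}
    return {
        "jwt_plugin": before is not None,
        "explicit": "blockUnknown" in auth,
        "blocks_unknown_before_upgrade": before,
        "blocks_unknown_after_upgrade": after,
        # Only an implicit JWT config flips behaviour on upgrade.
        "behaviour_changes": before is not None and before != after,
    }


def pin_pass_through(security: dict) -> dict:
    """Return a copy with blockUnknown: false written explicitly (the PR's upgrade step).

    Only for deployments that genuinely rely on unauthenticated pass-through;
    the input dict is left untouched.
    """
    if effective_block_unknown(security, code_default=False) is None:
        raise ValueError("not a solr.JWTAuthPlugin configuration")
    fixed = copy.deepcopy(security)
    fixed["authentication"]["blockUnknown"] = False
    return fixed


# Constructed sample: a 10.0-era config that never set blockUnknown.
# "wellKnownUrl" and its host are placeholders, not values from the PR.
IMPLICIT_CONFIG = json.loads("""
{
  "authentication": {
    "class": "solr.JWTAuthPlugin",
    "wellKnownUrl": "https://idp.example.invalid/.well-known/openid-configuration"
  }
}
""")

if __name__ == "__main__":
    report = audit(IMPLICIT_CONFIG)
    print(json.dumps(report, indent=2))
    if report["behaviour_changes"]:
        print("after upgrade, requests without a valid JWT will be rejected;")
        print("to keep pass-through, write the key explicitly:")
        print(json.dumps(pin_pass_through(IMPLICIT_CONFIG), indent=2))
```

Run it against the security.json you actually ship (replace IMPLICIT_CONFIG with `json.load(open(path))`); a report with `"explicit": false` and `"behaviour_changes": true` is the case the upgrade note describes, and leaving it implicit is the right outcome unless pass-through was intentional.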

janhoy added 2 commits April 28, 2026 09:58
The ref-guide documented true as the default, but the code defaulted to
false, allowing unauthenticated pass-through. Align the implementation
with the documented security behavior.

Fix the one unit test (wellKnownConfigNoHeaderPassThrough) that implicitly
relied on the old false default by making its blockUnknown=false explicit.

Add a note under Solr 10.1 in major-changes-in-solr-10.adoc so upgraders
from 10.0 know to set blockUnknown: false if they need pass-through.
Contributor

Copilot AI left a comment


Pull request overview

Updates Solr’s JWT Authentication plugin to use a more secure default behavior by blocking requests that don’t include a valid JWT, and aligns UI/docs/tests/changelog with this change.

Changes:

  • Change JWTAuthPlugin blockUnknown default from false (pass-through) to true (block by default).
  • Update Admin UI controller logic to treat missing blockUnknown as true.
  • Update one JWT auth test and add upgrade note + changelog entry documenting upgrade impact.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

File Description
solr/webapp/web/js/angular/controllers/security.js Adjusts Admin UI default and fallback logic for blockUnknown.
solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-10.adoc Documents the default behavior change and upgrade impact.
solr/modules/jwt-auth/src/test/org/apache/solr/security/jwt/JWTAuthPluginTest.java Makes pass-through behavior explicit in the one test that relied on the old implicit default.
solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java Changes plugin default to block unauthenticated requests by default.
changelog/unreleased/SOLR-18215-jwt-auth-blockUnknown-default-true.yml Adds an unreleased changelog entry for the behavior change.


janhoy and others added 3 commits April 28, 2026 10:51
…in-solr-10.adoc

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>