indexer: user/password of the -U url not used to connect to Tomcat

[sbouhnik]

Describe the bug
When setting user/password in the URL of the -U parameter, it's not used by the indexer to connect to Tomcat.

To Reproduce
Enable authentication in Tomcat and try to generate index

Expected behavior
Index working with authentication activated

[vladak]

Is the indexer running on the same machine as the web app ? If yes, see https://github.com/oracle/opengrok/wiki/Authorization-based-on-HTTP-Basic-Authentication , in particular the part about passing API calls. If not, see the same plus https://github.com/oracle/opengrok/wiki/Web-services#authenticationauthorization

[sbouhnik]

Hi Vladimir, Thanks for the answer But I think the issue is not in the config of tomcat. When I'm connecting from a web client not in the local system it works. Or if I'm passing the Basic authentication in curl it works also. The issue is that the indexer is not filling the 'Authorization: Basic <>' in the request therefore it's rejected by tomcat. Regards, Shmuel web: https://wdp.harchoma.org.il/

…

On Tue, 29 Mar 2022 at 13:44, Vladimir Kotal ***@***.***> wrote: Is the indexer running on the same machine as the web app ? If yes, see https://github.com/oracle/opengrok/wiki/Authorization-based-on-HTTP-Basic-Authentication , in particular the part about passing API calls. If not, see the same plus https://github.com/oracle/opengrok/wiki/Web-services#authenticationauthorization — Reply to this email directly, view it on GitHub <#3911 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AGCRWD2HT7RPC2UOO4BPSBDVCLNJPANCNFSM5ROJSTVQ> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[vladak]

How does your authentication setup look like ? In the above mentioned wiki there is a piece of configuration that exempts the API end points (one of which is used by the indexer) from being subject to the authentication checks, specifically this part:

<security-constraint>
    <web-resource-collection>                                               
        <web-resource-name>API endpoints are checked separately by the web app</web-resource-name>
        <url-pattern>/api/*</url-pattern>                                   
    </web-resource-collection>                                              
</security-constraint>

This is fine to do because OpenGrok performs checks of most of the API locations by itself (as is actually noted in the web resource name) - however see the rest of the configuration on the wiki.

My point is that the basic auth information should not be necessary for the indexer to successfully reach the web app, if everything is configured correctly.