Certificate Authentication Plugin
Solr can support extracting the user principal out of the client’s certificate with the use of the
For certificate authentication, the security.json file must have an authentication part which defines the class being used for authentication. security.json is shown below:
Parts of certificate validation, including verifying the trust chain and peer hostname/IP address, will be done by the web servlet container before the request ever reaches the authentication plugin. These checks are described in the Enabling SSL section.
This plugin provides no additional checking beyond what has been configured via SSL properties.
This plugin will configure the user principal for the request based on the X500 subject present in the client certificate. Authorization plugins will need to accept and handle the full subject name, for example:
CN=Solr User,OU=Engineering,O=Example Inc.,C=US
A list of possible tags that can be present in the subject name is available in RFC-5280, Section 4.1.2.4. Values may have spaces, punctuation, and other characters.
It is best practice to verify the actual contents of certificates issued by your trusted certificate authority before configuring authorization based on the contents.
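One way to review subject names before writing authorization rules, as an added example that is not part of the Solr documentation or code: the Python below parses subject strings in the comma-separated form shown above, honouring backslash escapes, and reports common names that occur under more than one full subject. The function names and sample subjects are constructed for illustration, and multi-valued components joined with "+" are assumed not to occur.

```python
import string
from collections import defaultdict

def parse_subject(subject):
    """Split a subject string into (tag, value) pairs, honouring backslash escapes."""
    parts, buf, i = [], bytearray(), 0
    while i < len(subject):
        ch, pair = subject[i], subject[i + 1:i + 3]
        if ch == "\\" and len(pair) == 2 and all(c in string.hexdigits for c in pair):
            buf.append(int(pair, 16))          # hex-pair escape such as \2C
            i += 3
        elif ch == "\\" and i + 1 < len(subject):
            buf += subject[i + 1].encode()     # single-character escape such as \,
            i += 2
        elif ch == ",":
            parts.append(buf.decode())         # an unescaped comma ends one component
            buf = bytearray()
            i += 1
        else:
            buf += ch.encode()
            i += 1
    parts.append(buf.decode())
    pairs = []
    for part in parts:
        tag, _, value = part.partition("=")    # the tag never contains "="
        pairs.append((tag.strip().upper(), value))
    return pairs

def ambiguous_common_names(subjects):
    """Return {CN: [subjects]} for every CN found under more than one full subject."""
    by_cn = defaultdict(set)
    for subject in subjects:
        for tag, value in parse_subject(subject):
            if tag == "CN":
                by_cn[value].add(subject)
    return {cn: sorted(full) for cn, full in by_cn.items() if len(full) > 1}

# Constructed sample subjects (not taken from real certificates).
SAMPLE_SUBJECTS = [
    "CN=Solr User,OU=Engineering,O=Example Inc.,C=US",
    "CN=Solr User,OU=Contractors,O=Example\\, Inc.,C=US",
    "CN=Indexer,OU=Engineering,O=Example Inc.,C=US",
]

if __name__ == "__main__":
    for cn, full in ambiguous_common_names(SAMPLE_SUBJECTS).items():
        print(f"CN {cn!r} is shared by {len(full)} distinct subjects:")
        for s in full:
            print("   ", s)
```

A common name reported here identifies more than one certificate holder, so a rule keyed on that name alone would not distinguish them; the full subject string does.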
With certificate authentication enabled, all client requests must include a valid certificate. This is identical to the client requirements when using SSL.