[ 
https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16444820#comment-16444820
 ] 

Gus Heck commented on SOLR-7896:
--------------------------------

{quote}Authenticating the admin UI while leaving the API unprotected is only an 
illusion of security. Everything the admin UI does can be done directly, using 
the API.
{quote}
[~elyograg] We are on the same page, and if you took anything I said to be 
recommending such a configuration, then my prose was unclear :).

What I do advocate is that the html pages (except maybe a special login page?) 
be similarly protected, not because they require protection for security 
reasons, but because a set of non-functional html pages that don't work 
properly without login can only confuse the user if rendered. We should only 
show the user pages that can provide full functionality.

A login/landing page is much more friendly than the standard browser basic auth 
pop-up so I'd say there's some value in that too, and it would potentially 
allow for a consistent experience across any auth mechanism that didn't 
fundamentally require a redirect to an external auth provider login.

I do think it would be good to have Solr password protected by default, with a 
command line switch to start it in legacy "open" mode if the server has not 
previously been protected by authentication. The "please set a password" dance on 
first startup would also be user friendly, and this should set the password for 
both the UI files and the API. If Solr has been configured to run its auth vs 
Kerberos, LDAP, SiteMinder or a database etc., the config for that should 
specify if Solr has write access to that backend and skip the set password 
dance if access is read-only.
{quote}By the time Solr starts, all interface binding is already done by the 
servlet container.
{quote}
As far as things happening during startup of "the web container" that should be 
entirely under our control now since we now supply the jetty container. Running 
as a war file in arbitrary containers is not supported anymore.

> Add a login page for Solr Administrative Interface
> --------------------------------------------------
>
>                 Key: SOLR-7896
>                 URL: https://issues.apache.org/jira/browse/SOLR-7896
>             Project: Solr
>          Issue Type: New Feature
>          Components: Admin UI, security
>    Affects Versions: 5.2.1
>            Reporter: Aaron Greenspan
>            Assignee: Jan Høydahl
>            Priority: Major
>              Labels: authentication, login, password
>
> Now that Solr supports Authentication plugins, the missing piece is to be 
> allowed access from Admin UI when authentication is enabled. For this we need
>  * Some plumbing in Admin UI that allows the UI to detect 401 responses and 
> redirect to login page
>  * Possibility to have multiple login pages depending on auth method and 
> redirect to the correct one
>  * [AngularJS HTTP 
> interceptors|https://docs.angularjs.org/api/ng/service/$http#interceptors] to 
> add correct HTTP headers on all requests when user is logged in
> This issue should aim to implement some of the plumbing mentioned above, and 
> make it work with Basic Auth.
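The 401-detection and header-injection plumbing the issue asks for, sketched as an added example that is not code from SOLR-7896 or from Solr itself; the login route, the in-memory credential store, the fake Solr backend and the simplified stand-in for AngularJS `$http` are all assumptions of this example:

```javascript
// Added illustration (not from SOLR-7896 or the Solr code base) of the two
// interceptor duties listed in the issue: attach the Basic Auth header while
// a user is logged in, and catch 401 responses to send the user to a login
// page. Framework-free so it runs under Node; names below are assumptions.
const LOGIN_PATH = '/solr/#/login';        // assumed login route
const session = { credentials: null };      // in-memory credential store (assumed)

// RFC 7617 credential: "Basic " + base64("user:password").
function basicCredential(user, password) {
  return 'Basic ' + Buffer.from(`${user}:${password}`, 'utf8').toString('base64');
}
function login(user, password) { session.credentials = basicCredential(user, password); }
function logout() { session.credentials = null; }

// Interceptor in the shape AngularJS accepts on $httpProvider.interceptors.
function makeAuthInterceptor(redirect) {
  return {
    // Before each request: add the header only when someone is logged in.
    request(config) {
      if (session.credentials) {
        config.headers = Object.assign({}, config.headers, { Authorization: session.credentials });
      }
      return config;
    },
    // On a failed response: 401 means the stored credentials are missing or
    // rejected, so discard them and redirect instead of rendering a broken page.
    responseError(rejection) {
      if (rejection.status === 401) {
        logout();
        redirect(LOGIN_PATH);
      }
      return rejection;  // AngularJS would return $q.reject(rejection) here
    },
  };
}

// Minimal synchronous stand-in for $http: run the request interceptor, call
// the backend, and route non-2xx results through responseError.
function httpWithInterceptor(interceptor, backend, config) {
  const cfg = interceptor.request(Object.assign({ headers: {} }, config));
  const response = backend(cfg);
  if (response.status >= 200 && response.status < 300) return response;
  return interceptor.responseError(Object.assign({ config: cfg }, response));
}

// Fake Solr node (constructed): challenges with 401 unless the expected
// Basic credential is present, mirroring what a Basic Auth plugin returns.
function fakeSolr(expectedCredential) {
  return (cfg) => cfg.headers.Authorization === expectedCredential
    ? { status: 200, data: { responseHeader: { status: 0 } } }
    : { status: 401, headers: { 'WWW-Authenticate': 'Basic realm="solr"' } };
}
```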

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)