[
https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16444877#comment-16444877
]
Jan Høydahl commented on SOLR-7896:
-----------------------------------
{quote}What I do advocate is that the html pages (except maybe a special login
page?) be similarly protected, not because they require protection for security
reasons, but because a set of non-functional html pages that don't work
properly without login can only confuse the user if rendered. We should only
show the user pages that can provide full functionality.
{quote}
Exactly. What I'm currently about to do in this issue is to add that login
page. But since it is fully legal to configure Solr's authentication such that
you only protect e.g. {{security-edit}} or some admin resources, while the rest
of the system can be used anonymously, the UI should not request login until it
is actually required.
That's what the {{WWW-Authenticate}} headers are all about. Solr auth plugins
will already today send such headers to the client if one tries to access a
protected resource. I have implemented an [AngularJS http
interceptor|https://docs.angularjs.org/api/ng/service/$http#interceptors] that
looks for code 401 and this header. The idea is that if an Ajax call results in
401 then we'll redirect the user to the login page. And we'll choose the login page
based on the header, i.e. {{Authorization: Basic xxx}} header will cause the
login page for basic auth etc.
Actually it turned out not to be as straight-forward, since the browser
actually throws up its login dialogue before our Angular app even gets the
chance to look at the HTTP response. The solution is outlined in [this blog
post|http://olefriis.blogspot.no/2014/01/http-basic-authentication-in-angularjs.html]
and involves sending the {{X-Requested-With: XMLHttpRequest}} header from
Admin UI and conditionally changing the {{WWW-Authenticate}} header for
BasicAuth from {{Basic xxx}} to e.g. {{xBasic xxx}} so that our Angular
intercept code understands it but not the browser. For non-Ajax clients you
still get the ordinary header.
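The mechanism described in this comment (the Admin UI tagging its calls as Ajax, the server rewriting the challenge scheme to {{xBasic}} for those calls only, and the interceptor turning a recognised 401 into a redirect), as an added plain-JavaScript example that is not Solr's or Jan's code. The login route {{/solr/#/login/basic}} and the realm value are assumptions, and the AngularJS {{$http}}/{{$q}} plumbing is replaced by plain functions so the code runs stand-alone in Node.

```javascript
// Case-insensitive header lookup, since header names arrive in mixed case.
function header(headers, name) {
  const key = Object.keys(headers || {}).find(k => k.toLowerCase() === name.toLowerCase());
  return key ? headers[key] : undefined;
}

// Server side (what the auth plugin would do): answer a protected resource with
// 401. For Ajax callers, identified by X-Requested-With: XMLHttpRequest, the
// scheme is rewritten "Basic" -> "xBasic" so the browser's own login dialogue
// stays silent; every other client still receives the standard challenge.
function challengeResponse(requestHeaders, realm) {
  const ajax = header(requestHeaders, 'X-Requested-With') === 'XMLHttpRequest';
  const scheme = ajax ? 'xBasic' : 'Basic';
  return { status: 401, headers: { 'WWW-Authenticate': `${scheme} realm="${realm}"` } };
}

// Client side: map the challenge scheme to a login page. The route is an
// assumption for this example, not an actual Admin UI route.
const LOGIN_PAGES = { xbasic: '/solr/#/login/basic' };

function loginPageFor(response) {
  if (response.status !== 401) return null;
  const challenge = header(response.headers, 'WWW-Authenticate') || '';
  const scheme = challenge.split(/\s+/)[0].toLowerCase();
  return LOGIN_PAGES[scheme] || null;          // unknown scheme: let it fail normally
}

// The interceptor itself, in the shape $httpProvider.interceptors expects:
// `request` tags every call as Ajax and attaches the stored credentials,
// `responseError` redirects to the login page on a recognised 401.
function makeInterceptor(getCredentials, redirectTo) {
  return {
    request(config) {
      config.headers = { ...config.headers, 'X-Requested-With': 'XMLHttpRequest' };
      const creds = getCredentials();          // null until the user has logged in
      if (creds) {
        const token = Buffer.from(`${creds.user}:${creds.password}`).toString('base64');
        config.headers.Authorization = `Basic ${token}`;
      }
      return config;
    },
    responseError(response) {
      const page = loginPageFor(response);
      if (page) redirectTo(page);
      return Promise.reject(response);         // AngularJS would use $q.reject here
    },
  };
}
```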
> Add a login page for Solr Administrative Interface
> --------------------------------------------------
>
> Key: SOLR-7896
> URL: https://issues.apache.org/jira/browse/SOLR-7896
> Project: Solr
> Issue Type: New Feature
> Components: Admin UI, security
> Affects Versions: 5.2.1
> Reporter: Aaron Greenspan
> Assignee: Jan Høydahl
> Priority: Major
> Labels: authentication, login, password
> Attachments: dispatchfilter-code.png
>
>
> Now that Solr supports Authentication plugins, the missing piece is to be
> allowed access from Admin UI when authentication is enabled. For this we need
> * Some plumbing in Admin UI that allows the UI to detect 401 responses and
> redirect to login page
> * Possibility to have multiple login pages depending on auth method and
> redirect to the correct one
> * [AngularJS HTTP
> interceptors|https://docs.angularjs.org/api/ng/service/$http#interceptors] to
> add correct HTTP headers on all requests when user is logged in
> This issue should aim to implement some of the plumbing mentioned above, and
> make it work with Basic Auth.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)