Github user d2r commented on a diff in the pull request: https://github.com/apache/storm/pull/2886#discussion_r226363943 --- Diff: docs/SECURITY.md --- @@ -50,17 +50,33 @@ The UI and logviewer processes provide a way to not only see what a cluster is doing, but also manipulate running topologies. In general these processes should not be exposed except to users of the cluster. -Some form of Authentication is typically required, with using java servlet filters +Some form of Authentication is typically required, and can be done using a java servlet filter ```yaml ui.filter: "filter.class" ui.filter.params: "param1":"value1" logviewer.filter: "filter.class" logviewer.filter.params: "param1":"value1" ``` -or by restricting the UI/log viewers ports to only accept connections from local -hosts, and then front them with another web server, like Apache httpd, that can -authenticate/authorize incoming connections and + +The `ui.filter` is an instance of `javax.servlet.Filter` that is intended to +filter all incomming requests to the UI and authenticate the request mapping --- End diff -- `incoming`
---
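Review bot: The removed lines beginning `-or by restricting the UI/log viewers ports to only accept connections from local` take out the only mention of binding the UI and logviewer to local hosts and fronting them with an authenticating web server such as Apache httpd, and nothing in the visible part of the hunk puts that option back. If it is not restored further down in docs/SECURITY.md, keep it as a second option after the YAML block, so that operators who do not deploy a servlet filter still have a documented way to keep these ports off untrusted networks. Two smaller points on the added lines: the new lead-in `and can be done using a java servlet filter` runs straight into the YAML example, so end it with a colon and capitalize "Java"; and the new paragraph describes `ui.filter` only, while the example also sets `logviewer.filter`, so in the visible lines it is unclear whether the same `javax.servlet.Filter` contract applies to the logviewer. Say so explicitly.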