[ 
https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16419090#comment-16419090
 ] 

Gus Heck commented on SOLR-7896:
--------------------------------

{quote}but that risks adding a security risk.
{quote}
Yes, that's my point: I would think that whatever protects the admin UI should 
also protect the APIs by default. More schemes create more attack surface, 
noting that if (as you suggested above) basic auth allows admin UI access, then 
either that UI is completely functionless without additional Kerberos auth as 
well (your example) or the Basic Auth is sufficient for requests from the UI to 
access the APIs (the UI accesses the APIs via JavaScript Ajax requests, I 
believe)... I don't really like the idea of allowing 2 ways (one for admin and 
one for API), but if it's needed for some use case, my point is such a 
configuration should not be default.

> Add a login page for Solr Administrative Interface
> --------------------------------------------------
>
>                 Key: SOLR-7896
>                 URL: https://issues.apache.org/jira/browse/SOLR-7896
>             Project: Solr
>          Issue Type: New Feature
>          Components: Admin UI, security
>    Affects Versions: 5.2.1
>            Reporter: Aaron Greenspan
>            Priority: Major
>              Labels: authentication, login, password
>
> Out of the box, the Solr Administrative interface should require a password 
> that the user is required to set.


