[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16419090#comment-16419090 ]
Gus Heck commented on SOLR-7896:
--------------------------------

{quote}but that risks adding a security risk.
{quote}
Yes, that's my point. I would think that whatever protects the admin UI should also protect the APIs by default. More schemes create more attack surface, noting that if (as you suggested above) basic auth allows admin UI access, then either that UI is completely functionless without additional Kerberos auth as well (your example) or the Basic Auth is sufficient for requests from the UI to access the APIs (the UI accesses the APIs via JavaScript Ajax requests, I believe)...

I don't really like the idea of allowing 2 ways (one for admin and one for API), but if it's needed for some use case, my point is such a configuration should not be default.

> Add a login page for Solr Administrative Interface
> --------------------------------------------------
>
>                 Key: SOLR-7896
>                 URL: https://issues.apache.org/jira/browse/SOLR-7896
>             Project: Solr
>          Issue Type: New Feature
>          Components: Admin UI, security
>    Affects Versions: 5.2.1
>            Reporter: Aaron Greenspan
>            Priority: Major
>              Labels: authentication, login, password
>
> Out of the box, the Solr Administrative interface should require a password
> that the user is required to set.