[ 
https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16425721#comment-16425721
 ] 

Jan Høydahl commented on SOLR-7896:
-----------------------------------

{quote}If you enable authentication (and require it for everything), running 
the admin UI actually does prompt for authentication. But it's not the UI 
*itself* that needs it – when it asks for username/password, it is actually 
requests to Solr's API (being made by your browser – not the Solr server) that 
are being authenticated.
{quote}
Your statement may be true for Basic Authentication since most browsers have 
ootb support for that scheme. But for Auth plugin X which may not even use 
username/passwd at all but some other scheme, your browser will simply display 
the 401 error message or some exception or whatever. And this will happen only 
once you click something in the UI that triggers a request to Solr, which is 
not a very good user experience. But since Solr allows for e.g. wide open 
search while admin or write requests require authentication, the UI should 
probably display the login box on demand whenever it gets a 401 from the server.

The HTTP 401 response when a user tries to access a protected path will also 
include a {{WWW-Authenticate}} header which tells the client (AdminUI) what 
type of auth plugin is used. If we later on add support for more than one auth 
scheme at the same time, then Solr can output a list of supported ones:
{code:java}
WWW-Authenticate: Basic realm="solr"
WWW-Authenticate: Bearer realm="solr"
WWW-Authenticate: OAuth realm="solr"
{code}
I think the first phase of Admin UI login/auth support will be
 # Add a widget to the top/bottom of Admin UI screen that shows auth state, 
e.g.: {{User: George}}
 # Add interceptor for AJAX responses from Solr, identifying 
{{WWW-Authenticate}} header. If no header, just continue as before
 # Add parsing of WWW-Authenticate header: If header(s) exist, check whether 
Admin UI supports one of the auth schemes, if not display error message that 
Admin UI is not compatible with Auth XX, otherwise trigger login screen for 
given scheme
 # Implement login screen for Basic Auth (simple login form) along with an 
AngularJS request interceptor that adds the {{Authorization: Basic ...}} header 
on all requests
 # Implement caching of user credentials in the Webapp
 # Try to make it possible for Auth plugins to provide AdminUI login screens 
and request interceptor implementations, as some sort of HTML5 plugins living 
inside the jar file??

> Add a login page for Solr Administrative Interface
> --------------------------------------------------
>
>                 Key: SOLR-7896
>                 URL: https://issues.apache.org/jira/browse/SOLR-7896
>             Project: Solr
>          Issue Type: New Feature
>          Components: Admin UI, security
>    Affects Versions: 5.2.1
>            Reporter: Aaron Greenspan
>            Priority: Major
>              Labels: authentication, login, password
>
> Out of the box, the Solr Administrative interface should require a password 
> that the user is required to set.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
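
Steps 2 and 3 of the plan in the comment above, as an added example that is not part of the original message or of Solr's Admin UI code: parse the {{WWW-Authenticate}} challenge(s) on a 401 and decide whether to continue, show a login form, or report an unsupported scheme. The names SUPPORTED_SCHEMES, splitOutsideQuotes, parseChallenges and decideAuthAction are hypothetical, and Basic is assumed to be the only scheme the UI supports.

```javascript
// Added example, not Solr code. All names here are hypothetical.
const SUPPORTED_SCHEMES = ['basic']; // assumption: phase one supports Basic only

// Split a header value on commas that sit outside quoted strings.
function splitOutsideQuotes(value) {
  const parts = [];
  let current = '', inQuotes = false;
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (ch === '\\' && inQuotes) { current += ch + (value[++i] || ''); continue; }
    if (ch === '"') inQuotes = !inQuotes;
    if (ch === ',' && !inQuotes) { parts.push(current.trim()); current = ''; }
    else current += ch;
  }
  parts.push(current.trim());
  return parts.filter(Boolean);
}

// Turn one or more WWW-Authenticate values into [{ scheme, params }].
function parseChallenges(headerValues) {
  const challenges = [];
  const param = /^([^\s=",]+)\s*=\s*(.*)$/;
  for (const piece of headerValues.flatMap(splitOutsideQuotes)) {
    let rest = piece;
    if (!param.test(piece)) { // not name=value, so it opens a new challenge
      const [, scheme, tail] = /^(\S+)\s*(.*)$/.exec(piece);
      challenges.push({ scheme: scheme.toLowerCase(), params: {} });
      rest = tail;
    }
    const m = param.exec(rest);
    if (!m || challenges.length === 0) continue;
    const value = m[2].startsWith('"') ? m[2].slice(1, -1).replace(/\\(.)/g, '$1') : m[2];
    challenges[challenges.length - 1].params[m[1].toLowerCase()] = value;
  }
  return challenges;
}

// Decide what the UI does with an AJAX response from Solr.
function decideAuthAction(status, wwwAuthenticateValues) {
  if (status !== 401 || wwwAuthenticateValues.length === 0) {
    return { action: 'continue' }; // no challenge: continue as before
  }
  const offered = parseChallenges(wwwAuthenticateValues);
  const usable = offered.find((c) => SUPPORTED_SCHEMES.includes(c.scheme));
  if (usable) return { action: 'login', scheme: usable.scheme, realm: usable.params.realm };
  return { action: 'incompatible', schemes: offered.map((c) => c.scheme) };
}
```

The realm value comes from the server response, so a login form that shows it should render it as text, not HTML.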
