[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16444859#comment-16444859 ]

Jan Høydahl commented on SOLR-7896:
-----------------------------------

{quote}But now when I test I get the browser prompt on every single load of the 
Admin UI front page, triggered by the browser trying to load a static file.
{quote}
Found it. In {{web.xml}} we have an {{excludePatterns}} list that tries to 
short circuit SolrDispatchFilter/HttpSolrCall for static files:
{quote}Exclude patterns is a list of directories that would be short circuited 
by the SolrDispatchFilter. It includes all Admin UI related static content.
NOTE: It is NOT a pattern but only matches the start of the HTTP ServletPath.
{quote}
However, after the introduction of Authentication (committed four days after 
the excludePatterns actually, at 2015-05-19), the authentication logic is run 
*before* the _excludePatterns_ check, causing e.g. BasicAuthPlugin to request 
authentication through {{WWW-Authenticate}} headers. See relevant code in 
screenshot below:

!dispatchfilter-code.png|width=550!

Moving the short circuit logic before {{authenticateRequest()}} fixed this 
part. Now the browser is allowed to load all static resources even if BasicAuth 
with blockUnknown=true is enabled. But the "/" and "/solr/" endpoints would 
still trigger authentication so I added an exclusion rule in 
{{authenticateRequest()}} right after the check for PKI path exclusion.

> Add a login page for Solr Administrative Interface
> --------------------------------------------------
>
>                 Key: SOLR-7896
>                 URL: https://issues.apache.org/jira/browse/SOLR-7896
>             Project: Solr
>          Issue Type: New Feature
>          Components: Admin UI, security
>    Affects Versions: 5.2.1
>            Reporter: Aaron Greenspan
>            Assignee: Jan Høydahl
>            Priority: Major
>              Labels: authentication, login, password
>         Attachments: dispatchfilter-code.png
>
>
> Now that Solr supports Authentication plugins, the missing piece is to be 
> allowed access from Admin UI when authentication is enabled. For this we need
>  * Some plumbing in Admin UI that allows the UI to detect 401 responses and 
> redirect to login page
>  * Possibility to have multiple login pages depending on auth method and 
> redirect to the correct one
>  * [AngularJS HTTP 
> interceptors|https://docs.angularjs.org/api/ng/service/$http#interceptors] to 
> add correct HTTP headers on all requests when user is logged in
> This issue should aim to implement some of the plumbing mentioned above, and 
> make it work with Basic Auth.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
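
The ordering problem described in the comment above, as an added Java sketch that is not Solr's code and not part of the original message: it models the dispatch decision before and after the change. The prefix list, request paths, class and method names are constructed for illustration.

```java
import java.util.List;
import java.util.Set;

// Simplified model of the filter ordering; hypothetical names, not SolrDispatchFilter itself.
public class DispatchOrderDemo {
    // Constructed prefixes standing in for the excludePatterns list in web.xml.
    static final List<String> EXCLUDE_PREFIXES = List.of("/css/", "/js/", "/img/");
    // Entry points the comment says were exempted inside authenticateRequest().
    static final Set<String> UI_ENTRY_POINTS = Set.of("/", "/solr/");

    enum Outcome { SERVED_STATIC, CHALLENGE_401, PASSED_TO_HANDLER }

    // Prefix match only: compares against the start of the servlet path.
    static boolean isExcluded(String servletPath) {
        return EXCLUDE_PREFIXES.stream().anyMatch(servletPath::startsWith);
    }

    // Stand-in for an auth plugin with blockUnknown=true: no credentials means a challenge.
    static boolean authenticate(String path, boolean hasCredentials, boolean exemptEntryPoints) {
        if (exemptEntryPoints && UI_ENTRY_POINTS.contains(path)) return true;
        return hasCredentials;
    }

    // Ordering before the change: authentication runs ahead of the exclusion check.
    static Outcome before(String path, boolean hasCredentials) {
        if (!authenticate(path, hasCredentials, false)) return Outcome.CHALLENGE_401;
        return isExcluded(path) ? Outcome.SERVED_STATIC : Outcome.PASSED_TO_HANDLER;
    }

    // Ordering after the change: excluded paths short-circuit first, entry points are exempt.
    static Outcome after(String path, boolean hasCredentials) {
        if (isExcluded(path)) return Outcome.SERVED_STATIC;
        if (!authenticate(path, hasCredentials, true)) return Outcome.CHALLENGE_401;
        return Outcome.PASSED_TO_HANDLER;
    }

    public static void main(String[] args) {
        // Constructed paths, all without credentials, like a browser's first page load.
        String[] paths = { "/", "/solr/", "/css/menu.css", "/js/app.js", "/api/example" };
        for (String p : paths) {
            System.out.printf("%-16s before=%-18s after=%s%n",
                    p, before(p, false), after(p, false));
        }
    }
}
```

Because the exclusion is a prefix match that now runs ahead of authentication, every path beneath a listed prefix is served without credentials, so the list should name static-content directories only.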
