[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16444859#comment-16444859 ]
Jan Høydahl commented on SOLR-7896:
-----------------------------------

{quote}But now when I test I get the browser prompt on every single load of the Admin UI front page, triggered by the browser trying to load a static file.
{quote}

Found it. In {{web.xml}} we have an {{excludePatterns}} list that tries to short circuit SolrDispatchFilter/HttpSolrCall for static files:
{quote}Exclude patterns is a list of directories that would be short circuited by the SolrDispatchFilter. It includes all Admin UI related static content. NOTE: It is NOT a pattern but only matches the start of the HTTP ServletPath.
{quote}

However, after the introduction of Authentication (committed four days after the excludePatterns actually, at 2015-05-19), the authentication logic is run *before* the _excludePatterns_ check, causing e.g. BasicAuthPlugin to request authentication through {{WWW-Authenticate}} headers. See relevant code in screenshot below:

!dispatchfilter-code.png|width=550!

Moving the short circuit logic before {{authenticateRequest()}} fixed this part. Now the browser is allowed to load all static resources even if BasicAuth with blockUnknown=true is enabled. But the "/" and "/solr/" endpoints would still trigger authentication so I added an exclusion rule in {{authenticateRequest()}} right after the check for PKI path exclusion.

> Add a login page for Solr Administrative Interface
> --------------------------------------------------
>
>                 Key: SOLR-7896
>                 URL: https://issues.apache.org/jira/browse/SOLR-7896
>             Project: Solr
>          Issue Type: New Feature
>          Components: Admin UI, security
>    Affects Versions: 5.2.1
>            Reporter: Aaron Greenspan
>            Assignee: Jan Høydahl
>            Priority: Major
>              Labels: authentication, login, password
>         Attachments: dispatchfilter-code.png
>
>
> Now that Solr supports Authentication plugins, the missing piece is to be
> allowed access from Admin UI when authentication is enabled.
> For this we need
> * Some plumbing in Admin UI that allows the UI to detect 401 responses and
> redirect to login page
> * Possibility to have multiple login pages depending on auth method and
> redirect to the correct one
> * [AngularJS HTTP
> interceptors|https://docs.angularjs.org/api/ng/service/$http#interceptors] to
> add correct HTTP headers on all requests when user is logged in
> This issue should aim to implement some of the plumbing mentioned above, and
> make it work with Basic Auth.
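The ordering change described in the comment above, as an added example that is not part of the original message and is not Solr's code. The class name, prefix list, exempt paths and credential check are hypothetical stand-ins that model the flow on a plain path string.

```java
import java.util.List;
import java.util.Set;

// Simplified model of the request flow in the comment above. All names,
// prefixes and paths are hypothetical; this is not Solr's filter code.
public class DispatchOrderDemo {
    // Constructed static-content prefixes, matched against the start of the path only.
    static final List<String> EXCLUDED_PREFIXES = List.of("/css/", "/js/", "/img/");
    // The two entry points named in the comment, exempted by exact match:
    // a prefix entry of "/" would match every path and disable authentication.
    static final Set<String> AUTH_EXEMPT_EXACT = Set.of("/", "/solr/");

    static boolean isExcluded(String path) {
        return EXCLUDED_PREFIXES.stream().anyMatch(path::startsWith);
    }

    // Stand-in for a plugin with blockUnknown=true: no credentials, no access.
    static boolean authenticate(String authorizationHeader) {
        return authorizationHeader != null;
    }

    // Order described as the problem: authentication runs before the exclusion check.
    static String authFirst(String path, String authz) {
        if (!authenticate(authz)) return "401 + WWW-Authenticate";
        return isExcluded(path) ? "200 static file" : "200 dispatched";
    }

    // Order after the change: static short circuit first, then exact-match exemption.
    static String excludeFirst(String path, String authz) {
        if (isExcluded(path)) return "200 static file";
        if (!AUTH_EXEMPT_EXACT.contains(path) && !authenticate(authz)) {
            return "401 + WWW-Authenticate";
        }
        return "200 dispatched";
    }

    public static void main(String[] args) {
        // Constructed paths, all requested without credentials.
        for (String p : List.of("/", "/css/menu.css", "/cssx/menu.css", "/admin/cores")) {
            System.out.printf("%-16s before: %-24s after: %s%n",
                    p, authFirst(p, null), excludeFirst(p, null));
        }
    }
}
```

Once the exclusion check runs first, everything under a listed prefix is served without authentication, so the list should name only directories that hold static content.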