The reason why we bypass that is so that we don't hit the authentication
plugin for every request that comes in for static content. I think we could
call the authentication plugin for that, but that'd be overkill. Better
experience? Yes.

On Tue, Nov 10, 2015 at 11:24 AM, Upayavira <u...@odoko.co.uk> wrote:

> Noble,
>
> I get that a UI which is open source does not benefit from ACL control -
> we're not giving away anything that isn't public (other than perhaps
> info that could be used to identify the version of Solr, or even the
> fact that it *is* solr).
>
> However, from a user experience point of view, requiring credentials to
> see the UI would be more conventional, and therefore lead to less
> confusion. Is it possible for us to protect the UI static files, only
> for the sake of user experience, rather than security?
>
> Upayavira
>
> On Tue, Nov 10, 2015, at 12:01 PM, Noble Paul wrote:
> > The admin UI is a bunch of static pages. We don't let the ACL control
> > static content.
> >
> > You must blacklist all the core/collection APIs and it is pretty much
> > useless for anyone to access the admin UI (w/o the credentials, of
> > course).
> >
> > On Tue, Nov 10, 2015 at 7:08 AM, 马柏樟 <mabaizh...@126.com> wrote:
> > > Hi,
> > >
> > > After I configure Authentication with Basic Authentication Plugin and
> > > Authorization with Rule-Based Authorization Plugin, how can I prevent
> > > strangers from visiting my Solr by browser? For example, if the stranger
> > > visits http://(my host):8983, the browser will pop up a window and
> > > say "the server http://(my host):8983 requires a username and
> > > password...."
> >
> >
> >
> > --
> > -----------------------------------------------------
> > Noble Paul
>



-- 
Anshum Gupta
