It has a cost :)

I think it'd make sense to restrict access to /admin and not really bother
about .css/js etc. So if a user tries to access an image from the admin UI
directly, the request would go through but that should be fine.

On Tue, Nov 10, 2015 at 12:22 PM, Upayavira <u...@odoko.co.uk> wrote:

> Is the authentication plugin that expensive?
>
> I can help by minifying the UI down to a smaller number of CSS/JS/etc
> files :-)
>
> It may be overkill, but it would also give better experience. And isn't
> that what most applications do? Check authentication tokens on every
> request?
>
> Upayavira
>
> On Tue, Nov 10, 2015, at 07:33 PM, Anshum Gupta wrote:
> > The reason why we bypass that is so that we don't hit the authentication
> > plugin for every request that comes in for static content. I think we
> > could call the authentication plugin for that but that'd be an overkill.
> > Better experience? Yes.
> >
> > On Tue, Nov 10, 2015 at 11:24 AM, Upayavira <u...@odoko.co.uk> wrote:
> >
> > > Noble,
> > >
> > > I get that a UI which is open source does not benefit from ACL control -
> > > we're not giving away anything that isn't public (other than perhaps
> > > info that could be used to identify the version of Solr, or even the
> > > fact that it *is* Solr).
> > >
> > > However, from a user experience point of view, requiring credentials to
> > > see the UI would be more conventional, and therefore lead to less
> > > confusion. Is it possible for us to protect the UI static files, only
> > > for the sake of user experience, rather than security?
> > >
> > > Upayavira
> > >
> > > On Tue, Nov 10, 2015, at 12:01 PM, Noble Paul wrote:
> > > > The admin UI is a bunch of static pages. We don't let the ACL control
> > > > static content.
> > > >
> > > > You must blacklist all the core/collection APIs and it is pretty much
> > > > useless for anyone to access the admin UI (w/o the credentials, of
> > > > course).
> > > >
> > > > On Tue, Nov 10, 2015 at 7:08 AM, 马柏樟 <mabaizh...@126.com> wrote:
> > > > > Hi,
> > > > >
> > > > > After I configure Authentication with Basic Authentication Plugin
> > > > > and Authorization with Rule-Based Authorization Plugin, how can I
> > > > > prevent strangers from visiting my Solr by browser? For example, if
> > > > > the stranger visits http://(my host):8983, the browser will pop up a
> > > > > window and says "the server http://(my host):8983 requires a username
> > > > > and password...."
> > > >
> > > >
> > > >
> > > > --
> > > > -----------------------------------------------------
> > > > Noble Paul
> > >
> >
> >
> >
> > --
> > Anshum Gupta
>



-- 
Anshum Gupta
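
The routing proposed in the message above (authenticate /admin, let static assets through), as an added example that is not Solr's code or part of the original thread. The extension list, the `/admin` prefix handling and the function name are assumptions; the decision is made on the normalized path only, so a query string or a `..` segment cannot make an API request look like a static file.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Assumption: file extensions treated as static UI assets.
STATIC_EXTENSIONS = {".css", ".js", ".png", ".gif", ".ico", ".svg"}
# Assumption: prefix that always goes through the authentication plugin.
PROTECTED_PREFIX = "/admin"


def needs_authentication(raw_url: str) -> bool:
    """Return True when the request should reach the authentication plugin."""
    # Only the path component decides; query strings and fragments are ignored.
    path = unquote(urlsplit(raw_url).path)
    # Drop ";param" suffixes so the extension is read from the real segment.
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    # Collapse "." and ".." before matching; keep exactly one leading slash.
    path = posixpath.normpath("/" + "/".join(segments).lstrip("/"))

    # Everything under the protected prefix is authenticated, assets included.
    if path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/"):
        return True

    # Outside the prefix, only known static extensions skip the plugin;
    # any other path (UI entry page, query handlers) is authenticated.
    extension = posixpath.splitext(path)[1].lower()
    return extension not in STATIC_EXTENSIONS


if __name__ == "__main__":
    # Constructed sample requests, not taken from a real deployment.
    for url in (
        "http://example.invalid:8983/",
        "http://example.invalid:8983/img/logo.png",
        "http://example.invalid:8983/admin/cores?file=a.css",
        "http://example.invalid:8983/css/../admin/cores",
    ):
        print(url, "->", "authenticate" if needs_authentication(url) else "bypass")
```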
