Posted to dev@lucene.apache.org by "Jan Høydahl (JIRA)" <ji...@apache.org> on 2018/04/04 15:30:00 UTC

[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface

    [ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16425721#comment-16425721 ] 

Jan Høydahl commented on SOLR-7896:
-----------------------------------

{quote}If you enable authentication (and require it for everything), running the admin UI actually does prompt for authentication. But it's not the UI *itself* that needs it – when it asks for username/password, it is actually requests to Solr's API (being made by your browser – not the Solr server) that are being authenticated.
{quote}
Your statement may be true for Basic Authentication since most browsers have ootb support for that scheme. But for Auth plugin X which may not even use username/passwd at all but some other scheme, your browser will simply display the 401 error message or some exception or whatever. And this will happen only once you click something in the UI that triggers a request to Solr, which is not a very good user experience. But since Solr allows for e.g. wide open search while admin or write requests require authentication, the UI should probably display the login box on demand whenever it gets a 401 from the server.

The HTTP 401 response when a user tries to access a protected path will also include a {{WWW-Authenticate}} header which tells the client (AdminUI) what type of auth plugin is used. If we later on add support for more than one auth scheme at the same time, then Solr can output a list of supported ones:
{code:java}
WWW-Authenticate: Basic realm="solr"
WWW-Authenticate: Bearer realm="solr"
WWW-Authenticate: OAuth realm="solr"
{code}
I think the first phase of Admin UI login/auth support will be
 # Add a widget to the top/bottom of Admin UI screen that shows auth state, e.g.: {{User: George}}
 # Add interceptor for AJAX responses from Solr, identifying {{WWW-Authenticate}} header. If no header, just continue as before
 # Add parsing of WWW-Authenticate header: If header(s) exist, check whether Admin UI supports one of the auth schemes, if not display error message that Admin UI is not compatible with Auth XX, otherwise trigger login screen for given scheme
 # Implement login screen for Basic Auth (simple login form) along with an AngularJS request interceptor that adds the {{Authorization: Basic ...}} header on all requests
 # Implement caching of user credentials in the Webapp
 # Try to make it possible for Auth plugins to provide AdminUI login screens and request interceptor implementations, as some sort of HTML5 plugins living inside the jar file??

> Add a login page for Solr Administrative Interface
> --------------------------------------------------
>
>                 Key: SOLR-7896
>                 URL: https://issues.apache.org/jira/browse/SOLR-7896
>             Project: Solr
>          Issue Type: New Feature
>          Components: Admin UI, security
>    Affects Versions: 5.2.1
>            Reporter: Aaron Greenspan
>            Priority: Major
>              Labels: authentication, login, password
>
> Out of the box, the Solr Administrative interface should require a password that the user is required to set.



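The 401 handling described in steps 2 and 3 of the comment above, as an added example that is not code from Solr or from the comment's author: it parses one or more {{WWW-Authenticate}} values, including several challenges in one comma-separated value, and decides whether to continue, show a login screen, or report an unsupported scheme. The names `SUPPORTED`, `parseChallenges` and `decideAuthAction` are hypothetical, and the sketch assumes a UI that only has a Basic login form.

```javascript
// Added example; not Solr Admin UI code. All names here are hypothetical.
const SUPPORTED = ['basic']; // schemes this hypothetical UI has a login form for
const TOKEN = "[A-Za-z0-9!#$%&'*+.^_`|~-]+";
const PARAM = new RegExp(`^(${TOKEN})\\s*=\\s*(?:"((?:[^"\\\\]|\\\\.)*)"|([^\\s",]+))$`);
const SCHEME = new RegExp(`^(${TOKEN})(?:\\s+(.*))?$`);

function addParam(challenge, m) {
  // m[2] is a quoted-string body (unescape it), m[3] an unquoted token.
  const value = m[2] !== undefined ? m[2].replace(/\\(.)/g, '$1') : m[3];
  challenge.params[m[1].toLowerCase()] = value;
}

// Parse WWW-Authenticate header values into [{scheme, params}]. One value may
// hold several comma-separated challenges, which is also what fetch's
// headers.get() returns when the server sent the header more than once.
function parseChallenges(headerValues) {
  const challenges = [];
  for (const value of headerValues) {
    // Split on commas that are outside quoted strings.
    const items = value.match(/(?:[^,"]|"(?:[^"\\]|\\.)*")+/g) || [];
    for (const raw of items) {
      const item = raw.trim();
      const param = PARAM.exec(item);
      if (param && challenges.length) { // auth-param of the current challenge
        addParam(challenges[challenges.length - 1], param);
        continue;
      }
      const start = SCHEME.exec(item);
      if (!start) continue; // empty or malformed item: ignore it
      const challenge = { scheme: start[1].toLowerCase(), params: {} };
      challenges.push(challenge);
      const first = start[2] && PARAM.exec(start[2].trim());
      if (first) addParam(challenge, first);
    }
  }
  return challenges;
}

// Decide what the UI does with a response from Solr.
function decideAuthAction(status, headerValues) {
  if (status !== 401 || headerValues.length === 0) return { action: 'continue' };
  const offered = parseChallenges(headerValues);
  const usable = offered.find((c) => SUPPORTED.includes(c.scheme));
  if (usable) return { action: 'login', scheme: usable.scheme, realm: usable.params.realm };
  return { action: 'unsupported', schemes: offered.map((c) => c.scheme) };
}
```

Matching scheme names case-insensitively and splitting only on commas outside quoted strings keeps a realm such as `"so, lr"` from being read as a second challenge.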