[ https://issues.apache.org/jira/browse/SOLR-17659?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17925320#comment-17925320 ]
Gus Heck commented on SOLR-17659:
---------------------------------

I suspect you probably already intend it but to be explicit I think we also want these criteria.

* Authentication is not required to see the login form (pretty obvious)
* _*Only*_ the login form and its dedicated images/js/css can be viewed without authentication; no other services or files are available (and no info useful to attackers about the version of Solr or Jetty etc. is exposed)

Additionally I think rather than "basic auth" this should work with "whatever auth is configured for Solr as a whole". So if they are using JWT, the login should redirect to the JWT token provider login, and if they have the appropriate token already, it should not show up.

I think the best strategy is to have this be an entirely separate application context so that it just simply has no access to any Solr code at all, and have a servlet filter around the Solr stuff that redirects to it if authentication is not satisfied. I know this is pretty far out of the UI realm, but login page design really has to work with a backend, and the way we do it now we are already well into SolrDispatchFilter before auth is checked... which makes it hard to protect the UI in the same manner as the services.

Finally, in the design I don't understand "back" or what Start Screen would be in the criteria above. If authentication is enabled, there should be nothing visible other than the login screen (and its required resources).

> Implement basic authentication in Admin UI
> ------------------------------------------
>
>                 Key: SOLR-17659
>                 URL: https://issues.apache.org/jira/browse/SOLR-17659
>             Project: Solr
>          Issue Type: New Feature
>          Components: Admin UI
>            Reporter: Christos Malliaridis
>            Priority: Major
>              Labels: new-ui, ui
>
> In the new UI one of the key features that is not implemented yet is user authentication. In order to secure and securely access Solr, the user should be able to authenticate against a Solr instance with basic credentials.
>
> h2. Task
>
> Implement basic user authentication (with credentials) according to the [new designs|https://www.figma.com/design/VdbEfcWQ8mirFNquBzbPk2/Apache-Solr-Admin-UI-v2-Concept?node-id=1190-388&t=vMgOa9QlzQZSdjLf-1].
>
> h2. Acceptance Criteria
>
> - The user can access a Solr instance that has user authentication enabled
> - The user can at least authenticate with credentials (basic auth)
> - The credentials form is displayed after the user has established a connection with a Solr instance, that is, after a Solr instance was found
> - The user can return to the start screen where the Solr URL was provided, if he decides to abort the authentication step
> - The user is no longer redirected to the dashboard or any other screen if user authentication is required
> - The credentials are used for any subsequent request
>
> h2. Additional Information
>
> The support for additional authentication options does not have to be addressed in this issue. If it proves to be straight-forward, feel free to implement additional auth options as well.
>
> The credentials do not have to survive an application restart (desktop). Storing credentials securely will be addressed in a separate issue.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
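The separate-login-context-plus-filter arrangement described in the comment above, as an added example; this is illustrative code written for this page, not Solr's own. It assumes the javax.servlet API that Solr's Jetty stack exposes, a hypothetical `/login` application context, and a hypothetical `AuthCheck` hook standing in for whatever authentication plugin is configured (basic, JWT, ...). The allowlist is the point: only the form and its static assets pass without credentials, a browser that is not authenticated is redirected to the login location (which for JWT can be the provider's own login), and nothing on the unauthenticated path reaches Solr code.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not Solr code) wrapped around the protected services and
 * admin UI. Only the separate login context's own resources pass unauthenticated;
 * every other request must satisfy whatever auth is configured for the server.
 */
public class LoginGateFilter implements Filter {

    /** Assumed hook onto the server-wide authentication scheme. */
    public interface AuthCheck {
        /** True if the request already carries credentials the configured scheme accepts. */
        boolean isSatisfied(HttpServletRequest req);
        /** Where to send a browser: the local form, or the JWT provider's login page. */
        String loginLocation();
    }

    /** Hypothetical mount point of the login application context. */
    static final String LOGIN_CONTEXT = "/login";
    private static final Set<String> LOGIN_ASSET_SUFFIXES =
            Set.of(".html", ".js", ".css", ".png", ".svg", ".ico", ".woff2");

    private final AuthCheck auth;

    public LoginGateFilter(AuthCheck auth) {
        this.auth = auth;
    }

    /** Allowlist, not denylist: only the form and its static assets under /login pass. */
    static boolean isLoginResource(String path) {
        if (!path.startsWith(LOGIN_CONTEXT)) return false;
        String rel = path.substring(LOGIN_CONTEXT.length());
        if (rel.isEmpty() || rel.equals("/")) return true;            // the form itself
        if (!rel.startsWith("/") || rel.contains("..")) return false;   // "/loginx", traversal
        for (String suffix : LOGIN_ASSET_SUFFIXES) {
            if (rel.endsWith(suffix)) return true;
        }
        return false;
    }

    /**
     * A post-login "return to" value must stay on this server: one leading slash,
     * no scheme, no protocol-relative "//host", no header-injection characters.
     * Anything else falls back to "/" so the login page cannot become an open redirect.
     */
    static String safeReturnPath(String next) {
        if (next == null || !next.startsWith("/") || next.startsWith("//")
                || next.startsWith("/\\") || next.contains("\r") || next.contains("\n")) {
            return "/";
        }
        return next;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        String path = req.getRequestURI();
        if (isLoginResource(path) || auth.isSatisfied(req)) {
            chain.doFilter(request, response);
            return;
        }

        resp.setHeader("Cache-Control", "no-store");
        String accept = req.getHeader("Accept");
        if (accept != null && accept.contains("text/html")) {
            // Browser: hand off to the login context (or the external JWT provider),
            // carrying only a validated same-origin path to come back to.
            String location = auth.loginLocation();
            String sep = location.contains("?") ? "&" : "?";
            String next = URLEncoder.encode(safeReturnPath(path), StandardCharsets.UTF_8);
            resp.sendRedirect(location + sep + "next=" + next);
        } else {
            // API client: a bare status with an empty body. Deliberately not sendError(),
            // whose default container error page can name the servlet engine and version,
            // which is exactly the information the criteria above say must not leak.
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            resp.setContentLength(0);
        }
    }
}
```

Two checks a practitioner would want beyond the filter itself: the `next` guard above is what keeps the login page from being usable as an open redirector, and the version-disclosure criterion cannot be met by a filter alone, since Jetty adds its own `Server` and `X-Powered-By` headers and error pages; those are controlled by Jetty's `HttpConfiguration` (`sendServerVersion`, `sendXPoweredBy`) and the error handler, so they need to be turned off in the server configuration for both the login context and the protected one.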