Everything requires explicit rules. If you wish to protect "/update/*", create a permission with name "update" and assign a role for the same. If you don't have an explicit rule, those paths are accessible by all.

On Wed, Nov 18, 2015 at 8:10 PM, Jan Høydahl <jan....@cominvent.com> wrote:
> I tried out BasicAuthPlugin today.
> Surprised that the admin UI is not protected.
> But even more surprised that only /select seems to be protected for not
> logged in users.
> I can create collections and /update documents without being prompted for pw.
>
> My security.json is https://gist.github.com/janhoy/d18854c75461816fb947
>
> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.cominvent.com
>
>> On 18 Nov 2015 at 14:54, Noble Paul <noble.p...@gmail.com> wrote:
>>
>> As of now the admin-ui calls are not protected. The static calls are
>> served by jetty and it bypasses the authentication mechanism
>> completely. If the admin UI relies on some API call which is served by
>> Solr.
>> The other option is to revamp the framework to take care of admin UI
>> (static content) as well. This would be a cleaner solution.
>>
>>
>> On Wed, Nov 18, 2015 at 2:32 PM, Upayavira <u...@odoko.co.uk> wrote:
>>> Not sure I quite understand.
>>>
>>> You're saying that the cost for the UI is not large, but then suggesting
>>> we protect just one resource (/admin/security-check)?
>>>
>>> Why couldn't we create the permission called 'admin-ui' and protect
>>> everything under /admin/ui/ for example? Along with the root HTML link
>>> too.
>>>
>>> Upayavira
>>>
>>> On Wed, Nov 18, 2015, at 07:46 AM, Noble Paul wrote:
>>>> The authentication plugin is not expensive if you are talking in the
>>>> context of admin UI. After all it is used not like 100s of requests
>>>> per second.
>>>>
>>>> The simplest solution would be
>>>>
>>>> provide a well known permission name called "admin-ui"
>>>>
>>>> ensure that every admin page load makes a call to some resource say
>>>> "/admin/security-check"
>>>>
>>>> Then we can just protect that.
>>>>
>>>> The only concern that I have is the false sense of security it would
>>>> give to the user
>>>>
>>>> But, that is a different point altogether
>>>>
>>>> On Wed, Nov 11, 2015 at 1:52 AM, Upayavira <u...@odoko.co.uk> wrote:
>>>>> Is the authentication plugin that expensive?
>>>>>
>>>>> I can help by minifying the UI down to a smaller number of CSS/JS/etc
>>>>> files :-)
>>>>>
>>>>> It may be overkill, but it would also give better experience. And isn't
>>>>> that what most applications do? Check authentication tokens on every
>>>>> request?
>>>>>
>>>>> Upayavira
>>>>>
>>>>> On Tue, Nov 10, 2015, at 07:33 PM, Anshum Gupta wrote:
>>>>>> The reason why we bypass that is so that we don't hit the authentication
>>>>>> plugin for every request that comes in for static content. I think we
>>>>>> could call the authentication plugin for that but that'd be an overkill.
>>>>>> Better experience? yes
>>>>>>
>>>>>> On Tue, Nov 10, 2015 at 11:24 AM, Upayavira <u...@odoko.co.uk> wrote:
>>>>>>
>>>>>>> Noble,
>>>>>>>
>>>>>>> I get that a UI which is open source does not benefit from ACL control -
>>>>>>> we're not giving away anything that isn't public (other than perhaps
>>>>>>> info that could be used to identify the version of Solr, or even the
>>>>>>> fact that it *is* solr).
>>>>>>>
>>>>>>> However, from a user experience point of view, requiring credentials to
>>>>>>> see the UI would be more conventional, and therefore lead to less
>>>>>>> confusion. Is it possible for us to protect the UI static files, only
>>>>>>> for the sake of user experience, rather than security?
>>>>>>>
>>>>>>> Upayavira
>>>>>>>
>>>>>>> On Tue, Nov 10, 2015, at 12:01 PM, Noble Paul wrote:
>>>>>>>> The admin UI is a bunch of static pages. We don't let the ACL control
>>>>>>>> static content
>>>>>>>>
>>>>>>>> you must blacklist all the core/collection apis and it is pretty much
>>>>>>>> useless for anyone to access the admin UI (w/o the credentials, of
>>>>>>>> course)
>>>>>>>>
>>>>>>>> On Tue, Nov 10, 2015 at 7:08 AM, 马柏樟 <mabaizh...@126.com> wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> After I configure Authentication with Basic Authentication Plugin and
>>>>>>>>> Authorization with Rule-Based Authorization Plugin, how can I prevent
>>>>>>>>> the strangers from visiting my solr by browser? For example, if the
>>>>>>>>> stranger visits the http://(my host):8983, the browser will pop up a
>>>>>>>>> window and says "the server http://(my host):8983 requires a username
>>>>>>>>> and password...."
>>>>>>>>
>>>>>>>> --
>>>>>>>> -----------------------------------------------------
>>>>>>>> Noble Paul
>>>>>>
>>>>>> --
>>>>>> Anshum Gupta
>>>>
>>>> --
>>>> -----------------------------------------------------
>>>> Noble Paul
>>
>> --
>> -----------------------------------------------------
>> Noble Paul
>

--
-----------------------------------------------------
Noble Paul
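The point at the top of the thread, that the rule-based authorization plugin only restricts paths an explicit permission names and leaves everything else open, is easy to check for in a security.json. The script below is an added example, not code from this thread or from the Solr project. It embeds two constructed security.json documents (a weak one with only a "read" rule, mirroring the situation Jan describes, and a hardened one with explicit rules for indexing, collection admin and security edits) and reports which of a constructed list of sensitive request paths no rule covers. Its matching is a deliberate simplification and an assumption of the example: a permission's "path" is treated as an exact path or a trailing "/*" glob, and the predefined names "read", "update", "collection-admin-edit" and "security-edit" are expanded through a small constructed table, whereas Solr's real matcher also looks at collections, handler classes and request params. The credential value is a placeholder, not a real hash. Static admin-UI files are intentionally not in the probe list, since the thread notes Jetty serves them without consulting the plugin, so no rule could cover them anyway.

```python
"""Audit a Solr security.json for request paths no authorization rule covers."""
import json

# Predefined permission names -> paths this example treats them as covering.
# ASSUMPTION: a constructed, simplified table; Solr's real predefined
# permissions are matched on handlers and params, not only on paths.
PREDEFINED_PATHS = {
    "read": ["/select", "/get", "/export"],
    "update": ["/update/*", "/update"],
    "collection-admin-edit": ["/admin/collections"],
    "security-edit": ["/admin/authentication", "/admin/authorization"],
}

# Request paths worth checking (constructed list for this example).
SENSITIVE_PATHS = [
    "/select",
    "/update",
    "/update/json/docs",
    "/admin/collections",
    "/admin/cores",
    "/admin/authorization",
]

# Constructed security.json mirroring the thread: BasicAuth is on, but the
# only explicit rule is "read", so indexing and admin calls stay open.
# The credential value is a placeholder, not a real hash.
WEAK_SECURITY_JSON = json.dumps({
    "authentication": {
        "class": "solr.BasicAuthPlugin",
        "credentials": {"solr": "<sha256-hash> <salt>"},
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "user-role": {"solr": "admin"},
        "permissions": [{"name": "read", "role": "admin"}],
    },
})

# Same file with an explicit rule for every sensitive path, as the answer in
# the thread prescribes ("update" for /update/*, plus admin rules). The
# "/admin/cores" entry shows a custom path-based permission (hypothetical name).
HARDENED_SECURITY_JSON = json.dumps({
    "authentication": {
        "class": "solr.BasicAuthPlugin",
        "credentials": {"solr": "<sha256-hash> <salt>"},
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "user-role": {"solr": "admin"},
        "permissions": [
            {"name": "read", "role": "admin"},
            {"name": "update", "role": "admin"},
            {"name": "collection-admin-edit", "role": "admin"},
            {"name": "security-edit", "role": "admin"},
            {"name": "core-admin", "path": "/admin/cores", "role": "admin"},
        ],
    },
})


def permission_paths(permission):
    """Paths one permission entry protects: its explicit "path", or the paths
    this example associates with a predefined name (unknown names cover none)."""
    if "path" in permission:
        return [permission["path"]]
    return PREDEFINED_PATHS.get(permission.get("name", ""), [])


def path_matches(path, pattern):
    """Exact match, or prefix match for a trailing "/*" glob (assumed semantics)."""
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return path == pattern


def unprotected_paths(security_json_text, paths=SENSITIVE_PATHS):
    """Return the paths that no permission in the config covers.

    A missing "authorization" section means no rules at all, so every path is
    reported: the plugin is fail-open, which is the behaviour the thread warns about."""
    config = json.loads(security_json_text)
    permissions = config.get("authorization", {}).get("permissions", [])
    patterns = [pat for perm in permissions for pat in permission_paths(perm)]
    return [p for p in paths if not any(path_matches(p, pat) for pat in patterns)]


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SECURITY_JSON), ("hardened", HARDENED_SECURITY_JSON)):
        open_paths = unprotected_paths(text)
        print(f"{label}: {len(open_paths)} unprotected path(s)")
        for p in open_paths:
            print("  open to anonymous:", p)
```

Run against the weak config it lists /update, /update/json/docs and the three admin paths as open to anonymous clients; against the hardened config it lists nothing. Because the predefined-name table is a simplification, treat a "covered" verdict as a first pass and confirm it with an unauthenticated request against a test instance.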