Thanks. Lions like the «all» permission actually blocks access to the AdminGui servlet so we won’t even serve the static UI files :)
Please open a JIRA issue for this. You can open another JIRA for the “empty password” issue. We should be consistent so if we allow creation of user with empty pw then it should be possible to enter it. Or we could disallow empty pw in the API :) Jan Høydahl > 23. mar. 2019 kl. 18:37 skrev a...@sigil.red: > > Hi > > Here is the curl: >> $ curl -I http://localhost:8080/solr/ >> HTTP/1.1 401 Unauthorized request, Response code: 401 >> Cache-Control: must-revalidate,no-cache,no-store >> Content-Type: text/html;charset=iso-8859-1 >> Content-Length: 299 > And the screenshot: https://i.imgur.com/PMTE3nR.png > > I'll also note that it's wonderfully easy to reproduce: > 1. unpack solr-8.0.0.zip > 2. copy the security.json example from > https://lucene.apache.org/solr/guide/7_7/basic-authentication-plugin.html > into server/solr/ and replace "name":"security-edit" with "name":"all" > 3. start with bin/solr -f -p 8080 > 4. open http://localhost:8080/ > > Thanks for looking into it! > > Best regards > > >> On 23/03/2019 19:03, Jan Høydahl wrote: >> Hi >> >> Can you take a screenshot of the 401 error page you see (without login form)? >> >> Also, perhaps you could do a curl -I (show headers) request to your Solr and >> show what headers that Solr returns instead of the www-authenticate header? >> >> Jan >> >>> 23. mar. 2019 kl. 15:34 skrev a...@sigil.red: >>> >>> Hi >>> >>> SOLR-7896 made some changes to the admin ui login. After the changes I can >>> no longer log in at all. >>> >>> I'm running standalone solr 7.7 (same with 8.0) with the following >>> security.json: >>> >>>> { >>>> "authentication": { >>>> "class": "solr.BasicAuthPlugin", >>>> "blockUnknown": true, >>>> "credentials": { >>>> "solr": "<hash for empty password string>" >>>> }, >>>> }, >>>> "authorization": { >>>> "class": "solr.RuleBasedAuthorizationPlugin", >>>> "permissions": [ >>>> { >>>> "name": "all", >>>> "role": "admin" >>>> } >>>> ], >>>> "user-role": { >>>> "solr": "admin" >>>> } >>>> } >>>> } >>> Opening the UI at http://localhost:8080/solr/ shows an error page with 401. >>> The login page is not displayed because of the "all" permission being >>> required. The browser's basic auth popup is not shown because the >>> WWW-Authenticate header is not present. Changing the >>> RuleBasedAuthorizationPlugin required permission from "all" to >>> "security-edit" makes the login page appear. >>> >>> The above basic auth + "all" permission was working ok with solr 7.5, but >>> no longer works with 7.7+. Is this behaviour intended and/or documented? >>> >>> Another issue is with using empty password strings. This used to work with >>> the browser's native basic auth, but not by the login page ("Password is >>> required" error). Is there some way to use an empty password with the login >>> page? If not, is there a way to continue using the browser's native basic >>> auth? >>> >>> Best regards >>>
