From 280f67927e7590c40b1d5f2960b9c6c7d21d6b5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20H=C3=B8ydahl?= Date: Wed, 12 Dec 2018 10:35:15 +0100 Subject: [PATCH] SOLR-7896: Add a login page to Admin UI, with initial support for Basic Auth --- solr/CHANGES.txt | 2 + solr/NOTICE.txt | 6 + .../apache/solr/security/BasicAuthPlugin.java | 43 +++- .../Sha256AuthenticationProvider.java | 7 +- .../solr/servlet/SolrDispatchFilter.java | 40 ++-- ...hentication-and-authorization-plugins.adoc | 10 + .../src/basic-authentication-plugin.adoc | 45 +++- solr/webapp/web/WEB-INF/web.xml | 2 +- solr/webapp/web/css/angular/login.css | 103 +++++++++ solr/webapp/web/css/angular/menu.css | 2 + solr/webapp/web/index.html | 160 ++++++------- solr/webapp/web/js/angular/app.js | 45 +++- .../web/js/angular/controllers/login.js | 146 ++++++++++++ solr/webapp/web/js/angular/services.js | 24 +- solr/webapp/web/libs/angular-utf8-base64.js | 217 ++++++++++++++++++ .../web/libs/angular-utf8-base64.min.js | 45 ++++ solr/webapp/web/partials/login.html | 80 +++++++ 17 files changed, 859 insertions(+), 118 deletions(-) create mode 100644 solr/webapp/web/css/angular/login.css create mode 100644 solr/webapp/web/js/angular/controllers/login.js create mode 100755 solr/webapp/web/libs/angular-utf8-base64.js create mode 100755 solr/webapp/web/libs/angular-utf8-base64.min.js create mode 100644 solr/webapp/web/partials/login.html diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt index 9ab80f4cf91..bfa36661d5b 100644 --- a/solr/CHANGES.txt +++ b/solr/CHANGES.txt @@ -155,6 +155,8 @@ New Features * SOLR-12839: JSON 'terms' Faceting now supports a 'prelim_sort' option to use when initially selecting the top ranking buckets, prior to the final 'sort' option used after refinement. (hossman) +* SOLR-7896: Add a login page to Admin UI, with initial support for Basic Auth (janhoy) + Bug Fixes ---------------------- diff --git a/solr/NOTICE.txt b/solr/NOTICE.txt index ad72eabc759..9e9a93fb72c 100644 --- a/solr/NOTICE.txt +++ b/solr/NOTICE.txt @@ -46,6 +46,12 @@ Copyright (c) 2008-2014, Ryan McGeary, https://github.com/rmm5t/jquery-timeago This product includes require.js Javascript library created by James Burke Copyright (C) 2010-2014 James Burke, https://github.com/jrburke/requirejs +This product includes angular-utf8-base64.js Javascript library created by Andrey Bezyazychniy +Copyright (c) 2014 Andrey Bezyazychniy, https://github.com/stranger82/angular-utf8-base64 + +This product includes code copied and modified from the www-authenticate Javascript library +Copyright (c) 2013 Randy McLaughlin, MIT-license, https://github.com/randymized/www-authenticate + This product includes fugue icons created by Yusuke Kamiyamane Copyright (C) 2013-2014 Yusuke Kamiyamane, https://github.com/yusukekamiyamane/fugue-icons diff --git a/solr/core/src/java/org/apache/solr/security/BasicAuthPlugin.java b/solr/core/src/java/org/apache/solr/security/BasicAuthPlugin.java index eab89e3ca4a..1212452e18d 100644 --- a/solr/core/src/java/org/apache/solr/security/BasicAuthPlugin.java +++ b/solr/core/src/java/org/apache/solr/security/BasicAuthPlugin.java @@ -34,12 +34,13 @@ import java.util.StringTokenizer; import com.google.common.collect.ImmutableSet; import org.apache.commons.codec.binary.Base64; import org.apache.http.Header; +import org.apache.http.HttpHeaders; import org.apache.http.auth.BasicUserPrincipal; import org.apache.http.message.BasicHeader; import org.apache.solr.common.SolrException; -import org.apache.solr.common.util.ValidatingJsonMap; -import org.apache.solr.common.util.CommandOperation; import org.apache.solr.common.SpecProvider; +import org.apache.solr.common.util.CommandOperation; +import org.apache.solr.common.util.ValidatingJsonMap; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -47,6 +48,7 @@ public class BasicAuthPlugin extends AuthenticationPlugin implements ConfigEdita private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass()); private AuthenticationProvider authenticationProvider; private final static ThreadLocal
authHeader = new ThreadLocal<>(); + private static final String X_REQUESTED_WITH_HEADER = "X-Requested-With"; private boolean blockUnknown = false; public boolean authenticate(String username, String pwd) { @@ -55,7 +57,7 @@ public class BasicAuthPlugin extends AuthenticationPlugin implements ConfigEdita @Override public void init(Map pluginConfig) { - Object o = pluginConfig.get(BLOCK_UNKNOWN); + Object o = pluginConfig.get(PROPERTY_BLOCK_UNKNOWN); if (o != null) { try { blockUnknown = Boolean.parseBoolean(o.toString()); @@ -94,9 +96,18 @@ public class BasicAuthPlugin extends AuthenticationPlugin implements ConfigEdita return provider; } - private void authenticationFailure(HttpServletResponse response, String message) throws IOException { + private void authenticationFailure(HttpServletResponse response, boolean isAjaxRequest, String message) throws IOException { for (Map.Entry entry : authenticationProvider.getPromptHeaders().entrySet()) { - response.setHeader(entry.getKey(), entry.getValue()); + String value = entry.getValue(); + // Prevent browser from intercepting basic authentication header when reqeust from Admin UI + if (isAjaxRequest && HttpHeaders.WWW_AUTHENTICATE.equalsIgnoreCase(entry.getKey()) && value != null) { + if (value.startsWith("Basic ")) { + value = "x" + value; + log.debug("Prefixing {} header for Basic Auth with 'x' to prevent browser basic auth popup", + HttpHeaders.WWW_AUTHENTICATE); + } + } + response.setHeader(entry.getKey(), value); } response.sendError(401, message); } @@ -108,6 +119,8 @@ public class BasicAuthPlugin extends AuthenticationPlugin implements ConfigEdita HttpServletResponse response = (HttpServletResponse) servletResponse; String authHeader = request.getHeader("Authorization"); + boolean isAjaxRequest = isAjaxRequest(request); + if (authHeader != null) { BasicAuthPlugin.authHeader.set(new BasicHeader("Authorization", authHeader)); StringTokenizer st = new StringTokenizer(authHeader); @@ -122,7 +135,7 @@ public class BasicAuthPlugin extends AuthenticationPlugin implements ConfigEdita String pwd = credentials.substring(p + 1).trim(); if (!authenticate(username, pwd)) { log.debug("Bad auth credentials supplied in Authorization header"); - authenticationFailure(response, "Bad credentials"); + authenticationFailure(response, isAjaxRequest, "Bad credentials"); } else { HttpServletRequestWrapper wrapper = new HttpServletRequestWrapper(request) { @Override @@ -135,7 +148,7 @@ public class BasicAuthPlugin extends AuthenticationPlugin implements ConfigEdita } } else { - authenticationFailure(response, "Invalid authentication token"); + authenticationFailure(response, isAjaxRequest, "Invalid authentication token"); } } catch (UnsupportedEncodingException e) { throw new Error("Couldn't retrieve authentication", e); @@ -144,7 +157,7 @@ public class BasicAuthPlugin extends AuthenticationPlugin implements ConfigEdita } } else { if (blockUnknown) { - authenticationFailure(response, "require authentication"); + authenticationFailure(response, isAjaxRequest, "require authentication"); } else { request.setAttribute(AuthenticationPlugin.class.getName(), authenticationProvider.getPromptHeaders()); filterChain.doFilter(request, response); @@ -180,8 +193,16 @@ public class BasicAuthPlugin extends AuthenticationPlugin implements ConfigEdita return blockUnknown; } - public static final String BLOCK_UNKNOWN = "blockUnknown"; - private static final Set PROPS = ImmutableSet.of(BLOCK_UNKNOWN); - + public static final String PROPERTY_BLOCK_UNKNOWN = "blockUnknown"; + public static final String PROPERTY_REALM = "realm"; + private static final Set PROPS = ImmutableSet.of(PROPERTY_BLOCK_UNKNOWN, PROPERTY_REALM); + /** + * Check if the request is an AJAX request, i.e. from the Admin UI or other SPA front + * @param request the servlet request + * @return true if the request is AJAX request + */ + private boolean isAjaxRequest(HttpServletRequest request) { + return "XMLHttpRequest".equalsIgnoreCase(request.getHeader(X_REQUESTED_WITH_HEADER)); + } } diff --git a/solr/core/src/java/org/apache/solr/security/Sha256AuthenticationProvider.java b/solr/core/src/java/org/apache/solr/security/Sha256AuthenticationProvider.java index 4b85c4558c7..e8cc87a3094 100644 --- a/solr/core/src/java/org/apache/solr/security/Sha256AuthenticationProvider.java +++ b/solr/core/src/java/org/apache/solr/security/Sha256AuthenticationProvider.java @@ -64,8 +64,11 @@ public class Sha256AuthenticationProvider implements ConfigEditablePlugin, Basi @Override public void init(Map pluginConfig) { - if (pluginConfig.get("realm") != null) this.realm = (String) pluginConfig.get("realm"); - else this.realm = "solr"; + if (pluginConfig.containsKey(BasicAuthPlugin.PROPERTY_REALM)) { + this.realm = (String) pluginConfig.get(BasicAuthPlugin.PROPERTY_REALM); + } else { + this.realm = "solr"; + } promptHeader = Collections.unmodifiableMap(Collections.singletonMap("WWW-Authenticate", "Basic realm=\"" + realm + "\"")); credentials = new LinkedHashMap<>(); diff --git a/solr/core/src/java/org/apache/solr/servlet/SolrDispatchFilter.java b/solr/core/src/java/org/apache/solr/servlet/SolrDispatchFilter.java index 9e6523b14e8..1a8b14e98a5 100644 --- a/solr/core/src/java/org/apache/solr/servlet/SolrDispatchFilter.java +++ b/solr/core/src/java/org/apache/solr/servlet/SolrDispatchFilter.java @@ -360,18 +360,6 @@ public class SolrDispatchFilter extends BaseSolrFilter { } } - AtomicReference wrappedRequest = new AtomicReference<>(); - if (!authenticateRequest(request, response, wrappedRequest)) { // the response and status code have already been sent - return; - } - if (wrappedRequest.get() != null) { - request = wrappedRequest.get(); - } - - if (cores.getAuthenticationPlugin() != null) { - log.debug("User principal: {}", request.getUserPrincipal()); - } - // No need to even create the HttpSolrCall object if this path is excluded. if (excludePatterns != null) { String requestPath = request.getServletPath(); @@ -389,6 +377,18 @@ public class SolrDispatchFilter extends BaseSolrFilter { } } + AtomicReference wrappedRequest = new AtomicReference<>(); + if (!authenticateRequest(request, response, wrappedRequest)) { // the response and status code have already been sent + return; + } + if (wrappedRequest.get() != null) { + request = wrappedRequest.get(); + } + + if (cores.getAuthenticationPlugin() != null) { + log.debug("User principal: {}", request.getUserPrincipal()); + } + HttpSolrCall call = getHttpSolrCall(request, response, retry); ExecutorUtil.setServerThreadFlag(Boolean.TRUE); try { @@ -458,8 +458,20 @@ public class SolrDispatchFilter extends BaseSolrFilter { // /admin/info/key must be always open. see SOLR-9188 // tests work only w/ getPathInfo //otherwise it's just enough to have getServletPath() - if (PublicKeyHandler.PATH.equals(request.getServletPath()) || - PublicKeyHandler.PATH.equals(request.getPathInfo())) return true; + String requestPath = request.getPathInfo(); + if (requestPath == null) + requestPath = request.getServletPath(); + if (PublicKeyHandler.PATH.equals(requestPath)) { + if (log.isDebugEnabled()) + log.debug("Pass through PKI authentication endpoint"); + return true; + } + // /solr/ (Admin UI) must be always open to allow displaying Admin UI with login page + if ("/solr/".equals(requestPath) || "/".equals(requestPath)) { + if (log.isDebugEnabled()) + log.debug("Pass through Admin UI entry point"); + return true; + } String header = request.getHeader(PKIAuthenticationPlugin.HEADER); if (header != null && cores.getPkiAuthenticationPlugin() != null) authenticationPlugin = cores.getPkiAuthenticationPlugin(); diff --git a/solr/solr-ref-guide/src/authentication-and-authorization-plugins.adoc b/solr/solr-ref-guide/src/authentication-and-authorization-plugins.adoc index 971dbcdf371..dabd869cb0e 100644 --- a/solr/solr-ref-guide/src/authentication-and-authorization-plugins.adoc +++ b/solr/solr-ref-guide/src/authentication-and-authorization-plugins.adoc @@ -157,6 +157,16 @@ Solr has one implementation of an authorization plugin: * <> +== Authenticating in the Admin UI + +Whenever an authentication plugin is enabled, authentication is also required for all or some operations in the Admin UI. The Admin UI is an AngularJS application running inside your browser, and is treated as any other external client by Solr. + +When authentication is required the Admin UI will presented you with a login dialogue. The authentication plugins currently supported by the Admin UI are: + +* `BasicAuthPlugin` + +If your plugin of choice is not supported, you will have to interact with Solr sending HTTP requests instead of through the graphical user interface of the Admin UI. All operations supported by Admin UI can be performed through Solr's RESTful APIs. + == Securing Inter-Node Requests There are a lot of requests that originate from the Solr nodes itself. For example, requests from overseer to nodes, recovery threads, etc. Each Authentication plugin declares whether it is capable of securing inter-node requests or not. If not, Solr will fall back to using a special internode authentication mechanism where each Solr node is a super user and is fully trusted by other Solr nodes, described below. diff --git a/solr/solr-ref-guide/src/basic-authentication-plugin.adoc b/solr/solr-ref-guide/src/basic-authentication-plugin.adoc index 88e8a0c8d24..308c5a28559 100644 --- a/solr/solr-ref-guide/src/basic-authentication-plugin.adoc +++ b/solr/solr-ref-guide/src/basic-authentication-plugin.adoc @@ -36,13 +36,14 @@ An example `security.json` showing both sections is shown below to show how thes "authentication":{ <1> "blockUnknown": true, <2> "class":"solr.BasicAuthPlugin", - "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="} <3> + "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}, <3> + "realm":"My Solr users" <4> }, "authorization":{ "class":"solr.RuleBasedAuthorizationPlugin", "permissions":[{"name":"security-edit", - "role":"admin"}], <4> - "user-role":{"solr":"admin"} <5> + "role":"admin"}], <5> + "user-role":{"solr":"admin"} <6> }} ---- @@ -51,13 +52,16 @@ There are several things defined in this file: <1> Basic authentication and rule-based authorization plugins are enabled. <2> The parameter `"blockUnknown":true` means that unauthenticated requests are not allowed to pass through. <3> A user called 'solr', with a password `'SolrRocks'` has been defined. -<4> The 'admin' role has been defined, and it has permission to edit security settings. -<5> The 'solr' user has been defined to the 'admin' role. +<4> We override the `realm` property to display another text on the login prompt. +<5> The 'admin' role has been defined, and it has permission to edit security settings. +<6> The 'solr' user has been defined to the 'admin' role. Save your settings to a file called `security.json` locally. If you are using Solr in standalone mode, you should put this file in `$SOLR_HOME`. If `blockUnknown` does not appear in the `security.json` file, it will default to `false`. This has the effect of not requiring authentication at all. In some cases, you may want this; for example, if you want to have `security.json` in place but aren't ready to enable authentication. However, you will want to ensure that this parameter is set to `true` in order for authentication to be truly enabled in your system. +If `realm` is not defined, it will default to `solr`. + If you are using SolrCloud, you must upload `security.json` to ZooKeeper. You can use this example command, ensuring that the ZooKeeper port is correct: [source,bash] @@ -139,11 +143,11 @@ curl --user solr:SolrRocks http://localhost:8983/api/cluster/security/authentica === Set a Property -Set properties for the authentication plugin. The only currently supported property for the Basic Authentication plugin is `blockUnknown`. +Set properties for the authentication plugin. The currently supported properties for the Basic Authentication plugin are `blockUnknown` and `realm`. [.dynamic-tabs] -- -[example.tab-pane#v1set-property] +[example.tab-pane#v1set-property-blockUnknown] ==== [.tab-label]*V1 API* @@ -153,7 +157,7 @@ curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication -H 'C ---- ==== -[example.tab-pane#v2set-property] +[example.tab-pane#v2set-property-blockUnknown] ==== [.tab-label]*V2 API* @@ -164,6 +168,31 @@ curl --user solr:SolrRocks http://localhost:8983/api/cluster/security/authentica ==== -- +The authentication realm defaults to `solr` and is displayed in the `WWW-Authenticate` HTTP header and in the Admin UI login page. To change the realm, set the `realm` property: + +[.dynamic-tabs] +-- +[example.tab-pane#v1set-property-realm] +==== +[.tab-label]*V1 API* + +[source,bash] +---- +curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{"set-property": {"realm":"My Solr users"}}' +---- +==== + +[example.tab-pane#v2set-property-realm] +==== +[.tab-label]*V2 API* + +[source,bash] +---- +curl --user solr:SolrRocks http://localhost:8983/api/cluster/security/authentication -H 'Content-type:application/json' -d '{"set-property": {"realm":"My Solr users"}}' +---- +==== +-- + == Using Basic Auth with SolrJ In SolrJ, the basic authentication credentials need to be set for each request as in this example: diff --git a/solr/webapp/web/WEB-INF/web.xml b/solr/webapp/web/WEB-INF/web.xml index 155b08bbde1..53ab57abbbd 100644 --- a/solr/webapp/web/WEB-INF/web.xml +++ b/solr/webapp/web/WEB-INF/web.xml @@ -33,7 +33,7 @@ --> excludePatterns - /partials/.+,/libs/.+,/css/.+,/js/.+,/img/.+,/tpl/.+ + /partials/.+,/libs/.+,/css/.+,/js/.+,/img/.+,/templates/.+ diff --git a/solr/webapp/web/css/angular/login.css b/solr/webapp/web/css/angular/login.css new file mode 100644 index 00000000000..52ad4e01dbc --- /dev/null +++ b/solr/webapp/web/css/angular/login.css @@ -0,0 +1,103 @@ +/* + +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +*/ + +#content #login +{ + background-position: 0 50%; + padding-left: 21px; + vertical-align: center; + horiz-align: center; +} + +#content #login h1, +#content #login .h1 { + font-size: 2.5rem; +} + +#content #login h2, +#content #login .h2 { + font-size: 2rem; +} + +#content #login p +{ + margin-top: 0; + margin-bottom: 1rem; +} + +#content #login .login-error +{ + font-size: 1rem; + color: red; + margin-top: 10px; + margin-bottom: 10px; +} + +#content #login button { + border-radius: 0; +} + +#content #login button:focus { + outline: 1px dotted; + outline: 5px auto -webkit-focus-ring-color; +} + +#content #login .btn { + display: inline-block; + font-weight: 400; + text-align: center; + white-space: nowrap; + vertical-align: middle; + -webkit-user-select: none; + -moz-user-select: none; + -ms-user-select: none; + user-select: none; + border: 1px solid transparent; + padding: 0.375rem 0.75rem; + font-size: 1rem; + line-height: 1.5; + border-radius: 0.25rem; + transition: color 0.15s ease-in-out, background-color 0.15s ease-in-out, border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out; +} + +#content #login .form-inline .form-group { + display: -ms-flexbox; + display: flex; + -ms-flex: 0 0 auto; + flex: 0 0 auto; + -ms-flex-flow: row wrap; + flex-flow: row wrap; + -ms-flex-align: center; + align-items: center; + margin-bottom: 0; +} + +#content #login .form-control { + display: block; + width: 80%; + padding: 0.375rem 0.75rem; + font-size: 1rem; + line-height: 1.5; + color: #495057; + background-color: #fff; + background-clip: padding-box; + border: 1px solid #ced4da; + border-radius: 0.25rem; + transition: border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out; +} diff --git a/solr/webapp/web/css/angular/menu.css b/solr/webapp/web/css/angular/menu.css index 71a16681326..4a24399bfd1 100644 --- a/solr/webapp/web/css/angular/menu.css +++ b/solr/webapp/web/css/angular/menu.css @@ -247,6 +247,8 @@ limitations under the License. #menu #index.global p a { background-image: url( ../../img/ico/dashboard.png ); } +#menu #login.global p a { background-image: url( ../../img/ico/users.png ); } + #menu #logging.global p a { background-image: url( ../../img/ico/inbox-document-text.png ); } #menu #logging.global .level a { background-image: url( ../../img/ico/gear.png ); } diff --git a/solr/webapp/web/index.html b/solr/webapp/web/index.html index 00f70efba9f..23b9dbd6e8e 100644 --- a/solr/webapp/web/index.html +++ b/solr/webapp/web/index.html @@ -34,6 +34,7 @@ limitations under the License. + @@ -61,9 +62,11 @@ limitations under the License. + + @@ -139,88 +142,91 @@ limitations under the License.
-
- diff --git a/solr/webapp/web/js/angular/app.js b/solr/webapp/web/js/angular/app.js index ad96ce0d3c0..cb04ba3efb7 100644 --- a/solr/webapp/web/js/angular/app.js +++ b/solr/webapp/web/js/angular/app.js @@ -21,7 +21,8 @@ var solrAdminApp = angular.module("solrAdminApp", [ "ngCookies", "ngtimeago", "solrAdminServices", - "localytics.directives" + "localytics.directives", + "ab-base64" ]); solrAdminApp.config([ @@ -31,6 +32,10 @@ solrAdminApp.config([ templateUrl: 'partials/index.html', controller: 'IndexController' }). + when('/login', { + templateUrl: 'partials/login.html', + controller: 'LoginController' + }). when('/~logging', { templateUrl: 'partials/logging.html', controller: 'LoggingController' @@ -315,7 +320,7 @@ solrAdminApp.config([ } }; }) -.factory('httpInterceptor', function($q, $rootScope, $timeout, $injector) { +.factory('httpInterceptor', function($q, $rootScope, $location, $timeout, $injector) { var activeRequests = 0; var started = function(config) { @@ -326,6 +331,9 @@ solrAdminApp.config([ delete $rootScope.exceptions[config.url]; } activeRequests++; + if (sessionStorage.getItem("auth.header")) { + config.headers['Authorization'] = sessionStorage.getItem("auth.header"); + } config.timeout = 10000; return config || $q.when(config); }; @@ -343,6 +351,11 @@ solrAdminApp.config([ $rootScope.$broadcast('connectionStatusInactive'); },2000); } + if (!$location.path().startsWith('/login')) { + sessionStorage.removeItem("http401"); + sessionStorage.removeItem("auth.state"); + sessionStorage.removeItem("auth.statusText"); + } return response || $q.when(response); }; @@ -361,16 +374,38 @@ solrAdminApp.config([ var $http = $injector.get('$http'); var result = $http(rejection.config); return result; + } else if (rejection.status === 401) { + // Authentication redirect + var headers = rejection.headers(); + var wwwAuthHeader = headers['www-authenticate']; + sessionStorage.setItem("auth.wwwAuthHeader", wwwAuthHeader); + sessionStorage.setItem("auth.statusText", rejection.statusText); + sessionStorage.setItem("http401", "true"); + sessionStorage.removeItem("auth.scheme"); + sessionStorage.removeItem("auth.realm"); + sessionStorage.removeItem("auth.username"); + sessionStorage.removeItem("auth.header"); + sessionStorage.removeItem("auth.state"); + if ($location.path().includes('/login')) { + if (!sessionStorage.getItem("auth.location")) { + sessionStorage.setItem("auth.location", "/"); + } + } else { + sessionStorage.setItem("auth.location", $location.path()); + $location.path('/login'); + } } else { $rootScope.exceptions[rejection.config.url] = rejection.data.error; } return $q.reject(rejection); - } + }; return {request: started, response: ended, responseError: failed}; }) .config(function($httpProvider) { $httpProvider.interceptors.push("httpInterceptor"); + // Force BasicAuth plugin to serve us a 'Authorization: xBasic xxxx' header so browser will not pop up login dialogue + $httpProvider.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest'; }) .directive('fileModel', function ($parse) { return { @@ -441,6 +476,8 @@ solrAdminApp.controller('MainController', function($scope, $route, $rootScope, $ $scope.showingLogging = page.lastIndexOf("logging", 0) === 0; $scope.showingCloud = page.lastIndexOf("cloud", 0) === 0; $scope.page = page; + $scope.currentUser = sessionStorage.getItem("auth.username"); + $scope.http401 = sessionStorage.getItem("http401"); }; $scope.ping = function() { @@ -456,7 +493,7 @@ solrAdminApp.controller('MainController', function($scope, $route, $rootScope, $ } $scope.showCore = function(core) { - $location.url("/" + core.name); + $location.url("/" + core.name + "/core-overview"); } $scope.showCollection = function(collection) { diff --git a/solr/webapp/web/js/angular/controllers/login.js b/solr/webapp/web/js/angular/controllers/login.js new file mode 100644 index 00000000000..9935191e127 --- /dev/null +++ b/solr/webapp/web/js/angular/controllers/login.js @@ -0,0 +1,146 @@ +/* + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +solrAdminApp.controller('LoginController', + ['$scope', '$routeParams', '$rootScope', '$location', '$window', 'AuthenticationService', 'Constants', + function ($scope, $routeParams, $rootScope, $location, $window, AuthenticationService, Constants) { + $scope.resetMenu("login", Constants.IS_ROOT_PAGE); + $scope.subPath = $routeParams.route; + $rootScope.exceptions = {}; + + // Session variables set in app.js 401 interceptor + var wwwAuthHeader = sessionStorage.getItem("auth.wwwAuthHeader"); + var authScheme = sessionStorage.getItem("auth.scheme"); + if (wwwAuthHeader) { + // Parse www-authenticate header + var wwwHeader = wwwAuthHeader.match(/(\w+)\s+(.*)/); + authScheme = wwwHeader[1]; + var authParams = www_auth_parse_params(wwwHeader[2]); + if (typeof authParams === 'string' || authParams instanceof String) { + $scope.authParamsError = authParams; + } else { + $scope.authParamsError = undefined; + } + var realm = authParams['realm']; + sessionStorage.setItem("auth.realm", realm); + if (authScheme === 'Basic' || authScheme === 'xBasic') { + authScheme = 'Basic'; + } + sessionStorage.setItem("auth.scheme", authScheme); + } + + var supportedSchemes = ['Basic', 'Bearer']; + $scope.authSchemeSupported = supportedSchemes.includes(authScheme); + $scope.authScheme = sessionStorage.getItem("auth.scheme"); + $scope.authRealm = sessionStorage.getItem("auth.realm"); + $scope.wwwAuthHeader = sessionStorage.getItem("auth.wwwAuthHeader"); + $scope.statusText = sessionStorage.getItem("auth.statusText"); + $scope.authConfig = sessionStorage.getItem("auth.config"); + $scope.authLocation = sessionStorage.getItem("auth.location"); + $scope.authLoggedinUser = sessionStorage.getItem("auth.username"); + $scope.authHeader = sessionStorage.getItem("auth.header"); + + $scope.login = function () { + AuthenticationService.SetCredentials($scope.username, $scope.password); + $location.path($scope.authLocation); // Redirect to the location that caused the login prompt + }; + + $scope.logout = function() { + // reset login status + AuthenticationService.ClearCredentials(); + $location.path("/"); + }; + + $scope.isLoggedIn = function() { + return (sessionStorage.getItem("auth.username") !== null); + }; + }]); + +// This function is copied and adapted from MIT-licensed https://github.com/randymized/www-authenticate/blob/master/lib/parsers.js +www_auth_parse_params= function (header) { + // This parser will definitely fail if there is more than one challenge + var params = {}; + var tok, last_tok, _i, _len, key, value; + var state= 0; //0: token, + var m= header.split(/([",=])/); + for (_i = 0, _len = m.length; _i < _len; _i++) { + last_tok= tok; + tok = m[_i]; + if (!tok.length) continue; + switch (state) { + case 0: // token + key= tok.trim(); + state= 1; // expect equals + continue; + case 1: // expect equals + if ('=' != tok) return 'Equal sign was expected after '+key; + state= 2; + continue; + case 2: // expect value + if ('"' == tok) { + value= ''; + state= 3; // expect quoted + continue; + } + else { + params[key]= value= tok.trim(); + state= 9; // expect comma or end + continue; + } + case 3: // handling quoted string + if ('"' == tok) { + state= 8; // end quoted + continue; + } + else { + value+= tok; + state= 3; // continue accumulating quoted string + continue; + } + case 8: // end quote encountered + if ('"' == tok) { + // double quoted + value+= '"'; + state= 3; // back to quoted string + continue; + } + if (',' == tok) { + params[key]= value; + state= 0; + continue; + } + else { + return 'Unexpected token ('+tok+') after '+value+'"'; + } + continue; + case 9: // expect commma + if (',' != tok) return 'Comma expected after '+value; + state= 0; + continue; + } + } + switch (state) { // terminal state + case 0: // Empty or ignoring terminal comma + case 9: // Expecting comma or end of header + return params; + case 8: // Last token was end quote + params[key]= value; + return params; + default: + return 'Unexpected end of www-authenticate value.'; + } +}; diff --git a/solr/webapp/web/js/angular/services.js b/solr/webapp/web/js/angular/services.js index e3dcd3f1b46..8eb148fb3ae 100644 --- a/solr/webapp/web/js/angular/services.js +++ b/solr/webapp/web/js/angular/services.js @@ -262,4 +262,26 @@ solrAdminServices.factory('System', return $resource(':core/config', {wt: 'json', core: '@core', _:Date.now()}, { get: {method: "GET"} }) -}]); +}]) +.factory('AuthenticationService', + ['base64', function (base64) { + var service = {}; + + service.SetCredentials = function (username, password) { + var authdata = base64.encode(username + ':' + password); + + sessionStorage.setItem("auth.header", "Basic " + authdata); + sessionStorage.setItem("auth.username", username); + }; + + service.ClearCredentials = function () { + sessionStorage.removeItem("auth.header"); + sessionStorage.removeItem("auth.scheme"); + sessionStorage.removeItem("auth.realm"); + sessionStorage.removeItem("auth.username"); + sessionStorage.removeItem("auth.wwwAuthHeader"); + sessionStorage.removeItem("auth.statusText"); + }; + + return service; + }]); diff --git a/solr/webapp/web/libs/angular-utf8-base64.js b/solr/webapp/web/libs/angular-utf8-base64.js new file mode 100755 index 00000000000..a3a735869fa --- /dev/null +++ b/solr/webapp/web/libs/angular-utf8-base64.js @@ -0,0 +1,217 @@ +/* +The MIT License (MIT) + +Copyright (c) 2014 Andrey Bezyazychniy + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. +*/ +'use strict'; + +angular.module('ab-base64',[]).constant('base64', (function() { + + /* + * Encapsulation of Vassilis Petroulias's base64.js library for AngularJS + * Original notice included below + */ + + /* + Copyright Vassilis Petroulias [DRDigit] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */ + var B64 = { + alphabet: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=', + lookup: null, + ie: /MSIE /.test(navigator.userAgent), + ieo: /MSIE [67]/.test(navigator.userAgent), + encode: function (s) { + /* jshint bitwise:false */ + var buffer = B64.toUtf8(s), + position = -1, + result, + len = buffer.length, + nan0, nan1, nan2, enc = [, , , ]; + + if (B64.ie) { + result = []; + while (++position < len) { + nan0 = buffer[position]; + nan1 = buffer[++position]; + enc[0] = nan0 >> 2; + enc[1] = ((nan0 & 3) << 4) | (nan1 >> 4); + if (isNaN(nan1)) + enc[2] = enc[3] = 64; + else { + nan2 = buffer[++position]; + enc[2] = ((nan1 & 15) << 2) | (nan2 >> 6); + enc[3] = (isNaN(nan2)) ? 64 : nan2 & 63; + } + result.push(B64.alphabet.charAt(enc[0]), B64.alphabet.charAt(enc[1]), B64.alphabet.charAt(enc[2]), B64.alphabet.charAt(enc[3])); + } + return result.join(''); + } else { + result = ''; + while (++position < len) { + nan0 = buffer[position]; + nan1 = buffer[++position]; + enc[0] = nan0 >> 2; + enc[1] = ((nan0 & 3) << 4) | (nan1 >> 4); + if (isNaN(nan1)) + enc[2] = enc[3] = 64; + else { + nan2 = buffer[++position]; + enc[2] = ((nan1 & 15) << 2) | (nan2 >> 6); + enc[3] = (isNaN(nan2)) ? 64 : nan2 & 63; + } + result += B64.alphabet[enc[0]] + B64.alphabet[enc[1]] + B64.alphabet[enc[2]] + B64.alphabet[enc[3]]; + } + return result; + } + }, + decode: function (s) { + /* jshint bitwise:false */ + s = s.replace(/\s/g, ''); + if (s.length % 4) + throw new Error('InvalidLengthError: decode failed: The string to be decoded is not the correct length for a base64 encoded string.'); + if(/[^A-Za-z0-9+\/=\s]/g.test(s)) + throw new Error('InvalidCharacterError: decode failed: The string contains characters invalid in a base64 encoded string.'); + + var buffer = B64.fromUtf8(s), + position = 0, + result, + len = buffer.length; + + if (B64.ieo) { + result = []; + while (position < len) { + if (buffer[position] < 128) + result.push(String.fromCharCode(buffer[position++])); + else if (buffer[position] > 191 && buffer[position] < 224) + result.push(String.fromCharCode(((buffer[position++] & 31) << 6) | (buffer[position++] & 63))); + else + result.push(String.fromCharCode(((buffer[position++] & 15) << 12) | ((buffer[position++] & 63) << 6) | (buffer[position++] & 63))); + } + return result.join(''); + } else { + result = ''; + while (position < len) { + if (buffer[position] < 128) + result += String.fromCharCode(buffer[position++]); + else if (buffer[position] > 191 && buffer[position] < 224) + result += String.fromCharCode(((buffer[position++] & 31) << 6) | (buffer[position++] & 63)); + else + result += String.fromCharCode(((buffer[position++] & 15) << 12) | ((buffer[position++] & 63) << 6) | (buffer[position++] & 63)); + } + return result; + } + }, + toUtf8: function (s) { + /* jshint bitwise:false */ + var position = -1, + len = s.length, + chr, buffer = []; + if (/^[\x00-\x7f]*$/.test(s)) while (++position < len) + buffer.push(s.charCodeAt(position)); + else while (++position < len) { + chr = s.charCodeAt(position); + if (chr < 128) + buffer.push(chr); + else if (chr < 2048) + buffer.push((chr >> 6) | 192, (chr & 63) | 128); + else + buffer.push((chr >> 12) | 224, ((chr >> 6) & 63) | 128, (chr & 63) | 128); + } + return buffer; + }, + fromUtf8: function (s) { + /* jshint bitwise:false */ + var position = -1, + len, buffer = [], + enc = [, , , ]; + if (!B64.lookup) { + len = B64.alphabet.length; + B64.lookup = {}; + while (++position < len) + B64.lookup[B64.alphabet.charAt(position)] = position; + position = -1; + } + len = s.length; + while (++position < len) { + enc[0] = B64.lookup[s.charAt(position)]; + enc[1] = B64.lookup[s.charAt(++position)]; + buffer.push((enc[0] << 2) | (enc[1] >> 4)); + enc[2] = B64.lookup[s.charAt(++position)]; + if (enc[2] === 64) + break; + buffer.push(((enc[1] & 15) << 4) | (enc[2] >> 2)); + enc[3] = B64.lookup[s.charAt(++position)]; + if (enc[3] === 64) + break; + buffer.push(((enc[2] & 3) << 6) | enc[3]); + } + return buffer; + } + }; + + var B64url = { + decode: function(input) { + // Replace non-url compatible chars with base64 standard chars + input = input + .replace(/-/g, '+') + .replace(/_/g, '/'); + + // Pad out with standard base64 required padding characters + var pad = input.length % 4; + if(pad) { + if(pad === 1) { + throw new Error('InvalidLengthError: Input base64url string is the wrong length to determine padding'); + } + input += new Array(5-pad).join('='); + } + + return B64.decode(input); + }, + + encode: function(input) { + var output = B64.encode(input); + return output + .replace(/\+/g, '-') + .replace(/\//g, '_') + .split('=', 1)[0]; + } + }; + + return { + decode: B64.decode, + encode: B64.encode, + urldecode: B64url.decode, + urlencode: B64url.encode, + }; +})()); + diff --git a/solr/webapp/web/libs/angular-utf8-base64.min.js b/solr/webapp/web/libs/angular-utf8-base64.min.js new file mode 100755 index 00000000000..e1166c692f4 --- /dev/null +++ b/solr/webapp/web/libs/angular-utf8-base64.min.js @@ -0,0 +1,45 @@ +/* +The MIT License (MIT) + +Copyright (c) 2014 Andrey Bezyazychniy + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. +*/ + +/* + * Encapsulation of Vassilis Petroulias's base64.js library for AngularJS + * Original notice included below + */ + +/* + Copyright Vassilis Petroulias [DRDigit] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ +"use strict";angular.module("ab-base64",[]).constant("base64",function(){var a={alphabet:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",lookup:null,ie:/MSIE /.test(navigator.userAgent),ieo:/MSIE [67]/.test(navigator.userAgent),encode:function(b){var c,d,e,f,g=a.toUtf8(b),h=-1,i=g.length,j=[,,,];if(a.ie){for(c=[];++h>2,j[1]=(3&d)<<4|e>>4,isNaN(e)?j[2]=j[3]=64:(f=g[++h],j[2]=(15&e)<<2|f>>6,j[3]=isNaN(f)?64:63&f),c.push(a.alphabet.charAt(j[0]),a.alphabet.charAt(j[1]),a.alphabet.charAt(j[2]),a.alphabet.charAt(j[3]));return c.join("")}for(c="";++h>2,j[1]=(3&d)<<4|e>>4,isNaN(e)?j[2]=j[3]=64:(f=g[++h],j[2]=(15&e)<<2|f>>6,j[3]=isNaN(f)?64:63&f),c+=a.alphabet[j[0]]+a.alphabet[j[1]]+a.alphabet[j[2]]+a.alphabet[j[3]];return c},decode:function(b){if(b=b.replace(/\s/g,""),b.length%4)throw new Error("InvalidLengthError: decode failed: The string to be decoded is not the correct length for a base64 encoded string.");if(/[^A-Za-z0-9+\/=\s]/g.test(b))throw new Error("InvalidCharacterError: decode failed: The string contains characters invalid in a base64 encoded string.");var c,d=a.fromUtf8(b),e=0,f=d.length;if(a.ieo){for(c=[];f>e;)c.push(d[e]<128?String.fromCharCode(d[e++]):d[e]>191&&d[e]<224?String.fromCharCode((31&d[e++])<<6|63&d[e++]):String.fromCharCode((15&d[e++])<<12|(63&d[e++])<<6|63&d[e++]));return c.join("")}for(c="";f>e;)c+=String.fromCharCode(d[e]<128?d[e++]:d[e]>191&&d[e]<224?(31&d[e++])<<6|63&d[e++]:(15&d[e++])<<12|(63&d[e++])<<6|63&d[e++]);return c},toUtf8:function(a){var b,c=-1,d=a.length,e=[];if(/^[\x00-\x7f]*$/.test(a))for(;++cb?e.push(b):2048>b?e.push(b>>6|192,63&b|128):e.push(b>>12|224,b>>6&63|128,63&b|128);return e},fromUtf8:function(b){var c,d=-1,e=[],f=[,,,];if(!a.lookup){for(c=a.alphabet.length,a.lookup={};++d>4),f[2]=a.lookup[b.charAt(++d)],64!==f[2])&&(e.push((15&f[1])<<4|f[2]>>2),f[3]=a.lookup[b.charAt(++d)],64!==f[3]);)e.push((3&f[2])<<6|f[3]);return e}},b={decode:function(b){b=b.replace(/-/g,"+").replace(/_/g,"/");var c=b.length%4;if(c){if(1===c)throw new Error("InvalidLengthError: Input base64url string is the wrong length to determine padding");b+=new Array(5-c).join("=")}return a.decode(b)},encode:function(b){var c=a.encode(b);return c.replace(/\+/g,"-").replace(/\//g,"_").split("=",1)[0]}};return{decode:a.decode,encode:a.encode,urldecode:b.decode,urlencode:b.encode}}()); \ No newline at end of file diff --git a/solr/webapp/web/partials/login.html b/solr/webapp/web/partials/login.html new file mode 100644 index 00000000000..10a3caf27c5 --- /dev/null +++ b/solr/webapp/web/partials/login.html @@ -0,0 +1,80 @@ + +
+ +
+

Basic Authentication

+ +
+

+ Solr requires authentication for resource {{authLocation === '/' ? 'Dashboard' : authLocation}}.
+ Please log in with your username and password for realm {{authRealm}}. +

+
+
{{error}}
+
+
+ + + Username is required +
+
+ + + Password is required +
+
+
+ +
+
+
+ +
+

+ Logged in as user {{authLoggedinUser}}. Realm={{authRealm}}.
+

+
+
+
+ +
+
+
+ +
+ + +
+

Authentication scheme not supported

+ + + +

Some or all Solr operations are protected by an authentication scheme that is not yet supported by this Admin UI ({{authScheme}}).

+

Solr returned an error response: +


+
HTTP 401 {{statusText}}
+WWW-Authenticate: {{wwwAuthHeader}}
+
+

+

A possible workaround may be to use another client that supports this scheme.

+
+