Skip to content

docs(admin): reflect SPNEGO hardening (fess#3181) in 15.8 General guide#429

Merged
marevol merged 1 commit into
masterfrom
docs/spnego-admin-general-15.8
Jul 5, 2026
Merged

docs(admin): reflect SPNEGO hardening (fess#3181) in 15.8 General guide#429
marevol merged 1 commit into
masterfrom
docs/spnego-admin-general-15.8

Conversation

@marevol

@marevol marevol commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Summary

Updates the 15.8 General admin guide across all languages to reflect the SPNEGO (Windows SSO) hardening merged in codelibs/fess#3181. Each change was verified against the current source (SpnegoAuthenticator.java, EditForm.java, admin_general.jsp).

Changes

  • Remove the "Exclude Directories" field. This admin UI field was removed in fess#3181 (only an unused servlet filter ever consumed it), so it no longer belongs in the UI reference.
  • Add a restart note. SPNEGO settings require a Fess restart because the underlying library config is a JVM-wide singleton.
  • Document secure-by-default behavior for "Allow Localhost" and "Allow Unsecure Basic Auth" — both now default to disabled.
  • Pre-auth username/password: note that leaving both empty enables keytab-based server login.
  • Logger level: clarify the 0–7 numeric range and the auto-detection fallback for empty/non-numeric values.

The new spnego.allowed.realms property is intentionally not added here: it is a system property, not an admin UI field, so it is out of scope for this UI reference.

Languages

ja, en, de, es, fr, ko, zh-cn (7 files, SPNEGO section only)

Update the 15.8 General admin guide across all languages to match the
SPNEGO (Windows SSO) hardening in codelibs/fess#3181:

- Remove the "Exclude Directories" field, which was removed from the
  admin UI (only an unused servlet filter consumed it).
- Add a note that SPNEGO settings require a Fess restart, since the
  underlying library config is a JVM-wide singleton.
- Document the secure-by-default behavior of "Allow Localhost" and
  "Allow Unsecure Basic Auth" (both now default to disabled).
- Note that leaving the pre-auth username/password empty enables
  keytab-based server login.
- Clarify that the logger level is a 0-7 value and is auto-detected
  when empty or non-numeric.

Languages: ja, en, de, es, fr, ko, zh-cn
@marevol marevol merged commit 43183ed into master Jul 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant