(from github.com/efridge)
I’ve noticed that even though I check the “login required” box in the general config, the JSON API still remains open and unsecured even though the search page is locked down.
I see that FESS supports the generation of an access token. However, the documentation does not detail how this token would be used. I would like to set up FESS so that the token must be passed in the request headers before API access is granted. Was that the intent for these tokens? If so, how is this accomplished?
(from github.com/marevol)
For Login Required setting, the target is search HTML pages, not API responses.
http://fess.codelibs.org/11.0/admin/general-guide.html#login-required
To control JSON API access, please set a proper permission in crawling configs.
(from github.com/efridge)
Thanks, @marevol and @jdeathe . I was able to set up an “authenticated” role and secure my crawler data to that role. I then generated a key for that role, and passing it in as “Authorization” in the header let me access the pages. The webservice still answers up when people hit it without a key, but since no data is secured to “public” there is nothing interesting to see.