Hello. I encountered this issue too and wrote this up before I found this thread, but I thought I might as well post it still, if it helps... Currently I'm trying to move our product on to Solr 8.1.1. We are currently using 6.6.6, so things have definitely moved on. We use the BasicAuthPlugin + RuleBasedAuthorizationPlugin to lock down Solr (and we also secure our zookeeper). Here's an example for solradmin as the user and password { "authentication": { "blockUnknown": true, "class": "solr.BasicAuthPlugin", "credentials": { "solradmin": "PIWZwkGnEKxKnqUs3X08xmbmYBaYyAeP3FiKp7fmeHc= Lnbp6bEbE7Ap8lXvQDKkUX2Xw53QDgP6Ae8QRT0P5/A=" } }, "authorization": { "class": "solr.RuleBasedAuthorizationPlugin", "permissions": [ { "name": "all", "role": "admin" } ], "user-role": { "solradmin": "admin" } } } On Solr 8.1.1, using our previously working security.json, running queries (through the admin UI currently) I non-deterministically get 401 responses on queries when a collection has more than 1 shard. Increasing the number of shards in the collection makes the errors more likely. { "responseHeader":{ "zkConnected":true, "status":401, "QTime":30, "params":{ "q":"*:*", "_":"1559474550365"}}, "error":{ "metadata":[ "error-class","org.apache.solr.client.solrj.impl.BaseHttpSolrClient$RemoteSolrException", "root-error-class","org.apache.solr.client.solrj.impl.BaseHttpSolrClient$RemoteSolrException"], "msg":"Error from server at null: Expected mime type application/octet-stream but got text/html. \n\n\nError 401 require authentication\n\n

HTTP ERROR 401

\n

Problem accessing /solr/gettingstarted_shard4_replica_n6/select. Reason:\n

 require authentication

\n\n\n", "code":401}} The security stats indicate this is happening because the requests do not have credentials with them, e.g. http://localhost:8983/solr/#/gettingstarted_shard4_replica_n6/plugins?type=security&entry=org.apache.solr.security.BasicAuthPlugin org.apache.solr.security.BasicAuthPlugin class: org.apache.solr.security.BasicAuthPlugin description: Authentication Plugin org.apache.solr.security.BasicAuthPlugin stats SECURITY./authentication.authenticated: 182 SECURITY./authentication.errors.count: 0 SECURITY./authentication.failMissingCredentials: 58 SECURITY./authentication.failWrongCredentials: 0 SECURITY./authentication.passThrough: 0 SECURITY./authentication.requestTimes.meanRate: 0.4183414110946125 SECURITY./authentication.requests: 240 SECURITY./authentication.totalTime: 117791100 I assume that this is connected to the changes around https://issues.apache.org/jira/browse/SOLR-7896 and https://issues.apache.org/jira/browse/SOLR-13344 I've tested with Solr 7.6.0 and it appears to be unaffected Repro steps: # Extract solr 8.1.1. # bin\solr start -e cloud 1 node / [default port] / [default collection name] / 4 shards / 1 replica / [_default configuration] # server\scripts\cloud-scripts\zkcli -zkhost localhost:9983 -cmd putfile /security.json # Execute repeated GETS to http://localhost:8983/solr/gettingstarted/select?q=*%3A* - a lot of them, but not all, will fail with 401s Also as a side note, because the authentication is now done through the form login rather than the browser basic auth, if you go directly to a non UI url (e.g. http://localhost:8983/solr/main_index/select?q=*%3A*) you have to authenticate to it using the browser's basic auth prompt. Which is slightly annoying since the query page in the Admin UI generates links to it for the queries you run, and you've already authenticated to get there. But it's not a massive burden or anything... I guess I just preferred having the browser BA prompt. Thanks