lucene-dev mailing list archives

From "Matthew Mauriello" <mm578...@albany.edu>
Subject Re: Solr Security
Date Wed, 02 Jun 2010 19:21:00 GMT
Thanks for the quick response, I'll look into this a bit more and see what
I can do.

~Matt

> : requestHandlers are those that are active on default. I think the gist
> : of what you're saying is go through my solrconfig.xml file and secure any
> : paths that seem like they should be "admin" only? We are not really concerned
>
> correct.
>
> : about security so much as just making sure the average user cannot mess
> : anything up. Users should only be able to search and retrieve xml
> : responses from solr and admins should be able to do everything and
> : anything else.
>
> sure ... but if your "users" are people who can hit the solr app directly,
> and if you are planning to block access to "/update" that implies that you
> are worried about them *trying* to update -- in which case you should also
> block /select?qt=/update because they could use that to update as well
> (it doesn't matter if there are no links to that URL anywhere, there are
> no links to /update either -- but evidently you are worried about your
> users constructing that URL as well)
>
> : > : BASIC Tomcat. Essentially I want users to only be able to /select/*
> : > : and admins to be able to do everything else. Right now I am checking for
> : > :
> : > : /select/* - Users
> : > : /admin/*  - Admin
> : > : /update/* - Admin
> : > :
> : > : Are there other url strings I should be protecting?
> : > : (This was unclear to me in the documentation)
> : >
> : > in general it depends on what requestHandlers you have configured in
> : > your solrconfig.xml ...  if you have an instance of the
> : > ExtractingRequestHandler configured with the path "/extract/stuff" then
> : > you'll probably want to protect that as well.  In particular you may want
> : > to block users from accessing /replication (but then you'll need to give
> : > special access to the slave machines so they can query the master)
> : >
> : > You should also watch out for the "qt" param when using the special
> : > "/select" path.  I would suggest that you just block user access to
> : > /select, and use specific paths for accessing handlers directly (ie
> : > /search, /dismax, etc...)
> : >
> : >
> : > -Hoss
> : >
> : >
> : > ---------------------------------------------------------------------
> : > To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
> : > For additional commands, e-mail: dev-help@lucene.apache.org
> : >
> : >
>
>
>
> -Hoss
>


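As an added illustration of the point Hoss makes above (this is not code from the thread or from the Solr project): the script below assumes a constructed solrconfig.xml fragment and models the two views that disagree, the servlet container authorising on the URL path and Solr dispatching "/select" on the "qt" parameter, then lists which handlers a plain "user" role can still reach under the path-only policy from the question beside a hardened one that blocks /select and exposes an explicit /search path.

```python
import xml.etree.ElementTree as ET

# Constructed solrconfig.xml fragment (handler names only, not from the thread).
SOLRCONFIG = """<config>
  <requestHandler name="/select" class="solr.SearchHandler"/>
  <requestHandler name="/search" class="solr.SearchHandler"/>
  <requestHandler name="/update" class="solr.XmlUpdateRequestHandler"/>
  <requestHandler name="/admin/" class="solr.admin.AdminHandlers"/>
  <requestHandler name="/replication" class="solr.ReplicationHandler"/>
</config>"""

# web.xml-style constraints: url-pattern (always "/prefix/*" here) -> allowed roles.
# Weak: the three patterns from the original question, /select open to users.
WEAK_POLICY = {"/select/*": {"user", "admin"}, "/update/*": {"admin"},
               "/admin/*": {"admin"}}
# Hardened: /select admin-only, explicit /search path for users, /replication blocked.
HARDENED_POLICY = {"/select/*": {"admin"}, "/search/*": {"user", "admin"},
                   "/update/*": {"admin"}, "/admin/*": {"admin"},
                   "/replication/*": {"admin"}}


def handler_names(solrconfig_xml):
    """Names of every <requestHandler> registered in solrconfig.xml."""
    return [h.get("name") for h in ET.fromstring(solrconfig_xml).iter("requestHandler")]


def path_allowed(policy, path, role):
    """Container view: the longest matching '/prefix/*' pattern decides;
    a path no pattern covers is open to everyone."""
    matches = [p for p in policy
               if path == p[:-2] or path.startswith(p[:-2] + "/")]
    if not matches:
        return True
    return role in policy[max(matches, key=len)]


def reachable_handlers(policy, solrconfig_xml, role="user"):
    """Handlers `role` can invoke, with the URL(s) that get there."""
    reach = {}
    for name in handler_names(solrconfig_xml):
        routes = []
        if path_allowed(policy, name, role):
            routes.append(name)
        # Solr view: /select?qt=<name> runs <name>, but the container only
        # ever authorises the path "/select".
        if name != "/select" and path_allowed(policy, "/select", role):
            routes.append("/select?qt=" + name)
        if routes:
            reach[name] = routes
    return reach
```

Under the weak policy the audit reports /update reachable only through the qt route and /replication reachable directly, which is exactly the gap the reply warns about; under the hardened policy a user reaches /search and nothing else.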