lucene-dev mailing list archives

From Chris Hostetter <hossman_luc...@fucit.org>
Subject Re: Solr Security
Date Wed, 02 Jun 2010 19:14:12 GMT
: requestHandlers are those that are active on default. I think the gist of
: what you're saying is go through my solrconfig.xml file and secure any paths
: that seem like they should be "admin" only? We are not really concerned

correct.

: about security so much as just making sure the average user cannot mess
: anything up. Users should only be able to search and retrieve xml
: responses from solr and admins should be able to do everything and
: anything else.

sure ... but if your "users" are people who can hit the solr app directly, 
and if you are planning to block access to "/update" that implies that you 
are worried about them *trying* to update -- in which case you should also 
block /select?qt=/update because they could use that to update as well  
(it doesn't matter if there are no links to that URL anywhere, there are 
no links to /update either -- but evidently you are worried about your 
users constructing that URL as well)

: > : BASIC Tomcat. Essentially I want users to only be able to /select/* and
: > : admins to be able to do everything else. Right now I am checking for
: > :
: > : /select/* - Users
: > : /admin/*  - Admin
: > : /update/* - Admin
: > :
: > : Are there other url strings I should be protecting?
: > : (This was unclear to me in the documentation)
: >
: > in general it depends on what requestHandlers you have configured in your
: > solrconfig.xml ...  if you have an instance of the ExtractingRequestHandler
: > configured with the path "/extract/stuff" then you'll probably want to
: > protect that as well.  In particular you may want to block users from
: > accessing /replication (but then you'll need to give special access to
: > the slave machines so they can query the master)
: >
: > You should also watch out for the "qt" param when using the special
: > "/select" path.  I would suggest that you just block user access to
: > /select, and use specific paths for accessing handlers directly (i.e.
: > /search, /dismax, etc...)
: >
: >
: > -Hoss
: >
: >
: > ---------------------------------------------------------------------
: > To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
: > For additional commands, e-mail: dev-help@lucene.apache.org



-Hoss


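As an added illustration of the "qt" pitfall discussed in this reply (example code written for this archive page, not from the thread or from Solr itself): a request-classification check that compares a path-only rule, like a Tomcat <url-pattern>, with one that first resolves the handler a /select request actually reaches. The handler names and the user/admin role table are assumptions modelled on the solrconfig.xml paths mentioned above.

```python
from urllib.parse import urlsplit, parse_qs

# Handler names and roles are assumptions modelled on the thread's
# solrconfig.xml paths; this is an illustrative policy table, not Solr config.
USER_HANDLERS = {"/search", "/dismax"}          # read-only search handlers
ADMIN_HANDLERS = {"/update", "/admin", "/replication", "/extract/stuff"}


def _matches(handler, prefix):
    # "/admin" must cover "/admin/ping" but not "/administer"
    return handler == prefix or handler.startswith(prefix + "/")


def effective_handler(url):
    """Return the handler a request is dispatched to.

    Models the Solr 1.x dispatch rule the thread describes: a request to the
    special "/select" path is routed to whatever handler the "qt" parameter
    names, so the URL path alone does not identify the handler.
    """
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    if path == "/select":
        return parse_qs(parts.query).get("qt", ["standard"])[0]
    return path


def role_by_path_only(url):
    """A web.xml-style <url-pattern> check: inspects the path, never the query."""
    path = urlsplit(url).path.rstrip("/")
    return "admin" if any(_matches(path, p) for p in ADMIN_HANDLERS) else "user"


def role_by_handler(url):
    """Resolve the handler first, allow-list user handlers, deny the rest."""
    handler = effective_handler(url)
    if any(_matches(handler, p) for p in USER_HANDLERS):
        return "user"
    # Default-deny: /select (any qt, or none) and unknown handlers need admin,
    # which is the "block user access to /select" advice from the thread.
    return "admin"


if __name__ == "__main__":
    for u in ("/search?q=solr", "/update?commit=true", "/select?q=x&qt=/update"):
        print(f"{u:28} path-only={role_by_path_only(u):5} by-handler={role_by_handler(u)}")
```

Run as-is, the path-only rule admits `/select?q=x&qt=/update` as a user request while the handler-aware rule classifies it as admin.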

