lucene-solr-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Koorosh Vakhshoori <>
Subject RE: Any option to NOT return stack trace in Solr response?
Date Fri, 22 Jul 2016 23:09:16 GMT
Hi Alex,
  Thanks for confirming my finding.

  When it comes to Solr interfacing to a client, I agree completely.  However, I was hoping
to limit the noise at Solr and not have to add extra code to filter out the exceptions. Just
wondering, wouldn't it be a cleaner RESTFUL interface if instead of reporting the stack trace
in response, Solr would return an error code and a basic message pointing back to Solr log
for details such as stack trace. I am curious, what use case would it serve where one would
require the stack trace in response?

  If there is interest, I could open an JIRA and come up with a patch.



-----Original Message-----
From: Alexandre Rafalovitch [] 
Sent: Thursday, July 21, 2016 6:54 PM
To: solr-user <>
Subject: Re: Any option to NOT return stack trace in Solr response?

I don't think there is a flag.

But the bigger question is whether you are exposing Solr directly to the client? You should
not be. You should have a middleware client that talks to Solr and then generates web UI or

If you give untrusted access to Solr, there are too many things that can be done, starting
from deleting the whole index.

It might be possible to have a smart proxy and expose Solr with heavily filtered valid URLs,
then you would need to scrub response.

That's all I can think of without hacking and reregistering with your own response handler
(probably not that hard).

Newsletter and resources for Solr beginners and intermediates:

On 22 July 2016 at 03:35, Koorosh Vakhshoori <> wrote:
> Hi all,
>   Got a Solr 5.2.1 installation. I am getting following error response when calling the
TERMS component. Now the error is not the point, I know what is going on in this instance.
However, to address security concerns, I am trying to have Solr truncate the stack trace in
the response. Of course I would still want Solr to log the error in its log file. What I was
wondering, if there is a flag or option I can set in solrconfig.xml globally or under TERMS
to omit the trace or just return ' java.lang.NullPointerException'? I have looked at the source
code and don't see anything relevant. However, I may have missed something. Appreciated any
suggestion and pointers.
> <response>
> <lst name="responseHeader">
> <int name="status">500</int>
> <int name="QTime">5</int>
> </lst>
> <lst name="error">
> <str name="trace">
> java.lang.NullPointerException at 
> org.apache.solr.handler.component.SearchHandler.handleRequestBody(Sear
> at 
> org.apache.solr.handler.RequestHandlerBase.handleRequest(RequestHandle
> at 
> org.apache.solr.core.SolrCore.execute( at 
> org.apache.solr.servlet.HttpSolrCall.execute( at 
> at 
> org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter
> .java:227) at 
> org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter
> .java:196) at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appli
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFi
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appli
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFi
> at 
> org.apache.catalina.filters.CorsFilter.handleNonCORS(
> 39) at 
> org.apache.catalina.filters.CorsFilter.doFilter( 
> at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appli
> at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFi
> at 
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperVa
> at org.apache.catalina.core.StandardContextValve.invoke(
at org.apache.catalina.core.StandardHostValve.invoke( at org.apache.catalina.valves.ErrorReportValve.invoke(
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(
at org.apache.catalina.core.StandardEngineValve.invoke( at org.apache.catalina.connector.CoyoteAdapter.service(
at org.apache.coyote.http11.AbstractHttp11Processor.process(
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(
at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(
at$SocketProcessor.doRun( at$ at java.util.concurrent.ThreadPoolExecutor.runWorker(
at java.util.concurrent.ThreadPoolExecutor$ at org.apache.tomcat.util.threads.TaskThread$
> </str>
> <int name="code">500</int>
> </lst>
> </response>
> Regards,
> Koorosh
View raw message