lucene-dev mailing list archives

From "Shalin Shekhar Mangar (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SOLR-7896) Solr Administrative Interface Lacks Password Protection
Date Fri, 07 Aug 2015 05:18:45 GMT

    [ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14661338#comment-14661338 ]

Shalin Shekhar Mangar commented on SOLR-7896:
---------------------------------------------

Of course, this doesn't mean that you should expose Solr to the world-wide-web. It is still
not secure against all kinds of attacks.

> Solr Administrative Interface Lacks Password Protection
> -------------------------------------------------------
>
>                 Key: SOLR-7896
>                 URL: https://issues.apache.org/jira/browse/SOLR-7896
>             Project: Solr
>          Issue Type: Bug
>          Components: security, web gui
>    Affects Versions: 5.2.1
>            Reporter: Aaron Greenspan
>            Priority: Critical
>
> Out of the box, the Solr interface should require an administrative password that the
> user is required to set. Apparently there are ways of configuring Jetty to do this with HTTP
> AUTH or whatever. I'm a moderately experienced Linux admin and a programmer; I've tried, numerous
> times, and I've not once been able to get it to work. The point is this, though:
> *No one should have to try to get their Solr instance to support password authentication
> and preferably SSL (even if it's just with a self-signed certificate). Solr is designed to
> store huge amounts of data and is therefore a likely target for malicious users.*
> This needs to be addressed! It's 2015 and Solr is on version 5!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
