Posted to dev@lucene.apache.org by "Märt (JIRA)" <ji...@apache.org> on 2019/04/13 12:45:00 UTC

[jira] [Commented] (SOLR-13345) Admin UI login page doesn't accept empty passwords

    [ https://issues.apache.org/jira/browse/SOLR-13345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16816933#comment-16816933 ] 

Märt commented on SOLR-13345:
-----------------------------

I have the following use case:
 1. Version control contains the Solr config with a preconfigured schema and security.json (BasicAuthPlugin + RuleBasedAuthorizationPlugin preconfigured with an empty password).
 2. CI deploys the product to the customer.
 3. As a one-time initialization, the customer sends a single request to Solr to change the password. Everything else is already preconfigured.

In the development environments, changing the password is not necessary as nothing sensitive is indexed. So we just skip changing the password and use the empty password. This way the dev environment is identical to the customer's with no manual steps required.

One could argue that we could set the initial password to "password" or "12345", but this wouldn't make anything more secure and would simply make the developer login more inconvenient.

Thank you for considering the issue.

> Admin UI login page doesn't accept empty passwords
> --------------------------------------------------
>
>                 Key: SOLR-13345
>                 URL: https://issues.apache.org/jira/browse/SOLR-13345
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Admin UI
>    Affects Versions: 7.7, 8.0
>            Reporter: Märt
>            Priority: Minor
>
> In Solr 7.6 and older, it was possible to log in with an empty password using basic auth. The new Admin UI login page implemented in SOLR-7896 no longer accepts empty passwords.
> This issue was discussed in the solr-user mailing list http://mail-archives.apache.org/mod_mbox/lucene-solr-user/201903.mbox/%3C7629BDDD-3D22-4203-9188-0E0A8DCF2FEE%40cominvent.com%3E


