Posted to general@lucene.apache.org by Aaron Schon <aa...@yahoo.com> on 2008/12/13 18:01:40 UTC

Lucene authentication

Hi,

If I have a Lucene index (or Solr) that is installed in client premises, how would you go about securing the index from being queried in unauthorized fashion? For example, from malicious users or hackers, or for that matter "internal" users trying to reengineer the system and use it for purposes other than the way licensed.

Any suggestions?
as


      

Re: Lucene authentication

Posted by Chris Hostetter <ho...@fucit.org>.
: > fashion. For example, from malicious users or hackers, or for that matter
: > "internal" users trying to reengineer the system and use it for purposes
: > other than the way licensed.

If you're talking about people who already have access to the physical 
disk the index resides on, but you don't want them to use the index in any 
way except what your application allows, you are largely out of luck -- the 
Lucene index format is well documented and many tools (like Luke) can open 
an arbitrary Lucene index.

The only suggestion I can think of would be to use a RAMDirectory in your 
application where the only persistent data you store is encrypted using 
keys that are hardcoded into your application.



-Hoss


Re: Lucene authentication

Posted by Ken Krugler <kk...@transpac.com>.
>If I have a Lucene index (or Solr) that is installed in client 
>premises, how would you go about securing the index from being 
>queried in unauthorized fashion? For example, from malicious users 
>or hackers, or for that matter "internal" users trying to reengineer 
>the system and use it for purposes other than the way licensed.
>
>Any suggestions?

If all you care about is authentication, then just put something like 
Apache with .htaccess in front of whatever GUI you've got that 
exposes the index search functionality.

If you also need authorization (access control) for specific bits of 
content, then see the Solr list for various discussions about how to 
extend the index with ACL info that gets implicitly used with all 
queries.

-- Ken
-- 
Ken Krugler
Krugle, Inc.
+1 530-210-6378
"If you can't find it, you can't fix it"
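
The ACL approach mentioned in the last reply, sketched as an added example that is not part of the original thread or of any poster's code: every caller-supplied query is wrapped so that a group filter is always applied. It assumes Lucene 8 or 9 on the classpath and Java 9+; the `acl` field name, the group names and the sample documents are constructed for illustration.

```java
import java.util.List;
import org.apache.lucene.analysis.standard.StandardAnalyzer;
import org.apache.lucene.document.*;
import org.apache.lucene.index.*;
import org.apache.lucene.search.*;
import org.apache.lucene.store.ByteBuffersDirectory;

public class AclSearchExample {
    // Hypothetical field listing the groups allowed to see a document.
    static final String ACL_FIELD = "acl";

    static void addDoc(IndexWriter w, String body, String... groups) throws Exception {
        Document d = new Document();
        d.add(new TextField("body", body, Field.Store.NO));
        for (String g : groups) d.add(new StringField(ACL_FIELD, g, Field.Store.NO));
        w.addDocument(d);
    }

    // Wrap any query so the ACL restriction is applied server-side, never by the client.
    // A caller with no groups gets an empty filter, which matches no documents.
    static Query restrict(Query userQuery, List<String> callerGroups) {
        BooleanQuery.Builder acl = new BooleanQuery.Builder();
        for (String g : callerGroups)
            acl.add(new TermQuery(new Term(ACL_FIELD, g)), BooleanClause.Occur.SHOULD);
        return new BooleanQuery.Builder()
            .add(userQuery, BooleanClause.Occur.MUST)
            .add(acl.build(), BooleanClause.Occur.FILTER) // filters without affecting scores
            .build();
    }

    public static void main(String[] args) throws Exception {
        try (ByteBuffersDirectory dir = new ByteBuffersDirectory();
             IndexWriter w = new IndexWriter(dir, new IndexWriterConfig(new StandardAnalyzer()))) {
            // Constructed sample documents.
            addDoc(w, "quarterly revenue report", "finance");
            addDoc(w, "public product report", "finance", "everyone");
            w.commit();
            try (DirectoryReader r = DirectoryReader.open(dir)) {
                IndexSearcher s = new IndexSearcher(r);
                Query q = new TermQuery(new Term("body", "report"));
                for (List<String> groups : List.of(List.of("finance"), List.of("everyone"), List.<String>of()))
                    System.out.println(groups + " -> " + s.count(restrict(q, groups)) + " hit(s)");
            }
        }
    }
}
```

The group list must come from the authenticated session on the server, not from a request parameter. This filter only constrains queries that pass through the application; as the first reply notes, anyone with access to the index files on disk can open them directly.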