Posted to solr-user@lucene.apache.org by Erik Hatcher <er...@ehatchersolutions.com> on 2007/04/16 01:40:50 UTC

Re: [Solr Wiki] Update of "SolrSecurity" by ErikHatcher

I added a wiki page to flesh out common security-related concerns  
regarding Solr.  I was recently asked by a client about Solr's  
security, specifically about cross-site scripting vulnerabilities.   
Intuitively I know there is little or no room for concern given that  
Solr is firewalled off in my use of it, and that the administrative  
UI has had fixes in this area long ago.

Beyond that specific concern, I think it is important for us to flesh  
this wiki page out with more details on issues and how they are  
addressed, such as what tweaks folks make to web.xml to protect  
Solr's admin UI and update handlers, and even down to the document  
level on how applications address document-level security for  
environments where users' roles and rights need to factor into which  
documents (or perhaps even specific fields of documents) are not visible.

Thoughts?  If so, let's get them on the wiki so we can readily point  
technology decision makers to it.

Thanks,
	Erik


On Apr 15, 2007, at 7:26 PM, Apache Wiki wrote:

> Dear Wiki user,
>
> You have subscribed to a wiki page or wiki category on "Solr Wiki"  
> for change notification.
>
> The following page has been changed by ErikHatcher:
> http://wiki.apache.org/solr/SolrSecurity
>
> New page:
> First and foremost, Solr does not itself concern itself with  
> security either at the document level or the communication level.   
> It is strongly recommended that the application server containing  
> Solr be firewalled such that the only clients with access to Solr are  
> your own.   A default/example installation of Solr allows any  
> client with access to it to add, update, and delete documents (and  
> of course search/read too), including access to the Solr  
> configuration and schema files and the administrative user interface.
>
> Besides limiting port access to the Solr server, standard Java web  
> security can be added by tuning the container and the Solr web  
> application configuration itself via web.xml.  For example, all  
> /update URLs could require HTTP authentication.
>
> Security-related questions:
>
> Does Solr contain any known cross-site scripting vulnerabilities?  No.
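The web.xml tweak the wiki text mentions (requiring HTTP authentication on the update handler and the admin UI), written out as an added example rather than anything from the wiki page or the Solr distribution. It assumes Solr is deployed as a webapp in a servlet container whose realm maps users to a role; the role name "solr-admin" and realm name "Solr" are assumptions.

```xml
<!-- Added example, not from the wiki page: fragment for Solr's web.xml.
     Role name "solr-admin" and realm name "Solr" are assumptions; the
     container's realm configuration must assign users to that role. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Solr update and admin</web-resource-name>
    <!-- Update handler: any client reaching this can add, replace or
         delete documents, so it gets an auth constraint. -->
    <url-pattern>/update</url-pattern>
    <url-pattern>/update/*</url-pattern>
    <!-- Administrative UI, including the config and schema views -->
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>solr-admin</role-name>
  </auth-constraint>
  <!-- BASIC auth sends credentials base64-encoded, not encrypted;
       CONFIDENTIAL makes the container require an HTTPS connector. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- /select and other read-only handlers are left unconstrained here,
     matching the wiki's suggestion that only update URLs need auth. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Solr</realm-name>
</login-config>

<security-role>
  <role-name>solr-admin</role-name>
</security-role>
```

The container enforces these constraints before any servlet filter runs, so the check applies even though Solr routes requests through its own dispatch filter; the network firewalling recommended above still remains the first line of defence.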