rmuir commented on PR #11852: URL: https://github.com/apache/lucene/pull/11852#issuecomment-1307217205
> I'm late to the party. Do we really want to have/maintain a web application under Lucene? An HTTP server would not be sufficient to develop a stateful web app; you need to write an application server from scratch to interact with users. If you create a separate OSS project for that, you can use any standard web technology such as Servlet API.

This is my concern, too. Security nightmare. While it is good that it only binds to localhost by default, the current PR still allows someone to bind to the network and thus we will have to deal with security hassles around it. You put a webapp out there, people gonna break it. Especially with the HTTP framework here: it's the built-in one that is rather simplistic and weak. There's no auth or security here at all, it's unclear which files on the server can be accessed, and it's doing some scary low-level stuff such as reflection in the JSON serialization, etc.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.