I added a wiki page to flesh out common security-related concerns regarding Solr. I was recently asked by a client about Solr's security, specifically about cross-site scripting vulnerabilities. Intuitively I know there is little or no room for concern given that Solr is firewalled off in my use of it, and that the administrative UI has had fixes in this area long ago.

Beyond that specific concern, I think it is important for us to flesh this wiki page out with more details on issues and how they are addressed, such as what tweaks folks make to web.xml to protect Solr's admin UI and update handlers, and even down to the document level on how applications address document-level security for environments where users' roles and rights need to factor into which documents (or perhaps even specific fields of documents) are not visible.

Thoughts? If so, let's get them on the wiki so we can readily point technology decision makers to it.

Thanks,
        Erik


On Apr 15, 2007, at 7:26 PM, Apache Wiki wrote:

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Solr Wiki" for change notification.

The following page has been changed by ErikHatcher:
http://wiki.apache.org/solr/SolrSecurity

New page:
First and foremost, Solr does not itself concern itself with security either at the document level or the communication level. It is strongly recommended that the application server containing Solr be firewalled such the only clients with access to Solr are your own. A default/example installation of Solr allows any client with access to it to add, update, and delete documents (and of course search/read too), including access to the Solr configuration and schema files and the administrative user interface.

Besides limiting port access to the Solr server, standard Java web security can be added by tuning the container and the Solr web application configuration itself via web.xml. For example, all /update URLs could require HTTP authentication.

Security-related questions:

Does Solr contain any known cross-site scripting vulnerabilities?  No.

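As an added illustration of the web.xml tuning the wiki text describes (this is example configuration, not content from the wiki page or the Solr project), the fragment below declares a servlet security-constraint that requires HTTP Basic authentication for the update handler and the admin UI while leaving search requests open. The role name `solr-updater` and the realm name are assumptions; the servlet container must map actual users to that role in its own realm configuration, and Basic auth should only be used over TLS or on a firewalled network, as the wiki already advises.

```xml
<!-- Fragment to add inside the existing <web-app> element of Solr's web.xml.
     Role and realm names are assumptions for this example. -->

<!-- Everything under /update and /admin requires an authenticated user
     holding the solr-updater role; /select and other read paths stay open. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Solr write and admin paths</web-resource-name>
    <url-pattern>/update</url-pattern>
    <url-pattern>/update/*</url-pattern>
    <url-pattern>/admin/*</url-pattern>
    <!-- No http-method list: the constraint applies to every method,
         so a GET to /update cannot bypass the check. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>solr-updater</role-name>
  </auth-constraint>
</security-constraint>

<!-- HTTP Basic authentication against the container's realm
     (realm name is an assumption; configure it in the container). -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Solr</realm-name>
</login-config>

<!-- The role referenced above must be declared in the web application. -->
<security-role>
  <role-name>solr-updater</role-name>
</security-role>
```

A quick check after deploying: an unauthenticated request to /update should receive a 401, while the same request to /select still returns results.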