Ryan McKinley wrote:
solr.jar on the other hand lets you package what you want around
search features to build a setup for your needs. Java already has so
many options for how to secure / authenticate that you can just plug
them into your own app. (if that is appropriate). In the past I have
used a filter based on:
http://www.onjava.com/pub/a/onjava/2004/03/24/loadcontrol.html
to limit load -- however I have found that in any site where
stability/load and uptime are a serious concern, this is better
handled in a tier in front of java -- typically the loadbalancer /
haproxy / whatever -- and managed by people more cautious than me.
ryan

Couldn't agree more. Almost all security and protection belong outside
of solr. It can and will be done better, and solr can stick to what it's
good at. Smaller things like limiting complex query attacks or something
seem more reasonable, but any real security should be provided
elsewhere. Wouldn't that be odd if a bunch of open source products
reimplemented network security layers and defenses on every project...