On Mar 14, 2007, at 11:09 AM, Brian Whitman wrote:


The recommendation is to firewall off Solr so only your application server can access it. Solr is not at all designed for direct client (browser, etc) access.

Assuming you lock down update properly, what's the problem? We are currently using select directly through the XSLTResponseWriter right into a <div> via Ajax.Updater. Do you predict pain?

I don't predict pain really, but I don't want to see Solr get bogged down in having a lot of security-related code added to it. I do think it would be good for there to be some sort of capability to make Solr read-only in some form or another, such that an indexer could still work from an authorized environment.

Exposing Solr directly to a client does have appeal in the way you're doing it, but it also allows the possibility of hackers tinkering with it and perhaps requesting things they shouldn't. For example, we index tags and annotations, and only a logged-in user can see their own annotations, so exposing Solr directly would subvert that protection.

        Erik
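As an added illustration of the lock-down the thread describes (not code from either poster or from Solr itself): an application-side gateway that lets a browser reach only the select handler, refuses everything else, bounds the parameters it forwards, and appends the per-user visibility filter itself so annotations stay restricted to their owner. The handler path, the `owner` field, and the stylesheet list are assumptions.

```python
"""Allowlisting gateway in front of a browser-exposed Solr select handler.
Assumed schema: every document carries an `owner` field holding either the
literal `public` or a user id. Handler path and stylesheet name are assumed."""
import re
from urllib.parse import parse_qs, urlencode

ALLOWED_PATH = "/solr/select"                 # the only handler a browser may reach
ALLOWED_PARAMS = {"q", "start", "rows", "fl", "sort", "wt", "tr"}
ALLOWED_STYLESHEETS = {"results.xsl"}         # tr= values the application ships
MAX_ROWS = 50
USER_ID_RE = re.compile(r"^[A-Za-z0-9_]+$")   # ids come from the session, still validated


def gate_request(method, path, query, user_id=None):
    """Decide whether a client request may be forwarded to Solr.

    Returns (status, forwarded_query): 200 with the rewritten query string,
    or 403/400 with None. user_id is taken from the application's session,
    never from the client-supplied query."""
    if method != "GET" or path != ALLOWED_PATH:
        return 403, None           # /update, /admin and friends never reach Solr
    params = parse_qs(query, keep_blank_values=True)
    if any(name not in ALLOWED_PARAMS or len(vals) != 1
           for name, vals in params.items()):
        return 400, None           # unknown or repeated params are not forwarded
    flat = {name: vals[0] for name, vals in params.items()}
    if not flat.get("q", "").strip():
        return 400, None
    try:
        start, rows = int(flat.get("start", "0")), int(flat.get("rows", "10"))
    except ValueError:
        return 400, None
    if start < 0 or not 0 < rows <= MAX_ROWS:
        return 400, None           # keep a single request from paging the whole index
    if flat.get("wt") == "xslt" and flat.get("tr") not in ALLOWED_STYLESHEETS:
        return 400, None           # only the stylesheets the app ships are selectable
    if user_id is not None and not USER_ID_RE.match(user_id):
        return 403, None
    # Row-level restriction: anonymous callers see public documents only; a
    # logged-in user additionally sees documents they own. Sent as fq, which
    # can only narrow the result set, and never accepted from the client.
    visibility = "public" if user_id is None else f"(public OR {user_id})"
    flat["start"], flat["rows"] = str(start), str(rows)
    flat["fq"] = f"owner:{visibility}"
    return 200, urlencode(flat)
```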
