[ 
https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16419536#comment-16419536
 ] 

Aaron Greenspan commented on SOLR-7896:
---------------------------------------

I agree with Gus that the primary issue here is just getting some kind of 
simple protection for the admin UI in place.

Maybe there's a better solution than the key I've proposed, but I would note 
that the worst-case scenario of the server being "forever compromised" is 
already the default way Solr works now. Everything is open and effectively 
pre-compromised. If browser development tools can see requests to a Solr 
back-end to discover my hypothetical key, they can already see requests to the 
server and can discover everything in the store, so something is wrong with how 
the developer built their site. (I'd think Solr requests should be going on in 
the background, not in some client-side JavaScript call.) Furthermore, all of 
the general arguments as to why a key would be insecure could be made for any 
password authentication scheme (someone could discover it, it should be changed 
regularly, etc.).

My point was that users should not be sending their admin passwords in an HTTP 
GET string. So a randomly-generated key would be preferable given that Solr 
works that way.

> Add a login page for Solr Administrative Interface
> --------------------------------------------------
>
>                 Key: SOLR-7896
>                 URL: https://issues.apache.org/jira/browse/SOLR-7896
>             Project: Solr
>          Issue Type: New Feature
>          Components: Admin UI, security
>    Affects Versions: 5.2.1
>            Reporter: Aaron Greenspan
>            Priority: Major
>              Labels: authentication, login, password
>
> Out of the box, the Solr Administrative interface should require a password 
> that the user is required to set.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)