[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16420488#comment-16420488 ]
Shawn Heisey commented on SOLR-7896:
------------------------------------

Something said a REALLY long time ago:

bq. Also, I would love for Solr to just be exposed exclusively on my server's internal IP address(es)--but I have no idea how to do that.

All operating systems these days come with a host firewall, and most of them have that firewall turned on by default. Organizations also usually have firewalls and other routing equipment that can filter traffic.

Controlling which interfaces Solr binds to actually cannot be done by Solr itself. By the time Solr starts, all interface binding is already done by the servlet container. I do not know if there are sysprops that can be passed in the Solr startup config to tell Jetty how to do network binding.

For what [~gus_heck] has asked about:

The admin UI doesn't get protected when authentication is turned on. The actual files making up the admin UI don't NEED protection -- there's absolutely nothing in them related to your Solr config or data. It's completely static html/css/javascript/images, data that is identical on every Solr install using that version. The UI is retrieved and then runs in your browser, and makes requests to Solr's API to get information and perform actions.

If you enable authentication (and require it for everything), running the admin UI actually does prompt for authentication. But it's not the UI *itself* that needs it -- when it asks for username/password, it is actually requests to Solr's API (being made by your browser -- not the Solr server) that are being authenticated.

Authenticating the admin UI while leaving the API unprotected is only an illusion of security. Everything the admin UI does can be done directly, using the API.

> Add a login page for Solr Administrative Interface
> --------------------------------------------------
>
>                 Key: SOLR-7896
>                 URL: https://issues.apache.org/jira/browse/SOLR-7896
>             Project: Solr
>          Issue Type: New Feature
>          Components: Admin UI, security
>    Affects Versions: 5.2.1
>            Reporter: Aaron Greenspan
>            Priority: Major
>              Labels: authentication, login, password
>
> Out of the box, the Solr Administrative interface should require a password
> that the user is required to set.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
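
The comment's point that the API, not the static UI, is what must require credentials can be checked from the outside. The following is an added example, not part of the original comment or of Solr: it sends unauthenticated requests to a sample set of Solr admin API paths and reports any that answer without a 401/403. The `make_stub` server is a constructed stand-in for a Solr node so the check runs offline; the path list and all function names are assumptions of this example.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Documented Solr admin API endpoints (assumed sample set; extend for your install).
API_PATHS = ["/solr/admin/info/system", "/solr/admin/cores?action=STATUS"]
UI_PATH = "/solr/"  # static admin UI entry point, listed only for contrast

# Connect directly, ignoring proxy environment variables.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def anonymous_status(base_url, path, timeout=5):
    """Return the HTTP status code an unauthenticated GET receives."""
    try:
        with OPENER.open(base_url + path, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def exposed_paths(base_url):
    """List API paths that answered an anonymous request with anything but 401/403."""
    return [p for p in API_PATHS if anonymous_status(base_url, p) not in (401, 403)]

def make_stub(protect_api):
    """Constructed stand-in for a Solr node: UI always open, API optionally protected."""
    class Stub(BaseHTTPRequestHandler):
        def do_GET(self):
            protected = protect_api and self.path.startswith("/solr/admin/")
            self.send_response(401 if protected else 200)
            if protected:
                self.send_header("WWW-Authenticate", 'Basic realm="solr"')
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Stub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port

if __name__ == "__main__":
    for protect in (False, True):
        server, url = make_stub(protect)
        print("API protected:", protect, "| UI status:", anonymous_status(url, UI_PATH),
              "| exposed API paths:", exposed_paths(url))
        server.shutdown()
```

In both stub configurations the UI path returns 200; only the API result distinguishes a protected node from an unprotected one.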