[ 
https://issues.apache.org/jira/browse/SOLR-13345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16816933#comment-16816933
 ] 

Märt commented on SOLR-13345:
-----------------------------

I have the following use case:
 # Version control contains the Solr config with a preconfigured schema and 
security.json (BasicAuthPlugin+RuleBasedAuthorizationPlugin preconfigured with 
an empty password).
 # CI deploys the product to the customer.
 # As a one-time initialization, the customer sends a single request to Solr to 
change the password. Everything else is already preconfigured.

In the development environments, changing the password is not necessary as 
nothing sensitive is indexed. So we just skip changing the password and use the 
empty password. This way the dev environment is identical to the customer's 
with no manual steps required.

One could argue that we could set the initial password to "password" or 
"12345", but this wouldn't make anything more secure and would simply make the 
developer login more inconvenient.

Thank you for considering the issue.

> Admin UI login page doesn't accept empty passwords
> --------------------------------------------------
>
>                 Key: SOLR-13345
>                 URL: https://issues.apache.org/jira/browse/SOLR-13345
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Admin UI
>    Affects Versions: 7.7, 8.0
>            Reporter: Märt
>            Priority: Minor
>
> In Solr 7.6 and older, it was possible to log in with an empty password using 
> basic auth. The new Admin UI login page implemented in SOLR-7896 no longer 
> accepts empty passwords.
> This issue was discussed in the solr-user mailing list 
> http://mail-archives.apache.org/mod_mbox/lucene-solr-user/201903.mbox/%3C7629BDDD-3D22-4203-9188-0E0A8DCF2FEE%40cominvent.com%3E


