[ 
https://issues.apache.org/jira/browse/SOLR-13463?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16840393#comment-16840393
 ] 

Vinodh commented on SOLR-13463:
-------------------------------

Thanks Jan - it worked fine now. Earlier, I was using the
"-Dsolr.httpclient.config=" property pointing to a basicAuth.conf file in which
I had defined the credentials in username:password format, which is incorrect.
Instead, the username and password should be in the format below to make it work.

httpBasicAuthUser=user
httpBasicAuthPassword=password

Is there any way to use the Solr user's encrypted password rather than a plain
text password? That would be really helpful when running curl commands & SolrJ
API calls, where a plain text password is given, which exposes the password to
others. In other words, is there any encryption mechanism to use encrypted
passwords instead of using plain text?

> Solr admin user credentials defined with -Dbasicauth property during start is 
> visible in admin UI to any user.
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: SOLR-13463
>                 URL: https://issues.apache.org/jira/browse/SOLR-13463
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Admin UI
>    Affects Versions: 7.7.1
>         Environment: QA
>            Reporter: Vinodh
>            Priority: Major
>              Labels: admin-interface, credentials
>
> We have configured Solr basic authentication in our environment and used the
> -Dbasicauth property to define username:password. Since this property is
> added to Solr startup, the Solr admin username & password details defined
> with the -Dbasicauth property are displayed in plain text format to all users who
> are able to log in to the admin UI, in the JVM & Java properties sections.
> So even a read user who has privileges to log in to the admin UI is able to see
> the admin user's username & password details.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
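
Added example, not part of the original message and not Solr's own code: a Python check that flags credentials passed inline with -Dbasicauth and verifies that the file named by -Dsolr.httpclient.config uses the two keys given in the comment. The parser is a simplified key=value reader (an assumption, not full Java properties parsing), and the path, arguments and credentials are constructed placeholders.

```python
import re

# Keys the comment above gives as the working file format.
REQUIRED_KEYS = ("httpBasicAuthUser", "httpBasicAuthPassword")

def parse_props(text):
    """Simplified key=value parser (assumption: not full java.util.Properties)."""
    props, bad = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip():
            props[key.strip()] = value.strip()
        else:
            bad.append(n)                     # e.g. a bare username:password line
    return props, bad

def audit(jvm_args, files):
    """Check JVM arguments; `files` maps a config path to its text content."""
    findings = []
    for arg in jvm_args:
        m = re.fullmatch(r"-D([^=]+)=(.*)", arg)
        if not m:
            continue
        name, value = m.groups()
        if name == "basicauth" and ":" in value:
            findings.append("inline-credentials: -Dbasicauth holds user:password in the JVM arguments")
        elif name == "solr.httpclient.config":
            if value not in files:
                findings.append(f"missing-file: {value}")
                continue
            props, bad = parse_props(files[value])
            findings += [f"bad-line: {value}:{n} is not key=value" for n in bad]
            findings += [f"missing-key: {value} lacks {k}"
                         for k in REQUIRED_KEYS if not props.get(k)]
    return findings

# Constructed sample input (path and credentials are placeholders).
CONF = "/opt/solr/basicAuth.conf"
INLINE_ARGS = ["-Xmx512m", "-Dbasicauth=admin:example-password"]
FILE_ARGS = ["-Xmx512m", f"-Dsolr.httpclient.config={CONF}"]
WRONG_FILE = {CONF: "admin:example-password\n"}
RIGHT_FILE = {CONF: "httpBasicAuthUser=admin\nhttpBasicAuthPassword=example-password\n"}

if __name__ == "__main__":
    for args, files in ((INLINE_ARGS, {}), (FILE_ARGS, WRONG_FILE), (FILE_ARGS, RIGHT_FILE)):
        print(audit(args, files) or "ok")
```
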
