Erik Hatcher wrote:
I'm pondering the viability of running Solr as effectively a UI
server... what I mean by that is having a public facing browser-based
application hitting a Solr backend directly for JSON, XML, etc data.
I know folks are doing this (I won't name names, in case this thread
comes up with any vulnerabilities that would affect such existing
environments).
Let's just assume a typical deployment environment... replicated
Solrs behind a load balancer, maybe even a caching proxy.
What known vulnerabilities are there in Solr 1.3, for example?
What I think we can get out of this is a Solr deployment configuration
suitable for direct browser access, but we're not safely there yet are
we? Is this an absurd goal? Must we always have a moving piece
between browser and data/search servers?
Thanks,
Erik
First thing I would look at is disabling write access, or writing a
servlet that sits on top of the write handler to filter your data.
Second thing I would be concerned about is people writing DoS queries
that bypass the cache.
So you may need to write your own custom request handler to filter out
that kind of thing.
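As an added illustration of the filtering layer the reply suggests (this is not code from the thread or from the Solr project), here is the request policy such a filter would enforce in front of a browser-facing Solr: only the read handler is reachable, only a known set of query parameters pass through, and the parameters that make queries expensive are capped. The handler path, parameter allowlist and limits are assumed values chosen for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed policy values for a filter sitting between the browser and Solr.
ALLOWED_PATHS = {"/solr/select"}            # read-only search handler only
ALLOWED_PARAMS = {"q", "fq", "start", "rows", "fl", "sort", "wt",
                  "facet", "facet.field", "facet.limit"}
ALLOWED_WT = {"json", "xml"}                # response writers the UI needs
MAX_ROWS, MAX_START, MAX_FACET_LIMIT, MAX_Q_LEN = 100, 10000, 200, 512


def has_leading_wildcard(q):
    """True if any query term starts with * or ? (expensive to evaluate); *:* is allowed."""
    for token in q.split():
        term = token.rsplit(":", 1)[-1]
        if term == "*":
            continue
        if term.startswith(("*", "?")):
            return True
    return False


def _int_within(params, name, limit):
    """Missing is fine; a non-integer or a value outside 0..limit is rejected."""
    if name not in params:
        return True
    try:
        return 0 <= int(params[name][0]) <= limit
    except ValueError:
        return False


def check_request(method, url):
    """Return (allowed, reason) for a request the browser wants forwarded to Solr."""
    if method.upper() != "GET":
        return False, "only GET is forwarded; update handler posts never reach Solr"
    parts = urlsplit(url)
    if parts.path not in ALLOWED_PATHS:
        return False, "handler not allowed: " + parts.path
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in params:
        # Unknown parameters are dropped outright; this covers 'qt', which would
        # re-route the request to another handler, and the stream.* parameters.
        if name not in ALLOWED_PARAMS:
            return False, "parameter not allowed: " + name
    for name, limit in (("rows", MAX_ROWS), ("start", MAX_START),
                        ("facet.limit", MAX_FACET_LIMIT)):
        if not _int_within(params, name, limit):
            return False, name + " is non-numeric or above its limit"
    if "wt" in params and params["wt"][0] not in ALLOWED_WT:
        return False, "response writer not allowed"
    q = params.get("q", [""])[0]
    if len(q) > MAX_Q_LEN or has_leading_wildcard(q):
        return False, "query too long or uses a leading wildcard"
    return True, "ok"
```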