[ https://issues.apache.org/jira/browse/SOLR-1895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12862206#action_12862206 ]
Peter Sturge commented on SOLR-1895:
------------------------------------

{quote}
The usual way is to configure the application server running solr to either use certificate authentication (which requires the connecting client to be able to identify themselves via a secure cert)
{quote}

Yes, cert authentication is a good way to go, but once you've got one (because you have at least some privileges), you can bypass the lower-layer doc security because you've already done the cert auth.

{quote}
configure the application server to not accept connections from (say) anything other than the localhost adapter.
{quote}

I don't understand how localhost-only would give you any access off the box. I guess what I meant was, your client is wherever your client is, and this client could (and probably would) have a web browser installed. If a bona-fide user was an IT Operator, it would be easy for him/her to 'pretend' to be an HR Manager, unless some kind of post-login identity check prevents it. One way 'round this is to encrypt part or all of the http parameters (essentially, this is what the hash mechanism does in SOLR-1872).

> LCF SearchComponent plugin for enforcing LCF security at search time
> --------------------------------------------------------------------
>
>                 Key: SOLR-1895
>                 URL: https://issues.apache.org/jira/browse/SOLR-1895
>             Project: Solr
>          Issue Type: New Feature
>          Components: SearchComponents - other
>            Reporter: Karl Wright
>             Fix For: 1.5
>
>         Attachments: LCFSecurityFilter.java, LCFSecurityFilter.java, LCFSecurityFilter.java
>
>
> I've written an LCF SearchComponent which filters returned results based on access tokens provided by LCF's authority service.
> The component requires you to configure the appropriate authority service URL base, e.g.:
>
> <!-- LCF document security enforcement component -->
> <searchComponent name="lcfSecurity" class="LCFSecurityFilter">
>   <str name="AuthorityServiceBaseURL">http://localhost:8080/lcf-authority-service</str>
> </searchComponent>
>
> Also required are the following schema.xml additions:
>
> <!-- Security fields -->
> <field name="allow_token_document" type="string" indexed="true" stored="false" multiValued="true"/>
> <field name="deny_token_document" type="string" indexed="true" stored="false" multiValued="true"/>
> <field name="allow_token_share" type="string" indexed="true" stored="false" multiValued="true"/>
> <field name="deny_token_share" type="string" indexed="true" stored="false" multiValued="true"/>
>
> Finally, to tie it into the standard request handler, it seems to need to run last:
>
> <requestHandler name="standard" class="solr.SearchHandler" default="true">
>   <arr name="last-components">
>     <str>lcfSecurity</str>
>   </arr>
>   ...
>
> I have not set a package for this code. Nor have I been able to get it reviewed by someone as conversant with Solr as I would prefer. It is my hope, however, that this module will become part of the standard Solr 1.5 suite of search components, since that would tie it in with LCF nicely.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
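As an added illustration, not the code in the attached LCFSecurityFilter.java (whose exact rules are not shown in this thread), the following Python sketches the search-time check such a component performs over the four schema fields above: the filter query it would add for the tokens the authority service returned for the authenticated user, with each token escaped so it cannot alter the query, and the same allow/deny rule evaluated in memory. The share/document combination and the "allow must match, deny must not" rule are assumptions about the semantics.

```python
import re
from typing import Iterable

# Added example, not the LCFSecurityFilter.java attached to SOLR-1895. It
# assumes the simplest reading of the four schema fields: a document is
# visible only if, at both share and document level, one of the user's
# access tokens appears in the allow field and none appears in the deny
# field. The tokens are whatever the LCF authority service returned for
# the *authenticated* user; they are never taken from the request itself.

# Lucene/Solr query metacharacters plus whitespace (which would split a term).
_SOLR_SPECIAL = re.compile(r'([+\-!(){}\[\]^"~*?:\\/ ])')

def escape_token(token: str) -> str:
    """Backslash-escape a token (e.g. an AD SID or 'Domain Users') so that
    splicing it into a query string cannot change the query's structure."""
    return _SOLR_SPECIAL.sub(r'\\\1', token)

def build_security_fq(user_tokens: Iterable[str]) -> str:
    """Return the fq a search-time security component would add for the user."""
    tokens = [escape_token(t) for t in user_tokens]
    if not tokens:
        return "-*:*"  # Solr accepts a pure negative query: matches nothing
    def any_of(field: str) -> str:
        return "(" + " OR ".join(f"{field}:{t}" for t in tokens) + ")"
    return (f"{any_of('allow_token_share')} AND NOT {any_of('deny_token_share')}"
            f" AND {any_of('allow_token_document')}"
            f" AND NOT {any_of('deny_token_document')}")

def is_visible(doc: dict, user_tokens: Iterable[str]) -> bool:
    """The same rule evaluated in memory; doc maps each of the four
    multiValued fields to a list of token strings (missing = empty)."""
    tokens = set(user_tokens)
    if not tokens:
        return False
    for level in ("share", "document"):
        if not tokens & set(doc.get(f"allow_token_{level}", ())):
            return False
        if tokens & set(doc.get(f"deny_token_{level}", ())):
            return False
    return True

# Constructed sample document: shared with everyone at share level, but the
# document itself allows only 'hr' and explicitly denies 'contractors'.
SAMPLE_DOC = {
    "allow_token_share": ["everyone"],
    "allow_token_document": ["hr"],
    "deny_token_document": ["contractors"],
}
```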