Description
Currently Solr always runs the Admin UI. With the history of XSS issues and other security concerns that have been found in the Admin UI, Solr should offer a mode where the Admin UI is disabled. Maybe, and this is a topic that'll need some serious discussion, this should even be the default when Solr starts.
NOTE: Disabling the Admin UI removes XSS and other attack vectors. But even with the Admin UI disabled, Solr will still be inherently unsafe without firewall protection on a public network.
Proposed design:
A Java system property called headless will be used as an internal flag for starting Solr in headless mode. This property will default to true. The property can be set to false on the command line at startup to turn headless mode off.
Here is an example:
bin/solr start -Dheadless=false
A message will be added following startup describing the mode.
In headless mode the following message will be displayed:
"Solr is running in headless mode. The admin console is unavailable. To turn off headless mode and allow the admin console, use the following startup parameter:
-Dheadless=false"
In non-headless mode the following message will be displayed:
"Solr is running with headless mode turned off. The admin console is available in this mode. Disabling the Admin UI removes XSS and other attack vectors."
If a user attempts to access the admin console while Solr is in headless mode, Solr will return 401 Unauthorized.
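The following servlet filter is an added sketch of the behaviour proposed above; it is illustrative example code, not Solr's own implementation, and the class name, the Admin UI path prefixes and the use of a javax.servlet Filter are assumptions made for the example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (example code, not Solr's) showing the proposed design:
 * the "headless" system property defaults to true, and while it is true every
 * request for the Admin UI is answered with 401 Unauthorized instead of content.
 */
public class HeadlessAdminFilter implements Filter {

  /** Proposed flag: absent or anything other than "false" means headless. */
  static boolean isHeadless() {
    return Boolean.parseBoolean(System.getProperty("headless", "true"));
  }

  /** Paths (relative to the Solr context) assumed to serve the Admin UI. */
  static boolean isAdminUiPath(String path) {
    return path == null || path.isEmpty() || path.equals("/")
        || path.startsWith("/index.html")
        || path.startsWith("/js/") || path.startsWith("/css/")
        || path.startsWith("/img/") || path.startsWith("/partials/");
  }

  /** Startup message described in the proposal, chosen by the flag. */
  static String startupMessage() {
    return isHeadless()
        ? "Solr is running in headless mode. The admin console is unavailable. "
            + "To turn off headless mode use the startup parameter -Dheadless=false"
        : "Solr is running with headless mode turned off. The admin console is available.";
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    // Strip the context path so "/solr/index.html" becomes "/index.html".
    String path = request.getRequestURI().substring(request.getContextPath().length());
    if (isHeadless() && isAdminUiPath(path)) {
      // The proposal specifies 401 for Admin UI requests in headless mode.
      response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Admin UI disabled (headless mode)");
      return;
    }
    chain.doFilter(req, res); // API handlers such as /select are unaffected
  }

  @Override public void init(FilterConfig cfg) {}
  @Override public void destroy() {}
}
```

Only requests matching the assumed Admin UI paths are blocked; query and update handlers pass through, which is what keeps the mode usable for headless deployments.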
Issue Links
- is related to SOLR-13987 Admin UI should not rely on javascript eval() (Closed)