[ https://issues.apache.org/jira/browse/SOLR-1523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13836512#comment-13836512 ]

Jan Høydahl commented on SOLR-1523:
-----------------------------------

Agree. But this issue feels a bit too broad talking about request handlers in 
general. Our admin API technology of choice seems to be Restlet.

Perhaps create new concrete sub JIRAs, one for new Core admin REST API, one for 
Collections REST API and one for enableRemoteStreaming. Are there other admin 
APIs to consider?

> Destructive Solr operations accept HTTP GET requests 
> -----------------------------------------------------
>
>                 Key: SOLR-1523
>                 URL: https://issues.apache.org/jira/browse/SOLR-1523
>             Project: Solr
>          Issue Type: Improvement
>    Affects Versions: 1.4, 3.6.2, 4.6
>            Reporter: Lance Norskog
>              Labels: security
>
> GET vs. POST/PUT/DELETE
> The multicore implementation allows HTTP GET requests to perform system 
> administration commands. This means that a URL which alters the system can 
> be bookmarked/e-mailed/etc. This is dangerous in a production system.
> A clean implementation should give every request handler the ability to 
> accept some HTTP verbs and reject others. It could be just a boolean for 
> whether it accepts a GET, or the interface might actually have a list of 
> verbs it accepts. 
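The per-handler verb allow-list proposed in the quoted issue, as an added example that is not part of this comment thread and not Solr's own request-handler code: every handler declares the verbs it accepts, and a dispatcher answers 405 to anything else, so a bookmarked core-admin URL fails when replayed as a GET. Handler, Dispatcher, the paths and the sample URL are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Tuple
from urllib.parse import parse_qs, urlsplit

# Hypothetical names for illustration; this is not Solr's own handler API.
Params = Dict[str, str]
Response = Tuple[int, str]  # (HTTP status, body)

@dataclass(frozen=True)
class Handler:
    """A request handler that declares which HTTP verbs it accepts."""
    name: str
    allowed_verbs: FrozenSet[str]
    run: Callable[[Params], str]

class Dispatcher:
    def __init__(self) -> None:
        self._routes: Dict[str, Handler] = {}

    def register(self, path: str, handler: Handler) -> None:
        self._routes[path] = handler

    def dispatch(self, method: str, url: str) -> Response:
        """Route a request, rejecting verbs the handler does not accept."""
        parts = urlsplit(url)
        handler = self._routes.get(parts.path)
        if handler is None:
            return 404, "no handler for " + parts.path
        if method.upper() not in handler.allowed_verbs:
            # 405 Method Not Allowed; the Allow header lists what does work.
            return 405, "Allow: " + ", ".join(sorted(handler.allowed_verbs))
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        return 200, handler.run(params)

def build_dispatcher() -> Dispatcher:
    d = Dispatcher()
    # Read-only search handler: safe to bookmark, so GET is acceptable.
    d.register("/solr/select", Handler("select", frozenset({"GET", "POST"}),
               lambda p: "query " + p.get("q", "*:*")))
    # Core admin handler: actions like UNLOAD alter the system, so POST only.
    d.register("/solr/admin/cores", Handler("cores", frozenset({"POST"}),
               lambda p: "core action " + p.get("action", "STATUS")))
    return d

if __name__ == "__main__":
    d = build_dispatcher()
    bookmarked = "http://localhost:8983/solr/admin/cores?action=UNLOAD&core=c1"
    print(d.dispatch("GET", bookmarked), d.dispatch("POST", bookmarked))
```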



--
This message was sent by Atlassian JIRA
(v6.1#6144)
