Help

SA-5

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SA-5

resplin
Intermediate
0 0 1,249
‎13 Mar 2015 3:37 PM

Security Advisory 5


Date: 2012-04-26

Summary:  SOLR REST API allows unauthenticated access to repository contents

Related Issues: ALF-13721

Affects: 4.0

Fixed in: 4.0.1, with a hotfix available for 4.0.

An omission has been discovered that meant that HTTP access to repository APIs under the paths /alfresco/s/api/solr, /alfresco/wcservice/api/solr and /alfresco/wcs/api/solr were not protected by SOLR’s SSL certificate and could potentially be used by an unauthenticated user to retrieve information from the repository. This issue affects you whether or not you have configured and installed SOLR for search.

The issue is easily addressed by adding some XML to your web.xml. If you take a look at the web.xml file, you'll see a security-constraint element that matches on the '/service/api/solr' pattern. The issue is that the web script is accessible via several other patterns not covered by existing security constraints.


  <security-constraint>
     <web-resource-collection>
        <web-resource-name>SOLR</web-resource-name>
        <url-pattern>/service/api/solr/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
        <role-name>repoclient</role-name>
     </auth-constraint>
     <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
  </security-constraint>


You can plug the hole yourself by adding the following additional security constraints:


  <security-constraint>
     <web-resource-collection>
        <web-resource-name>SOLR</web-resource-name>
        <url-pattern>/s/api/solr/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
        <role-name>repoclient</role-name>
     </auth-constraint>
     <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
  </security-constraint>
  <security-constraint>
     <web-resource-collection>
        <web-resource-name>SOLR</web-resource-name>
        <url-pattern>/wcservice/api/solr/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
        <role-name>repoclient</role-name>
     </auth-constraint>
     <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
  </security-constraint>
  <security-constraint>
     <web-resource-collection>
        <web-resource-name>SOLR</web-resource-name>
        <url-pattern>/wcs/api/solr/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
        <role-name>repoclient</role-name>
     </auth-constraint>
     <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
  </security-constraint>


Security Advisories

0 Kudos
Alfresco Content Services Hub Docs

Ask for and offer help to other Alfresco Content Services Users and members of the Alfresco team.

Related links:

We use cookies on this site to enhance your user experience

By using this site, you are agreeing to allow us to collect and use cookies as outlined in Alfresco’s Cookie Statement and Terms of Use (and you have a legitimate interest in Alfresco and our products, authorizing us to contact you in such methods).   If you are not ok with these terms, please do not use this website.