Secured Content in Index

I can see that unified search automatically trims out results that the current user does not have access to -- but the REST and JavaScript APIs do not. If our client has a requirement that even the metadata cannot ever be discoverable by less-privileged users, is it possible to secure index items within the elastic index so that even the public APIs do not return content that users are not privileged enough to view?

#181649
Aug 25, 2017 17:07
Hi 

I think FilterForVisitor is what you are looking for: http://world.episerver.com/documentation/Class-library/?documentId=find/8/6941FA55

David

#181659
Aug 26, 2017 15:39
FilterForVisitor applies a filter to the query that gets sent to the web service, but it doesn't make the index any more secure. When you use the server API, you can watch the queries (through Fiddler or a similar tool) it is sending to the open REST API to query the index. It does filter out the content I don't want to expose -- but since that REST API itself is open to any user who knows how to execute a web service, they can execute the same query without the filters applied to see the indexed information that our client doesn't want exposed.

Can an index be locked down in a way that only certain user accounts, or only certain IP address(es), can use the web/JS API?

#181670
Aug 28, 2017 11:11
I believe it may be possible to lock down by IP address. Contact Episerver managed services to set it up.

Also worth bearing in mind: you should never expose your Find REST endpoint URL to the public.

#181677
Aug 28, 2017 12:26
Agreed on the endpoint, but "not exposing" the URL is not even close to the same thing as securing it, especially since I know this client will perform vulnerability testing that will (and has in the past) discover all unsecured endpoints whether they are exposed or not, and so would anyone who was purposefully (maliciously) digging for information they were not supposed to access. I will follow up with managed services.

#181698
Aug 28, 2017 14:55
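The trust-boundary problem the thread describes, modelled as an added example (this is illustrative Python, not Episerver or Find code; the `Doc`/`User` types, the `read_roles` ACL field, the two-document index and the function names are all constructed for the illustration). `raw_index_search` stands in for the open REST endpoint, which runs whatever query it is handed; a visitor filter that the browser attaches before calling it (the JS API pattern) can simply be left off. `server_search` is the only surface a client should reach: it takes the caller's identity from the server side, always ANDs the visitor filter in, and lets the client add filters but never remove that one.

```python
"""Constructed model of an index behind an open query endpoint versus a
server-side search that enforces the access filter. Not Episerver code."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Set

Predicate = Callable[["Doc"], bool]


@dataclass(frozen=True)
class Doc:
    id: str
    title: str
    body: str
    read_roles: frozenset  # constructed ACL metadata: roles allowed to read the doc


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


# Constructed index contents: one public document, one restricted one.
INDEX: List[Doc] = [
    Doc("1", "Public pricing", "list prices for everyone", frozenset({"Everyone"})),
    Doc("2", "Board minutes", "confidential merger plans", frozenset({"Executives"})),
]


def raw_index_search(text: str, filters: Iterable[Predicate] = ()) -> List[Doc]:
    """Models the open REST endpoint: it has no idea who is asking and applies
    only the filters the *caller* chose to send. Anyone who can reach it can
    call it with filters=() and see every indexed document and its metadata."""
    needle = text.lower()
    return [
        d for d in INDEX
        if needle in f"{d.title} {d.body}".lower() and all(f(d) for f in filters)
    ]


def visitor_filter(user: User) -> Predicate:
    """Same idea as FilterForVisitor: keep only documents the user may read."""
    return lambda d: bool(d.read_roles & user.roles)


def server_search(user: User, text: str,
                  client_filters: Iterable[Predicate] = ()) -> List[Doc]:
    """The only search surface exposed to browsers. `user` comes from the
    server-side session, not from the request body, and the visitor filter is
    prepended unconditionally; client-supplied filters can only narrow further."""
    mandatory: List[Predicate] = [visitor_filter(user)]
    return raw_index_search(text, mandatory + list(client_filters))


def leaked_ids(user: User, results: Iterable[Doc]) -> Set[str]:
    """Audit helper: ids in `results` that `user` is not entitled to read."""
    return {d.id for d in results if not (d.read_roles & user.roles)}


if __name__ == "__main__":
    anon = User("anonymous", frozenset({"Everyone"}))
    # Open endpoint, no filter attached: restricted metadata comes back.
    print("raw:", [d.title for d in raw_index_search("merger")])
    # Server-enforced search for the same anonymous user: nothing comes back.
    print("server:", [d.title for d in server_search(anon, "merger")])
```

The `leaked_ids` helper is the check worth wiring into a test suite: run each public search surface as a low-privilege user and assert the set is empty. In this model it is empty for `server_search` and non-empty for the raw endpoint, which is exactly the gap the thread is about; the fix is to keep the index endpoint unreachable from clients (network restriction, as the managed-services suggestion above) and route all client queries through the server-side search.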