lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Apache Solr

Apache Software Foundationdatabase5 credentials

Credentials5 documented
01

Unauthenticated Solr API/Admin Access

apache-solr / unauthenticated-default

Solr does not require HTTP authentication until an authentication plugin is configured through security.json or equivalent deployment configuration. Without auth, Admin UI and query/update APIs may be reachable to anyone with network access.

no authsecretusername/password

Unauthenticated access

open default
no authentication required
username
none
password
none

Location

public interface
Solr Admin UI and HTTP APIs, commonly :8983/solr

Admin, collections, config, query, and update endpoints when no auth plugin is active

config file
security.json

absence of authentication plugin or blockUnknown/user configuration means no Solr HTTP auth enforcement

database

ZooKeeper-stored security.json for SolrCloud clusters

logs

Solr startup and security plugin logs indicating whether authentication is configured

Notes

This represents absence of Solr HTTP authentication, not a blank username/password. Exposure depends on security.json, SolrCloud ZooKeeper state, reverse proxies, network controls, and collection/update permissions.

02

Solr Basic Authentication User Password

apache-solr / basic-auth-user-password

Solr can enable the BasicAuthPlugin or other authentication plugins in security.json. Users and password hashes protect the Admin UI, Collections API, and query/update APIs.

user definedgenerated on installsecretusername/password

Location

public interface
Solr Admin UI, Collections API, query/update handlers, and V2 APIs
config file
security.json

authentication plugin, users, password hashes, blockUnknown, and authorization config

database

ZooKeeper security.json storage for SolrCloud clusters

secret store

Kubernetes Secrets, Solr Operator secrets, and password vaults

logs

Solr request logs, security audit logs, and client traces

03

JWT / Bearer Token Credential

apache-solr / bearer-jwt-and-api-token

Solr can use JWT/OIDC or plugin-based bearer tokens for API access. Clients present tokens to query and update collections.

generated on installuser definedsecrettoken

Location

http header
Authorization

Basic or Bearer/JWT token for Solr API requests

config file

security.json, OIDC/JWT plugin configuration, client configs, and .env files

environment
SOLR_AUTH_TYPE, SOLR_AUTHENTICATION_OPTS, SOLR_TOKEN
secret store

CI/CD variables, Kubernetes Secrets, and identity-provider client stores

logs

HTTP traces and auth plugin debug logs

04

ZooKeeper Digest / Kerberos JAAS Secret

apache-solr / zk-digest-and-jaas-secret

SolrCloud deployments commonly protect ZooKeeper with digest auth, SASL/Kerberos, JAAS files, and ZK ACL credentials.

user definedgenerated on installsecretsecret value

Location

config file
solr.in.sh, jaas.conf, zoo.cfg

ZooKeeper digest credentials, JAAS login modules, and Solr ZK auth settings

environment
SOLR_ZK_CREDS_AND_ACLS, SOLR_JAAS_FILE
secret store

Kubernetes Secrets, keytabs, and deployment vaults

logs

ZooKeeper ACL/auth logs and SolrCloud startup logs

05

TLS Keystore / Private Key

apache-solr / tls-private-key-and-keystore

Solr can secure HTTP and internode traffic with TLS keystores, truststores, and private keys.

generated on installuser definedsecretkey pair

Looks like

pattern
pattern

private key material for Solr HTTP or internode TLS

-----BEGIN (RSA |EC |ENCRYPTED |)PRIVATE KEY-----

Location

config file
solr.in.sh, solr-ssl.keystore.p12, solr-ssl.keystore.jks

SSL key/trust store paths and passwords

environment
SOLR_SSL_KEY_STORE_PASSWORD, SOLR_SSL_TRUST_STORE_PASSWORD
secret store

Kubernetes Secrets, Java keystores, and certificate vaults

artifact

cluster backups and support bundles

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.