Ok, I think we are arguing on different points.
If I am not mistaken, one of your key points is that once a user has gained access to the data service, they have complete control of anyone's data.
And that by going through a service, if they gain direct access to that, they are limited to only their account, and limited further because the service would expect certain commands and have fail-safes to prevent paying -1000 and gaining a super structure 10 levels higher than they should have access too.
- I understand this. I see how dumb the idea of trusting that no one will ever somehow break the SSL/credentials needed. I had trusted that credentials over SSL was actually a bit more secure. And just for the risk I'll step away from this practice.
But this leads me to the item I thought we were arguing about: SSL with credential not actually being secure, that it can be hijacked and apparently with ease. I don't understand how credentials sent over SSL is not secure? If I were connecting to a web service, or some other server type, I would probably use SSL with credentials as well. I would appreciate it If you can post a link to an article that shows the fault there, along with what I should be doing instead. (to add a point of clarification, this is client to server credentials, not user login credentials) (of course in the confusion with the Database vs service access, perhaps you weren't touching the SSL/credentials issue at all?)
Finally, I come to Solr, which I can tell we both had mistakes on. First, Solr is not part of Lucene, but an addon, which is downloaded separately. And more importantly in my case, Cloudant does not use it. My mistake was my comment of C# to Java. When I first skimmed it, it was talking about downloading the java for it, I had presumed it was a client based tool. It would appear that based on this new insight to Solr, that I would require it to get the server-side non-key searches to work, but I just don't have that option where I am at.
Presuming that Solr was an option, my original question, is "what is the protocol". Post/Get is not the protocol. I would presume it would be something like GET="http://server/db/?PlayerId=testUser" to return all docs where it has a field called PlayerId with the value of testUser. This is the protocol information I'm missing, and will still need to know if I shift to a different data provider with Lucene w/Solr.