Search code examples
tomcatsolrtomcat7security-constraint

How to secure Solr to allow SELECT request to only users and disallow anything else?

This is what I have done so far to secure my SOLR application.

In SOLR's web.xml file I'm trying to do the following

  • Allow /select request to only user or admin requests.
  • Disallow every other request to SOLR other then admin.

I've added security constraints to SOLR's web.xml file

<security-constraint> 
    <web-resource-collection> 
        <web-resource-name>Solr Admin</web-resource-name> 
        <url-pattern>/*</url-pattern> 
    </web-resource-collection>
    <auth-constraint> 
        <role-name>admin</role-name> 
    </auth-constraint>
</security-constraint> 
<security-constraint> 
    <web-resource-collection> 
        <web-resource-name>Public</web-resource-name> 
        <url-pattern>/primary/select/*</url-pattern> 
        <url-pattern>/reindex/select/*</url-pattern> 
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

This is how I'm instantiating SOLR HTTP connection in my client application

//primary core
HttpSolrServer primaryindex = new HttpSolrServer(serverUrl + "/" + PRIMARYINDEX);
    HttpClientUtil.setBasicAuth((DefaultHttpClient) primaryindex.getHttpClient(), "user", "user");

//reindex core
HttpSolrServer reindex = new HttpSolrServer(serverUrl + "/" + REINDEX);
    HttpClientUtil.setBasicAuth((DefaultHttpClient) reindex.getHttpClient(), "user", "user");

tomcat-users.xml file has the roles and users set as following

<role rolename="user"/>
<user username="user" password="user" roles="user"/>
<user password="admin" roles="manager-script,admin" username="admin"/>

The above is working perfect. Obviously in production I will have more stronger username and password.

Question

Is there anything else I need to secure my SOLR instances or will the above is enough ? I've got 1 instance of Tomcat 7 which runs the Client application and SOLR application. This is what I'm trying to achieve.

  • Don't want to allow anyone to log into admin without a username and password
  • Don't want anyone to access core's other then my client application

I can add Spring security to SOLR on top of the above but is that necessary ?

Solution

  • I didn't know that /admin was the context for SOLR admin because /admin does not really show up in the URL. But adding security-contraints for /admin in web.xml secured the admin application.

    <security-constraint> 
    <web-resource-collection> 
        <web-resource-name>Admin</web-resource-name> 
        <url-pattern>/admin/*</url-pattern> 
        <url-pattern>/admin.html</url-pattern> 
    </web-resource-collection>
    <auth-constraint> 
        <role-name>admin</role-name> 
    </auth-constraint>
</security-constraint> 

<security-constraint>
    <!-- This one is necessary to show the image on the Solr start page -->
    <web-resource-collection>
        <web-resource-name>Admin images</web-resource-name>
        <url-pattern>*.png</url-pattern>
    </web-resource-collection>
    <auth-contraint>
        <role-name>admin</role-name>
    </auth-contraint>
</security-constraint>

<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>admin</realm-name>
</login-config>