The recommendation is to firewall off Solr so only your application server can access it. Solr is not at all designed for direct client (browser, etc) access.
Assuming you lock down update properly, what's the problem? We are currently using select directly through the XSLTResponseWriter right into a <div> via Ajax.Updater. Do you predict pain?
