Solr isn't normally concerned with "Security" related issues...

    http://wiki.apache.org/solr/SolrSecurity
   "It is strongly recommended that the application server containing Solr
    be firewalled such that the only clients with access to Solr are your own.
    A default/example installation of Solr allows any client with access
    to it to add, update, and delete documents"

However: Recent conversations about Cross-Site Scripting (XSS) have made me realize that even if a Solr instance is protected by good firewalls so that "bad guys" have no direct access, that instance may be at risk to potential "Cross-Site Request Forgery" (CSRF) based attacks if the following are all true:
  1) Some number of "good guys" have direct access to that Solr
     instance from their web browsers.
  2) A "bad guy" knows/guesses the host:port/path of the Solr
     instance (even though they can not access it directly).
  3) The bad guy can trick one of the good guys into clicking a
     maliciously crafted URL, or loading a webpage that contains
     malicious javascript.

This is because Solr's most basic behavior is to receive updates and deletes via HTTP. If you have a firewall or other security measure restricting Solr's /update handler so it only accepts connections from approved hosts/clients, but *you* are approved, then you could inadvertently be tricked into loading a web page that initiates an HTTP connection to Solr on your behalf.

It's important to keep this in mind when thinking about what it means to "secure" an instance of Solr (if you have not already).

A basic technique that can be used to mitigate the risk of a possible CSRF attack like this is to configure your Servlet Container so that access to paths which can modify the index (i.e. /update, /update/csv, etc.) is restricted either to specific client IPs, or using HTTP Authentication.


Users with tips/suggestions for securing Solr using various Servlet Container features are encouraged to add those tips to the corresponding wiki pages...

 http://wiki.apache.org/solr/SolrTomcat
 http://wiki.apache.org/solr/SolrJetty
 http://wiki.apache.org/solr/SolrResin
 http://wiki.apache.org/solr/SolrJBoss

And of course: if people have general security tips for Solr, please add them to the wiki as well...

 http://wiki.apache.org/solr/SolrSecurity

See Also: http://en.wikipedia.org/wiki/Cross-site_request_forgery


-Hoss
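As an added illustration of the mitigation described in the post (this is example configuration written for this page, not part of the original message or the Solr project), the fragment below uses the standard servlet-spec `<security-constraint>` mechanism to require HTTP BASIC authentication for the index-modifying handlers while leaving /select and other read-only paths open. It assumes a Tomcat deployment where the Solr webapp's WEB-INF/web.xml is editable and where the container realm (e.g. conf/tomcat-users.xml on Tomcat) defines a user in the hypothetical role `solr-updater`; the role name, realm name and url-patterns are assumptions chosen for the example.

```xml
<!-- Added example, not from the original post or from Solr itself.
     Drop these elements into the Solr webapp's WEB-INF/web.xml
     (inside the existing <web-app> element). -->

<!-- Protect every handler that can modify the index. Note that the
     servlet-spec path pattern /update/* also matches /update itself,
     so /update, /update/csv, /update/xml, ... are all covered. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Solr index-modifying handlers</web-resource-name>
    <url-pattern>/update/*</url-pattern>
    <!-- No <http-method> elements: the constraint applies to GET as
         well as POST, so a crafted GET URL is covered too. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Hypothetical role name; map it to a user in the container
         realm (e.g. conf/tomcat-users.xml on Tomcat). -->
    <role-name>solr-updater</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Require HTTPS so the BASIC credentials are not sent in clear. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Solr update access</realm-name>
</login-config>

<security-role>
  <role-name>solr-updater</role-name>
</security-role>
```

Two caveats worth keeping in mind when relying on this. First, browsers cache BASIC credentials for a realm and resend them automatically on every subsequent request to that realm, so a "good guy" who has recently authenticated to /update from a browser is still exposed to the CSRF scenario above for as long as that browser session lives; the protection is strongest when the credentials are only ever used by non-browser indexing clients (scripts, SolrJ, etc.). Second, if your install also exposes other index-modifying paths beyond /update (for example handlers registered under a different name in solrconfig.xml), each needs its own `<url-pattern>` in the constraint, since anything not matched stays unauthenticated.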
