Instead of hitting the Solr server directly from the client, I think I would go through your application server, which would have access to all the users' data and can forward that to the Solr server, thereby hiding it from the client.
Mike

-----Original Message-----
From: Anupam Bhattacharya [mailto:anupam...@gmail.com]
Sent: Thursday, May 10, 2012 9:53 PM
To: solr-user@lucene.apache.org
Subject: SOLR Security

I am using the Ajax-Solr framework for creating a search interface. The search interface works well. In my case, the results have document-level security, so indexing records with their authorized users helps me to filter results per user based on the authentication of the user.

The problem is that I always have to pass a parameter to the SOLR server with userid={xyz}, which one can figure out from the SOLR URL (Ajax call URL) using the Firebug tool in the Net Console on Firefox, and can change this parameter value to see others' records which he/she is not authorized for. Basically it is a Cross Site Scripting issue.

I have read about some approaches for Solr security like Nginx with Jetty and .htaccess-based security. Overall, what I understand from this is that we can restrict users from doing update/delete operations on SOLR, and we can also restrict the SOLR admin interface to certain IPs. But how can I restrict the {solr-server}/solr/select based results from access by different user ids?
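
The approach suggested in the reply at the top of this thread, as an added example (not code from the thread, Solr or Ajax-Solr): the application server rebuilds the query it forwards to Solr, discarding any client-supplied `userid` and adding a filter taken from the authenticated session. The field name `authorized_users`, the parameter allowlist and `MAX_ROWS` are assumptions.

```javascript
// Added example. ACL_FIELD, ALLOWED_PARAMS and MAX_ROWS are assumptions,
// not names from the thread, Solr or Ajax-Solr.
const ACL_FIELD = "authorized_users"; // hypothetical multi-valued field of user ids
const ALLOWED_PARAMS = new Set(["q", "fq", "start", "rows", "sort", "fl", "facet", "facet.field"]);
const MAX_ROWS = 100;

// Quote a value as a Solr phrase so it cannot break out of the filter clause.
function quoteSolrTerm(value) {
  return '"' + String(value).replace(/(["\\])/g, "\\$1") + '"';
}

// clientQuery: raw query string from the browser (untrusted).
// sessionUserId: id from the authenticated server-side session, never from the request.
function buildSolrQuery(clientQuery, sessionUserId) {
  if (typeof sessionUserId !== "string" || sessionUserId.length === 0) {
    throw new Error("no authenticated user");
  }
  const outgoing = new URLSearchParams();
  for (const [name, value] of new URLSearchParams(clientQuery)) {
    // Anything not listed (userid, qt, shards, wt, ...) is dropped.
    if (!ALLOWED_PARAMS.has(name)) continue;
    if (name === "rows") {
      const n = Number.parseInt(value, 10);
      outgoing.set("rows", String(Number.isInteger(n) && n >= 0 ? Math.min(n, MAX_ROWS) : 10));
    } else {
      outgoing.append(name, value);
    }
  }
  if (!outgoing.has("q")) outgoing.set("q", "*:*");
  outgoing.set("wt", "json");
  // Client fq values stay: Solr intersects every fq, so they can only narrow
  // the result set that the server-side filter below allows.
  outgoing.append("fq", ACL_FIELD + ":" + quoteSolrTerm(sessionUserId));
  return outgoing.toString();
}
```

The application server sends the returned query string to {solr-server}/solr/select itself, so the browser only ever talks to the application server.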