Yes, I agree with you.

But Ajax-SOLR Framework doesn't fit in that manner. Any alternative
solution?

Anupam

On Fri, May 11, 2012 at 9:41 AM, Klostermeyer, Michael <
mklosterme...@riskexchange.com> wrote:

> Instead of hitting the Solr server directly from the client, I think I
> would go through your application server, which would have access to all
> the user's data and can forward that to the Solr server, thereby hiding it
> from the client.
>
> Mike
>
>
> -----Original Message-----
> From: Anupam Bhattacharya [mailto:anupam...@gmail.com]
> Sent: Thursday, May 10, 2012 9:53 PM
> To: solr-user@lucene.apache.org
> Subject: SOLR Security
>
> I am using Ajax-Solr Framework for creating a search interface. The search
> interface works well.
> In my case, the results have document level security, so even indexing
> records with their authorized users helps me to filter results per user
> based on the authentication of the user.
>
> The problem is that I always have to pass a parameter to the SOLR Server
> with userid={xyz}, which one can figure out from the SOLR URL (ajax call url)
> using the Firebug tool in the Net Console on Firefox and can change this
> parameter value to see others' records which he/she is not authorized to see.
> Basically it is a Cross Site Scripting issue.
>
> I have read about some approaches for Solr Security like Nginx with Jetty
> & .htaccess based security. Overall what I understand from this is that we
> can restrict users to do update/delete operations on SOLR as well as we can
> restrict the SOLR admin interface to certain IPs also. But how can I
> restrict the {solr-server}/solr/select based results from access by
> different user IDs?
>
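
The application-server approach suggested in the thread, sketched as an added example (not part of the original messages and not Ajax-Solr code): the proxy ignores any client-supplied userid, forwards only allow-listed parameters, and appends the per-user filter itself from the authenticated session. The field name `authorized_users`, the allow-list and the function name are assumptions.

```javascript
// Added example: build the query the application server sends to Solr.
// ACL_FIELD is an assumed multi-valued field holding the ids allowed to see a document.
const ACL_FIELD = 'authorized_users';
const MAX_ROWS = 100;

// Only parameters the search UI needs are forwarded; everything else
// (userid, qt, shards, stream.*, wt, ...) is dropped.
const ALLOWED = new Set(['q', 'fq', 'start', 'rows', 'sort', 'fl',
  'facet', 'facet.field', 'facet.limit', 'facet.mincount']);

function buildSolrQuery(clientQueryString, sessionUserId) {
  // The user id comes from the server-side session, never from the request.
  if (typeof sessionUserId !== 'string' || sessionUserId.length === 0) {
    throw new Error('no authenticated user');
  }
  const incoming = new URLSearchParams(clientQueryString);
  const outgoing = new URLSearchParams();

  for (const [name, value] of incoming) {
    if (!ALLOWED.has(name)) continue;
    if (name === 'rows') {
      // Cap page size so one request cannot dump the whole index.
      const n = Number.parseInt(value, 10);
      const rows = Number.isFinite(n) ? Math.min(Math.max(n, 0), MAX_ROWS) : 10;
      outgoing.set('rows', String(rows));
      continue;
    }
    outgoing.append(name, value);
  }
  if (!outgoing.has('q')) outgoing.set('q', '*:*');

  // Solr intersects all fq filters, so client-supplied fq values can only
  // narrow the result set; this untagged filter always applies. The term
  // query parser takes the value literally, so no query escaping is needed.
  outgoing.append('fq', `{!term f=${ACL_FIELD}}${sessionUserId}`);
  outgoing.set('wt', 'json');
  return outgoing.toString();
}

// Constructed sample request: a tampered userid and an oversized rows value.
const sample = 'q=report&userid=bob&rows=100000&qt=/update&fq=type:pdf';
console.log(decodeURIComponent(buildSolrQuery(sample, 'alice')));
```

With this in place the Solr port is reachable only from the application server, and the browser-side search code points at the proxy URL instead of {solr-server}/solr/select.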
