Hi,

There is nothing stopping you from pointing Ajax-SOLR to a URL on your app-server, which acts as a security insulation layer between the Solr backend and the world. In this (thin) layer you can analyze the input and choose carefully what to let through and not.
--
Jan Høydahl, search solution architect
Cominvent AS - www.facebook.com/Cominvent
Solr Training - www.solrtraining.com

On 11. mai 2012, at 06:37, Anupam Bhattacharya wrote:

> Yes, I agree with you.
>
> But Ajax-SOLR Framework doesn't fit in that manner. Any alternative
> solution?
>
> Anupam
>
> On Fri, May 11, 2012 at 9:41 AM, Klostermeyer, Michael <
> mklosterme...@riskexchange.com> wrote:
>
>> Instead of hitting the Solr server directly from the client, I think I
>> would go through your application server, which would have access to all
>> the users' data and can forward that to the Solr server, thereby hiding it
>> from the client.
>>
>> Mike
>>
>>
>> -----Original Message-----
>> From: Anupam Bhattacharya [mailto:anupam...@gmail.com]
>> Sent: Thursday, May 10, 2012 9:53 PM
>> To: solr-user@lucene.apache.org
>> Subject: SOLR Security
>>
>> I am using Ajax-Solr Framework for creating a search interface. The search
>> interface works well.
>> In my case, the results have document level security, so even indexing
>> records with their authorized users helps me to filter results per user
>> based on the authentication of the user.
>>
>> The problem is that I have to always pass a parameter to the SOLR Server
>> with userid={xyz}, which one can figure out from the SOLR URL (ajax call url)
>> using the Firebug tool in the Net Console on Firefox and can change this
>> parameter value to see other records which he/she is not authorized to see.
>> Basically it is a Cross Site Scripting Issue.
>>
>> I have read about some approaches for Solr Security like Nginx with Jetty
>> & .htaccess based security. Overall what I understand from this is that we
>> can restrict users from doing update/delete operations on SOLR, as well as we can
>> restrict the SOLR admin interface to certain IPs also. But how can I
>> restrict the {solr-server}/solr/select based results from access by
>> different user ids?
>>
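The insulation layer Jan describes, written out as an added example that is not code from this thread, from Ajax-Solr or from Solr: the browser calls this endpoint instead of /solr/select, the server drops any client-supplied userid, forwards only an allowlisted set of parameters, and appends the authorization filter from its own session. The allowlist, the field name `userid`, the row cap and the session lookup are assumptions.

```python
# Added example: a minimal "insulation layer" between Ajax-Solr and Solr.
# The user id is taken from the server-side session, never from the request,
# so changing userid=... in the browser has no effect on what Solr returns.
from urllib.parse import parse_qs, urlencode

# Client-controlled parameters that are forwarded; everything else, including
# any client-supplied userid, is dropped. Assumed list, adjust to your schema.
ALLOWED_PARAMS = {"q", "fq", "start", "rows", "sort", "facet",
                  "facet.field", "facet.limit", "wt"}
MAX_ROWS = 100  # assumed cap so a client cannot request the whole index
# Solr query-syntax characters that must be escaped inside a literal term.
SOLR_SPECIAL = set('+-&|!(){}[]^"~*?:\\/ ')


def escape_solr_term(value: str) -> str:
    """Backslash-escape a value so Solr matches it literally in an fq clause."""
    return "".join("\\" + ch if ch in SOLR_SPECIAL else ch for ch in value)


def build_upstream_params(client_query: str, session_user_id: str) -> list:
    """Return the (key, value) pairs to send to Solr for this request.

    client_query: raw query string sent by Ajax-Solr (untrusted).
    session_user_id: the authenticated user, read from the server session.
    """
    if not session_user_id:
        raise PermissionError("unauthenticated request to search proxy")
    incoming = parse_qs(client_query, keep_blank_values=True)
    params = []
    for key, values in incoming.items():
        if key not in ALLOWED_PARAMS:
            continue  # silently drop userid=... and any unknown parameter
        for value in values:
            if key == "rows":
                value = str(min(int(value) if value.isdigit() else 10, MAX_ROWS))
            params.append((key, value))
    # Extra client fq values only narrow results (fq clauses are ANDed);
    # the access-control filter Solr sees is always the one added here.
    params.append(("fq", "userid:" + escape_solr_term(session_user_id)))
    return params


def build_upstream_url(solr_select_url: str, client_query: str,
                       session_user_id: str) -> str:
    """Full Solr URL the proxy fetches on the client's behalf (no network here)."""
    return solr_select_url + "?" + urlencode(
        build_upstream_params(client_query, session_user_id))
```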