In fact, there's a sample proxy.php on the ajax-solr web page which can easily be modified into a security layer. My Solr servers only listen to requests issued by a narrow list of systems, and everything gets routed through a modified copy of the proxy.php file, which checks whether the user is logged in, and adds terms to the query to limit returned results to those the user is permitted to see.
-----Original Message-----
From: Jan Høydahl [mailto:j...@hoydahl.no]
Sent: Fri 5/11/2012 9:45 AM
To: solr-user@lucene.apache.org
Subject: Re: SOLR Security

Hi,

There is nothing stopping you from pointing Ajax-SOLR to a URL on your app-server, which acts as a security insulation layer between the Solr backend and the world. In this (thin) layer you can analyze the input and choose carefully what to let through and not.

--
Jan Høydahl, search solution architect
Cominvent AS - www.facebook.com/Cominvent
Solr Training - www.solrtraining.com

On 11 May 2012, at 06:37, Anupam Bhattacharya wrote:

> Yes, I agree with you.
>
> But Ajax-SOLR Framework doesn't fit in that manner. Any alternative
> solution?
>
> Anupam
>
> On Fri, May 11, 2012 at 9:41 AM, Klostermeyer, Michael <
> mklosterme...@riskexchange.com> wrote:
>
>> Instead of hitting the Solr server directly from the client, I think I
>> would go through your application server, which would have access to all
>> the user's data and can forward that to the Solr server, thereby hiding it
>> from the client.
>>
>> Mike
>>
>>
>> -----Original Message-----
>> From: Anupam Bhattacharya [mailto:anupam...@gmail.com]
>> Sent: Thursday, May 10, 2012 9:53 PM
>> To: solr-user@lucene.apache.org
>> Subject: SOLR Security
>>
>> I am using Ajax-Solr Framework for creating a search interface. The search
>> interface works well.
>> In my case, the results have document level security, so even indexing
>> records with their authorized users helps me to filter results per user
>> based on the authentication of the user.
>>
>> The problem is that I always have to pass a parameter to the SOLR Server
>> with userid={xyz}, which one can figure out from the SOLR URL (ajax call url)
>> using the Firebug tool in the Net Console on Firefox and can change this
>> parameter value to see others' records which he/she is not authorized to see.
>> Basically it is a Cross Site Scripting Issue.
>>
>> I have read about some approaches for Solr Security like Nginx with Jetty
>> & .htaccess based security. Overall what I understand from this is that we
>> can restrict users from doing update/delete operations on SOLR, as well as we can
>> restrict the SOLR admin interface to certain IPs. But how can I
>> restrict the {solr-server}/solr/select based results from access by
>> different user ids?
>>
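As an added example (not the ajax-solr project's proxy.php and not code from anyone in this thread), here is the gate such a modified proxy enforces, written in Python so the logic can be run and checked on its own. The client-supplied userid and any fq it sends are discarded, only a whitelist of parameters is forwarded, rows is clamped, and the restricting filter is built from the server-side session rather than from anything in the request. The per-document ACL field name authorized_users, the session layout, the parameter whitelist and the sample request are assumptions constructed for the example.

```python
# Added example: the server-side gate a modified proxy.php would enforce,
# written in Python (this is not the ajax-solr project's proxy.php).
# Assumptions: the session is a dict holding "user" and optional "groups";
# each document was indexed with an "authorized_users" field listing the
# principals allowed to see it; the parameter whitelist below is illustrative.
import re
from urllib.parse import parse_qs, urlencode

ACL_FIELD = "authorized_users"          # assumed per-document ACL field
MAX_ROWS = 100                          # upper bound on rows the client may request
DEFAULT_ROWS = 10
# Parameters the browser is allowed to influence. Anything else, in
# particular userid and fq, is dropped and never reaches Solr.
ALLOWED_CLIENT_PARAMS = {"q", "start", "rows", "fl", "sort",
                         "facet", "facet.field", "wt", "json.wrf"}

# Characters with special meaning in Solr/Lucene query syntax.
_SOLR_SPECIAL = re.compile(r'([+\-!(){}\[\]^"~*?:\\/ ]|&&|\|\|)')


class Forbidden(Exception):
    """Raised when there is no authenticated user in the session."""


def escape_solr_term(value: str) -> str:
    """Backslash-escape a value so Solr matches it literally instead of parsing it."""
    return _SOLR_SPECIAL.sub(r"\\\1", value)


def clamp_rows(value: str) -> str:
    """Keep the page size within [0, MAX_ROWS]; fall back to the default on garbage."""
    try:
        return str(min(max(int(value), 0), MAX_ROWS))
    except ValueError:
        return str(DEFAULT_ROWS)


def acl_filter(session: dict) -> str:
    """Build the fq that limits results to the caller's own principals."""
    principals = [session["user"]] + list(session.get("groups", []))
    clause = " OR ".join(escape_solr_term(p) for p in principals)
    return f"{ACL_FIELD}:({clause})"


def forwarded_params(client_query: str, session: dict) -> list:
    """Return the (key, value) pairs that will actually be sent to Solr."""
    if not session.get("user"):
        raise Forbidden("not logged in")
    outgoing = []
    for key, values in parse_qs(client_query, keep_blank_values=True).items():
        if key not in ALLOWED_CLIENT_PARAMS:
            continue                      # silently drops userid=, fq=, ...
        for v in values:
            outgoing.append((key, clamp_rows(v) if key == "rows" else v))
    # The restricting filter comes from the session, never from the client.
    outgoing.append(("fq", acl_filter(session)))
    return outgoing


def build_backend_query(client_query: str, session: dict) -> str:
    """Query string to send to {solr-server}/solr/select from the proxy."""
    return urlencode(forwarded_params(client_query, session))


if __name__ == "__main__":
    session = {"user": "alice", "groups": ["staff"]}                 # constructed
    tampered = "q=report&userid=999&fq=authorized_users:999&rows=500"  # constructed
    print(build_backend_query(tampered, session))
    # -> q=report&rows=100&fq=authorized_users%3A%28alice+OR+staff%29
```

Because the proxy sits on the app server and the Solr hosts only accept connections from it, the browser never learns the backend URL and cannot reach /solr/select with its own parameters; the same pattern also keeps update and admin handlers off the whitelist entirely.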