Thanks for the suggestions. I tried to use SolrJ within my Servlet, but the SolrJ QueryResponse is not returning a well-formed JSON object. I need the JSON string with quotes as below, but QueryResponse.toString() doesn't return JSON with quotes at all.

jsonp1337064466204({"responseHeader":{"status":0,"QTime":0,"params":{"json.wrf":"jsonp1337064466204","facet":"true","facet.mincount":"1","q":"*:*","facet.limit":"-1","json.nl":"map","facet.field":["title","abstract"],"wt":"json","rows":"0"}},"response":{"numFound":0,"start":0,"docs":[]},"facet_counts":{"facet_queries":{},"facet_fields":{"title":{},"abstract":{}},"facet_dates":{},"facet_ranges":{}}})

Regards
Anupam

On Fri, May 11, 2012 at 7:56 PM, Welty, Richard <rwe...@ltionline.com> wrote:

> In fact, there's a sample proxy.php on the ajax-solr web page which can
> easily be modified into a security layer. My Solr servers only listen to
> requests issued by a narrow list of systems, and everything gets routed
> through a modified copy of the proxy.php file, which checks whether the
> user is logged in, and adds terms to the query to limit returned results to
> those the user is permitted to see.
>
>
> -----Original Message-----
> From: Jan Høydahl [mailto:j...@hoydahl.no]
> Sent: Fri 5/11/2012 9:45 AM
> To: solr-user@lucene.apache.org
> Subject: Re: SOLR Security
>
> Hi,
>
> There is nothing stopping you from pointing Ajax-SOLR to a URL on your
> app-server, which acts as a security insulation layer between the Solr
> backend and the world. In this (thin) layer you can analyze the input and
> choose carefully what to let through and not.
>
> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.facebook.com/Cominvent
> Solr Training - www.solrtraining.com
>
> On 11. May 2012, at 06:37, Anupam Bhattacharya wrote:
>
> > Yes, I agree with you.
> >
> > But Ajax-SOLR Framework doesn't fit in that manner. Any alternative
> > solution?
> >
> > Anupam
> >
> > On Fri, May 11, 2012 at 9:41 AM, Klostermeyer, Michael <
> > mklosterme...@riskexchange.com> wrote:
> >
> >> Instead of hitting the Solr server directly from the client, I think I
> >> would go through your application server, which would have access to all
> >> the users data and can forward that to the Solr server, thereby hiding it
> >> from the client.
> >>
> >> Mike
> >>
> >>
> >> -----Original Message-----
> >> From: Anupam Bhattacharya [mailto:anupam...@gmail.com]
> >> Sent: Thursday, May 10, 2012 9:53 PM
> >> To: solr-user@lucene.apache.org
> >> Subject: SOLR Security
> >>
> >> I am using Ajax-Solr Framework for creating a search interface. The search
> >> interface works well.
> >> In my case, the results have document level security, so even indexing
> >> records with their authorized users helps me to filter results per user
> >> based on the authentication of the user.
> >>
> >> The problem is that I always have to pass a parameter to the SOLR Server
> >> with userid={xyz}, which one can figure out from the SOLR URL (ajax call url)
> >> using the Firebug tool in the Net Console on Firefox, and can change this
> >> parameter value to see others' records which he/she is not authorized to see.
> >> Basically it is a Cross Site Scripting issue.
> >>
> >> I have read about some approaches for Solr Security like Nginx with Jetty
> >> & .htaccess based security. Overall what I understand from this is that we
> >> can restrict users to do update/delete operations on SOLR as well as we can
> >> restrict the SOLR admin interface to certain IPs also. But how can I
> >> restrict the {solr-server}/solr/select based results from access by
> >> different user id's?
> >>
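
The parameter handling of the proxy layer described in this thread, as an added example that is not part of the original messages and is not the proxy.php from the ajax-solr page. The field name `authorized_users`, the parameter allowlist and the row cap are assumptions; the user id is taken from the server-side session, and any `userid` or `fq` sent by the browser is discarded.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Assumptions for this sketch: the ACL field name, allowlist and row cap.
ACL_FIELD = "authorized_users"   # hypothetical field holding permitted user ids
ALLOWED = {"q", "start", "rows", "sort", "facet", "facet.field",
           "facet.limit", "facet.mincount", "json.nl", "json.wrf"}
MAX_ROWS = 100
CALLBACK = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]{0,63}")
DIGITS = re.compile(r"[0-9]{1,9}")


class Forbidden(Exception):
    """Raised when the request must not be forwarded to Solr."""


def quote_term(value):
    """Quote a value as a Solr phrase so it cannot alter the filter syntax."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_solr_params(raw_query, session_user):
    """Return the query string the proxy sends to Solr for this user."""
    if not session_user:
        raise Forbidden("not logged in")
    params = []
    for key, value in parse_qsl(raw_query, keep_blank_values=True):
        if key not in ALLOWED:
            continue  # drops userid, fq, wt and anything else not listed
        if key == "json.wrf" and not CALLBACK.fullmatch(value):
            raise Forbidden("bad JSONP callback name")
        if key in ("rows", "start"):
            if not DIGITS.fullmatch(value):
                raise Forbidden("bad paging value")
            if key == "rows":
                value = str(min(int(value), MAX_ROWS))
        params.append((key, value))
    # Identity comes from the server-side session, never from the request.
    params.append(("fq", ACL_FIELD + ":" + quote_term(session_user)))
    params.append(("wt", "json"))
    return urlencode(params)


# Constructed request: the browser supplies its own userid and fq.
SAMPLE = ("q=*:*&rows=5000&userid=bob&fq=authorized_users:bob"
          "&facet=true&facet.field=title&json.wrf=jsonp1337064466204")

if __name__ == "__main__":
    print(build_solr_params(SAMPLE, "alice"))
```

The proxy can then return Solr's response body to the browser unchanged, since with `wt=json` and `json.wrf` Solr already produces the quoted JSONP text shown at the top of this message.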