Erick,

I think that should be described differently...
You need to set up protected access for some paths.
/update is one of them.
And you could make this protected at the Jetty level or using Apache proxies 
and rewrites.

Probably /select should be kept open, but you need to evaluate whether that can get 
you into DoS attacks if the selects are too big. If that is the case, you're 
left to program an interface all by yourself which limits and fetches from 
Solr, or which lives inside Solr (a query component) and throws if things are 
too big.

paul


On 7 Sept. 2012, at 07:00, Erick Erickson wrote:

> Securing Solr pretty much universally requires that you only allow trusted
> clients to access the machines directly, usually secured with a firewall
> and allowed IP addresses; the admin handler is the least of your worries.
> 
> Consider if you let me ping Solr directly, I can do something really
> annoying like:
> http://localhost:8983/solr/update?stream.body=<delete><query>office:Bridgewater</query></delete>
> 
> Best
> Erick
> 
> On Wed, Sep 5, 2012 at 2:51 AM, Paul Codman <snoozes...@gmail.com> wrote:
>> First time Solr user and I am loving it! I have a standard Solr 4 set up
>> running under Jetty. The instructions in the Wiki do not seem to apply to
>> Solr 4 (e.g. mortbay references / section to uncomment not present in xml
>> file / etc) - could someone please advise on steps required to secure Solr
>> 4 and can someone confirm that security operates in relation to new Admin
>> interface. Thanks in advance.
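
An added example (not part of the original thread, and not Solr's own code): a sketch of the limiting front end Paul describes, which exposes only /select, caps result size and refuses everything else, /update included. The `/solr/select` path, the numeric limits and the blocked parameter list are assumptions to adapt to your deployment.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumed policy values for illustration; tune them to your index and hardware.
ALLOWED_PATHS = {"/solr/select"}   # only the read handler is exposed; /update is not
MAX_ROWS = 100                     # cap on page size
MAX_START = 10_000                 # cap on deep paging
BLOCKED_PARAMS = {"qt", "shards"}  # can send the request to another handler or host
BLOCKED_PREFIXES = ("stream.",)    # stream.body, stream.url, stream.file


class Rejected(Exception):
    """The client request must not be forwarded to Solr."""


def sanitize(client_url: str) -> str:
    """Return the path and query that may be forwarded to Solr, or raise Rejected."""
    parts = urlsplit(client_url)
    # Exact-match allowlist: /solr/update, /solr/admin, and encoded or dotted
    # variants of the path all fail this comparison.
    if parts.path not in ALLOWED_PATHS:
        raise Rejected(f"path not exposed: {parts.path}")
    forwarded = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        key = name.lower()
        if key in BLOCKED_PARAMS or key.startswith(BLOCKED_PREFIXES):
            raise Rejected(f"parameter not allowed: {name}")
        if key in ("rows", "start"):
            # Every occurrence is checked, so a repeated rows= cannot slip past.
            if not (value.isascii() and value.isdigit()):
                raise Rejected(f"{name} must be a non-negative integer")
            if int(value) > (MAX_ROWS if key == "rows" else MAX_START):
                raise Rejected(f"{name} too large: {value}")
        forwarded.append((name, value))
    return parts.path + "?" + urlencode(forwarded)


if __name__ == "__main__":
    # Constructed sample requests.
    for url in ("http://localhost:8983/solr/select?q=solr&rows=10",
                "http://localhost:8983/solr/select?q=solr&rows=1000000",
                "http://localhost:8983/solr/update?commit=true"):
        try:
            print("forward", sanitize(url))
        except Rejected as why:
            print("reject ", why)
```

Such a filter only helps if Solr itself listens on an address the clients cannot reach, so that every request has to pass through the front end.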
