Why not do this in a ServletFilter? Alternatively, I'd just write a front end application servlet to do this so that you don't firewall your internal admins off from accessing the core Solr admin pages. I guess you could solve this using some form of security but I don't know this well enough.
If I were to restrict access to certain parts of Solr, I'd do this outside of Solr itself and do this in a servlet or a filter, inspecting the parameters. It's easy to create a "modifiable" parameters class and populate that with acceptable parameters before the Solr filter operates on it. HTH Amit On Tue, Nov 6, 2012 at 6:46 AM, Lee Carroll <lee.a.carr...@googlemail.com>wrote: > Hi we are extending SearchHandler to provide a custom search request > handler. Basically we've added NamedLists called allowed , whiteList, > maxMinList etc. > > These look like the default, append and invariant namedLists in the > standard search handler config. In handleRequestBody we then remove params > not listed in the allowed named list, white list values as per the white > list and so on. > > The idea is to have a "safe" request handler which the big bad world could > be exposed to. I'm worried. What have we missed that a front end app could > give us ? > > Also removing params in SolrParams is a bit clunky. We are basically > converting SolrParams into NamedList processing a new NamedList from this > and then .setParams(SolrParams.toSolrParams(nlNew)) Is their a better way? > In particular namedLists are not set up for key look ups... > > Anyway basically is having a custom request handler doing the above the way > to go ? > > Cheers >