lucene-dev mailing list archives

From "Matthew Mauriello" <mm578...@albany.edu>
Subject RE: Security Questions on Solr & Tomcat 6
Date Tue, 04 May 2010 16:33:39 GMT
Karl/ALL,

Thanks for the response, my comments are inline below.

> How low-tech do you want to go?

The system does not really have to do much, there might be a total of 12
users and we just want to keep things as simple as possible because the
next people to do any work on the system will just be following the manual
I write and likely won't have much in the way of technical skills.

> For example, you can run solr under an entirely different instance of
> tomcat, listening on a different port.  You can configure (via server.xml)
> the instance to only accept connections from the local machine.  Your
> application, which is happily running on a different port on a different
> tomcat instance, can be thus open and session protected.  Your application
> will have no trouble communicating with SOLR via http if it runs on the
> same physical machine as your SOLR tomcat instance.

Can you explain this localhost restriction thing? If I restrict it to
localhost only would users on the internet still be able to access the
solr instance? Would the application have to make the request and pass
back the results to the external user?

Thanks again,

~Matt

> How low-tech do you want to go?
>
> For example, you can run solr under an entirely different instance of
> tomcat, listening on a different port.  You can configure (via server.xml)
> the instance to only accept connections from the local machine.  Your
> application, which is happily running on a different port on a different
> tomcat instance, can be thus open and session protected.  Your application
> will have no trouble communicating with SOLR via http if it runs on the
> same physical machine as your SOLR tomcat instance.
>
> It's even possible that a single tomcat instance can be configured to
> listen on both (differently configured) ports simultaneously - but that's
> not really good practice anyhow.
>
> If I recall, the place where you restrict what the sources of your allowed
> connections are is the tag in server.xml that describes the port that
> tomcat listens on.  There's an optional "source" attribute, which if "*"
> means everyone, but if "127.0.0.1" means only localhost.
>
> Karl
>
> ________________________________________
> From: ext Matthew Mauriello [mm578679@albany.edu]
> Sent: Monday, May 03, 2010 10:03 PM
> To: dev@lucene.apache.org
> Subject: Security Questions on Solr & Tomcat 6
>
> Hello All,
>
> I am really hoping for a little help on securing my SOLR instance in
> Tomcat 6. I am not really having any luck using BASIC authorization on
> Tomcat as everything seems to shut down with a 404 when I implement it. I
> have looked into the SOLR wiki about securing the application but I can't
> seem to make sense of anything for my situation. The tutorials I have
> found on Google usually result in the 404 error or the server not starting.
>
> Essentially I have a Tomcat 6 server running on Windows in its most basic
> settings. I created a self-signed certificate and set up SSL. In the
> webapps/ROOT web folder I do a redirect to my webapps/SOLR folder. In this
> folder I have all of my web application files and I have considered moving
> non-solr files out of there but I haven't been able to come up with a
> solution yet so I haven't done it but I am thinking it might be required.
>
> In the SOLR folder I am using JavaBridge software so that I can write in
> PHP. So I have jsp pages and php pages running together just fine and I
> went through the solr jsp pages and added session security checks there
> without a problem. I set up the web application so that it communicates
> with MySQL. My application is secured using java session variables.
> Everything works as expected when not using SOLR. The application handles
> user and uploaded document management.
>
> The problem is Solr is not secure, so without logging in a user can browse
> to the solr directory and then execute select, update, admin, etc... I
> would like to be able to have SOLR check session variables before
> processing the request. I looked at creating a custom request handler but
> I could not find a very good example of how that works.
>
> If anyone has any suggestions, tutorials, or general information that
> might help I would be very appreciative.
>
> Thank you for your time,
>
> ~Matt Mauriello
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
> For additional commands, e-mail: dev-help@lucene.apache.org
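
The localhost-only setup discussed in this thread, as an added configuration example that is not part of the original messages: in Tomcat's HTTP `Connector` the attribute that selects the listening interface is `address`, and a `RemoteAddrValve` can back it up at the request level. The port numbers, the `SolrInternal` names and the separate-instance layout are assumptions for illustration.

```xml
<!-- Added example: conf/server.xml for a separate, Solr-only Tomcat instance.
     Ports 8006/8983 and the name "SolrInternal" are assumed values. -->
<Server port="8006" shutdown="SHUTDOWN">
  <Service name="SolrInternal">

    <!-- Weak setting (shown for comparison, left commented out):
         with no address attribute the connector listens on every
         interface, so /solr/select, /solr/update and /solr/admin are
         reachable by any client that can reach the host.
    <Connector port="8983" protocol="HTTP/1.1" connectionTimeout="20000" />
    -->

    <!-- Corrected setting: bind the listener to loopback only.
         Remote clients cannot open a connection to this port at all. -->
    <Connector port="8983" protocol="HTTP/1.1"
               address="127.0.0.1"
               connectionTimeout="20000" />

    <Engine name="SolrInternal" defaultHost="localhost">
      <!-- Second layer: refuse any request whose source address is not
           loopback, in case the connector is later rebound by mistake.
           Tomcat 6 reads "allow" as regular expressions, hence the
           escaped dots. -->
      <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             allow="127\.0\.0\.1" />

      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="false" />
    </Engine>
  </Service>
</Server>
```

With this binding, only processes on the same machine can query Solr, so the session-protected application on the public connector has to issue the Solr request itself (for example to `http://127.0.0.1:8983/solr/select`) and return the results to the logged-in user.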