lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <>
Subject RE: Security Questions on Solr & Tomcat 6
Date Tue, 04 May 2010 09:57:57 GMT
How low-tech do you want to go?

For example, you can run solr under an entirely different instance of tomcat, listening on
a different port.  You can configure (via server.xml) the instance to only accept connections
from the local machine.  Your application, which is happily running on a different port on
a different tomcat instance, can be thus open and session protected.  Your application will
have no trouble communicating with SOLR via http if it runs on the same physical machine as
your SOLR tomcat instance.

It's even possible that a single tomcat instance can be configured to listen on both (differently
configured) ports simultaneously - but that's not really good practice anyhow.

If I recall, the place where you restrict what the sources of your allowed connections are
is the tag in server.xml that describes the port that tomcat listens on.  There's an optional
"source" attribute, which if "*" means everyone, but if "" means only localhost.


From: ext Matthew Mauriello []
Sent: Monday, May 03, 2010 10:03 PM
Subject: Security Questions on Solr & Tomcat 6

Hello All,

I am really hoping for a little help on securing my SOLR instance in
Tomcat 6. I am not really having any luck using BASIC authorization on
Tomcat as everything seems to shut down with a 404 when I implement it. I
have looked into the SOLR wiki about securing the application but I can't
seem to make sense of anything for my situation. The tutorials I have
found on Google usual result in the 404 error or the server not starting.

Essentially I have a Tomcat 6 server running on Windows in its most basic
settings. I created a self signed certificate and setup SSL. In the
webapps/ROOT web folder I do a redirect to my webapps/SOLR folder. In this
folder I have all of my web application files and I have considered moving
non-solr files out of there but I haven't been able to come up with a
solution yet so I haven't done it but I am thinking it might be required.

In the SOLR folder I am using JavaBridge software so that I can write in
PHP. So I have jsp pages and php pages running together just fine and I
went through the solr jsp pages and added session security checks there
without a problem. I setup the web application so that it communicates
with MySQL. My application is secured using java session variables.
Everything work as expected when not using SOLR. The application handles
user and uploaded document management.

The problem is Solr is not secure, so without logging in a user can browse
to the solr directory and then execute select, update, admin, etc... I
would like to be able to have SOLR check session variables before
processing the request. I looked at creating a custom request handler but
I could not find a very good example of how that works.

If anyone has any suggestions, tutorials, or general information that
might help I would be very appreciative.

Thank you for your time,

~Matt Mauriello

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message