lucene-solr-user mailing list archives

From Chris Hostetter <>
Subject Re: form handling and query syntax
Date Thu, 25 Jan 2007 23:03:24 GMT

: 2) Submit to a different servlet of my own design, which interprets the
: form input, forms the Lucene query string, adds it to a SOLR request
: URL, gets the output of the REST response and does something with it,
: probably doing an XSLT transformation.  This method resembles how my old
: app works, and while it's certainly possible, it requires maintaining a
: separate servlet, and it represents the kind of complexity I'm trying to
: get away from.

#2 is the method i would normally recommend for most people.  Solr makes
no attempt at being a "secure" service -- if you let users in the wild
talk to your Solr server directly you run the risk that they may attempt
to do things you don't want them to do.  Solr has no idea what kinds of
things you want to allow, only you do: putting an application in front of
your Solr instance that knows what you want to allow/disallow is how you
enforce your wishes.

See also this comment i made regarding a similar question...

: 3) Write a custom class which extends SolrRequestHandler.  Basically,
: this handler is going to compare the request parameters to the fields
: specified in the schema.xml document, and where the name of a form input
: and a field name match, form the query from those request parameters. It
: seems like the most elegant solution, and while I'll have to write
: custom code, most of the complexity will be farmed out to SOLR.

this is a perfectly valid approach, and something i've done quite a bit at
work -- but there i'm providing a web-service-ish API to *trusted* clients
... not to end users.
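
The front-end approach recommended above (option 2), as an added example that is not part of the original message: a small Python function that accepts only allowlisted form inputs, escapes Lucene query syntax in their values, and builds the Solr request URL itself. The field names, the endpoint URL and the row cap are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlencode

# Assumed mapping: form input name -> Solr field the front end agrees to query.
ALLOWED_FIELDS = {"title": "title", "author": "author", "year": "year"}
# Assumed endpoint, reachable only from the front-end application.
SOLR_SELECT_URL = "http://localhost:8983/solr/select"
MAX_ROWS = 50          # assumed upper bound on results per request
MAX_VALUE_LEN = 200    # assumed upper bound on a single form value

# Characters that carry meaning in Lucene query syntax.
_LUCENE_SPECIAL = re.compile(r'([+\-!(){}\[\]^"~*?:\\/&|])')


def escape_term(value):
    """Backslash-escape every Lucene query-syntax character in a user value."""
    return _LUCENE_SPECIAL.sub(r"\\\1", value)


def build_solr_url(form):
    """Return a Solr select URL built only from allowlisted form inputs."""
    clauses = []
    for input_name, field in ALLOWED_FIELDS.items():
        value = str(form.get(input_name, "")).strip()[:MAX_VALUE_LEN]
        if value:
            # Quoting as a phrase keeps AND/OR/NOT in the value from acting
            # as operators; escaping keeps the value inside the quotes.
            clauses.append('%s:"%s"' % (field, escape_term(value)))
    if not clauses:
        raise ValueError("no searchable input supplied")
    try:
        rows = int(form.get("rows", 10))
    except (TypeError, ValueError):
        rows = 10
    rows = max(1, min(rows, MAX_ROWS))
    # Only parameters named here ever reach Solr; anything else the client
    # sent is dropped rather than forwarded.
    return SOLR_SELECT_URL + "?" + urlencode({"q": " AND ".join(clauses), "rows": rows})


if __name__ == "__main__":
    # Constructed sample submission: query syntax in a value, an oversized
    # rows value, and a parameter the front end does not know about.
    sample = {"title": 'solr" OR id:*', "rows": "100000", "qt": "x"}
    print(build_solr_url(sample))
```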

