How to secure Solr to allow SELECT request to only users and disallow anything else?

Question

This is what I have done so far to secure my SOLR application.

In SOLR's web.xml file I'm trying to do the following

• Allow /select request to only user or admin requests.
• Disallow every other request to SOLR other then admin.

I've added security constraints to SOLR's web.xml file

<security-constraint> 
    <web-resource-collection> 
        <web-resource-name>Solr Admin</web-resource-name> 
        <url-pattern>/*</url-pattern> 
    </web-resource-collection>
    <auth-constraint> 
        <role-name>admin</role-name> 
    </auth-constraint>
</security-constraint> 
<security-constraint> 
    <web-resource-collection> 
        <web-resource-name>Public</web-resource-name> 
        <url-pattern>/primary/select/*</url-pattern> 
        <url-pattern>/reindex/select/*</url-pattern> 
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

This is how I'm instantiating SOLR HTTP connection in my client application

//primary core
HttpSolrServer primaryindex = new HttpSolrServer(serverUrl + "/" + PRIMARYINDEX);
    HttpClientUtil.setBasicAuth((DefaultHttpClient) primaryindex.getHttpClient(), "user", "user");

//reindex core
HttpSolrServer reindex = new HttpSolrServer(serverUrl + "/" + REINDEX);
    HttpClientUtil.setBasicAuth((DefaultHttpClient) reindex.getHttpClient(), "user", "user");

tomcat-users.xml file has the roles and users set as following

<role rolename="user"/>
<user username="user" password="user" roles="user"/>
<user password="admin" roles="manager-script,admin" username="admin"/>

The above is working perfect. Obviously in production I will have more stronger username and password.

Question

Is there anything else I need to secure my SOLR instances or will the above is enough ? I've got 1 instance of Tomcat 7 which runs the Client application and SOLR application. This is what I'm trying to achieve.

• Don't want to allow anyone to log into admin without a username and password
• Don't want anyone to access core's other then my client application

I can add Spring security to SOLR on top of the above but is that necessary ?

Answer 1

I didn't know that /admin was the context for SOLR admin because /admin does not really show up in the URL. But adding security-contraints for /admin in web.xml secured the admin application.

<security-constraint> 
    <web-resource-collection> 
        <web-resource-name>Admin</web-resource-name> 
        <url-pattern>/admin/*</url-pattern> 
        <url-pattern>/admin.html</url-pattern> 
    </web-resource-collection>
    <auth-constraint> 
        <role-name>admin</role-name> 
    </auth-constraint>
</security-constraint> 

<security-constraint>
    <!-- This one is necessary to show the image on the Solr start page -->
    <web-resource-collection>
        <web-resource-name>Admin images</web-resource-name>
        <url-pattern>*.png</url-pattern>
    </web-resource-collection>
    <auth-contraint>
        <role-name>admin</role-name>
    </auth-contraint>
</security-constraint>

<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>admin</realm-name>
</login-config> 

Answer 2

If you have the replication handler enabled, be sure to put it behind one of the secured roles. Another thing I've seen people do is run admin on a different port. It's best to use SSL on pages that require auth so you're not sending passwords in-the-clear, so admin and replication will happen on, say, 8443, whereas regular queries will happen on 8080.

If you're going to be signing your own cert, check out this helpful SO page:

How can I use different certificates on specific connections?