This is what I have done so far to secure my SOLR application.
In SOLR's web.xml file I'm trying to do the following
- Allow /select request to only user or admin requests.
- Disallow every other request to SOLR other then admin.
I've added security constraints to SOLR's web.xml file
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr Admin</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Public</web-resource-name>
<url-pattern>/primary/select/*</url-pattern>
<url-pattern>/reindex/select/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
This is how I'm instantiating SOLR HTTP connection in my client application
//primary core
HttpSolrServer primaryindex = new HttpSolrServer(serverUrl + "/" + PRIMARYINDEX);
HttpClientUtil.setBasicAuth((DefaultHttpClient) primaryindex.getHttpClient(), "user", "user");
//reindex core
HttpSolrServer reindex = new HttpSolrServer(serverUrl + "/" + REINDEX);
HttpClientUtil.setBasicAuth((DefaultHttpClient) reindex.getHttpClient(), "user", "user");
tomcat-users.xml file has the roles and users set as following
<role rolename="user"/>
<user username="user" password="user" roles="user"/>
<user password="admin" roles="manager-script,admin" username="admin"/>
The above is working perfect. Obviously in production I will have more stronger username and password.
Question
Is there anything else I need to secure my SOLR instances or will the above is enough ? I've got 1 instance of Tomcat 7 which runs the Client application and SOLR application. This is what I'm trying to achieve.
- Don't want to allow anyone to log into admin without a username and password
- Don't want anyone to access core's other then my client application
I can add Spring security to SOLR on top of the above but is that necessary ?