lucene-dev mailing list archives

From "Matthew Mauriello" <>
Subject Security Questions on Solr & Tomcat 6
Date Tue, 04 May 2010 02:03:54 GMT
Hello All,

I am really hoping for a little help on securing my SOLR instance in
Tomcat 6. I am not really having any luck using BASIC authorization on
Tomcat as everything seems to shut down with a 404 when I implement it. I
have looked into the SOLR wiki about securing the application but I can't
seem to make sense of anything for my situation. The tutorials I have
found on Google usually result in the 404 error or the server not starting.

Essentially I have a Tomcat 6 server running on Windows in its most basic
settings. I created a self-signed certificate and set up SSL. In the
webapps/ROOT web folder I do a redirect to my webapps/SOLR folder. In this
folder I have all of my web application files and I have considered moving
non-solr files out of there but I haven't been able to come up with a
solution yet so I haven't done it but I am thinking it might be required.

In the SOLR folder I am using JavaBridge software so that I can write in
PHP. So I have jsp pages and php pages running together just fine and I
went through the solr jsp pages and added session security checks there
without a problem. I set up the web application so that it communicates
with MySQL. My application is secured using java session variables.
Everything works as expected when not using SOLR. The application handles
user and uploaded document management.

The problem is Solr is not secure, so without logging in a user can browse
to the solr directory and then execute select, update, admin, etc... I
would like to be able to have SOLR check session variables before
processing the request. I looked at creating a custom request handler but
I could not find a very good example of how that works.

If anyone has any suggestions, tutorials, or general information that
might help I would be very appreciative.

Thank you for your time,

~Matt Mauriello
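
The session check asked about above can be done in a servlet filter that runs before Solr handles the request. This is an added example, not part of the original message and not Solr's own code; the class name `SolrSessionFilter` and the session attribute name `authenticatedUser` are assumptions standing in for whatever the application's login code sets.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical filter: rejects Solr requests that lack a logged-in session. */
public class SolrSessionFilter implements Filter {
    // Assumed name of the session attribute set by the application's login code.
    private static final String USER_ATTR = "authenticatedUser";
    // Solr paths named in the message; these and everything beneath them are gated.
    private static final String[] PROTECTED = {"/select", "/update", "/admin"};

    public void init(FilterConfig config) {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Use the container-decoded path, not the raw URI, so percent-encoded
        // variants of a protected path are matched as well.
        String pathInfo = request.getPathInfo();
        String path = request.getServletPath() + (pathInfo == null ? "" : pathInfo);
        if (isProtected(path)) {
            // getSession(false): do not create a session for an anonymous caller.
            HttpSession session = request.getSession(false);
            if (session == null || session.getAttribute(USER_ATTR) == null) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return; // the request never reaches Solr
            }
        }
        chain.doFilter(req, res);
    }

    // Match on whole path segments so "/selection.php" is not treated as "/select".
    static boolean isProtected(String path) {
        for (String prefix : PROTECTED) {
            if (path.equals(prefix) || path.startsWith(prefix + "/")) return true;
        }
        return false;
    }

    public void destroy() {}
}
```

The filter only takes effect once it is declared in the web application's `web.xml`, with its `filter-mapping` placed ahead of the other filter mappings so that it runs first.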
