First and foremost, Solr does not concern itself with security either at the document level or the communication level. It is strongly recommended that the application server containing Solr be firewalled such the only clients with access to Solr are your own. A default/example installation of Solr allows any client with access to it to add, update, and delete documents (and of course search/read too), including access to the Solr configuration and schema files and the administrative user interface.
Besides limiting port access to the Solr server, standard Java web security can be added by tuning the container and the Solr web application configuration itself via web.xml. For example, all /update URLs could require HTTP authentication.
Security-related questions:
Q: Does Solr contain any known cross-site scripting vulnerabilities? A: No.
Path Based Authentication
TODO - include web.xml example...
Using path based request handlers with "appends" and "invariants" is a nice way to expose some data without allowing any query. Consider:
<requestHandler name="/instock" class="solr.DisMaxRequestHandler" >
<lst name="appends">
<str name="fq">inStock:true</str>
</lst>
<lst name="invariants">
<str name="facet.field">cat</str>
</lst>
</requestHandler>
Document Level Security
Although Solr does not directly support Document level security, the SolrRequestHandler framework is easy to configure for your specific needs. ( NOTE: XmlUpdateRequestHandler needs to be refactored so that documents are added one document at a time in an easily overrideable way. SOLR-133 includes work in this direction).
If you need permission based authentication -- where user A can update document 1 and 2, but not 3 -- you will need to augment the request with user information. Either you can add parameters to the query string (?u=XXX&p=YYY) or use a custom dispatcher filter that augments the context:
public class CustomDispatchFilter extends SolrDispatchFilter
{
@Override
protected void execute( HttpServletRequest req, SolrRequestHandler handler, SolrQueryRequest sreq, SolrQueryResponse rsp)
{
// perhaps the whole request
sreq.getContext().put( "HttpServletRequest", req );
// or maybe just the user
sreq.getContext().put( "user", req.getRemoteUser());
core.execute( handler, sreq, rsp );
}
}
public class AuthenticatingHandler extends RequestHandlerBase
{
@Override
public void handleRequestBody(SolrQueryRequest req, SolrQueryResponse rsp) throws Exception {
HttpServletRequest httpreq = (HttpServletRequest)
req.getContext().get( "HttpServletRequest" );
if( httpreq.isUserInRole( "editor" ) ) {
...
}
String user = (String)req.getContext().get( "user" );
...
}
...
}
Streaming Consideration
If streaming is enabled, you need to make sure solr is as secure as it needs to be. When streaming is enabled, the parameters "stream.url" will go to a remote site and download the content. Likewise, "stream.file" will read a file on disk.
Streaming is disabled by default and is configured from solrconfig.xml
<requestParsers enableRemoteStreaming="false" ... />