bneigher bneigher -4 years ago 106
Apache Configuration Question

Securing Update and Delete queries in Solr

I have a website that displays product information using Solr, and it is managed via the URL. I am curious as to how I would go about preventing regular users from updating or deleting my Apache Solr documents via the URL. I want to get it so only admins can submit these queries.

I would assume that there is a way to have a username and password verify that an arbitrary user is an admin, thus allowing for the URL request to modify data. This is useful, but the problem is that I don't want users from the website UI to even have the opportunity to see the log-in message in the event that someone enters a query into the URL.

Does anyone know of a solution for this, or has anyone done something similar?

Answer Source

1) One solution would be to run SOLR on a different port (say 8081) and have your OS firewall block requests to port 8081, excluding the public IP of the machine that you will be using to manage the admin, allowing just your local machine to access 8081.

This is the firewall configuration I'm using in IPTABLES on my CentOS machine

-A INPUT -p tcp --dport 8081 -s 111.222.333.444 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 8081 -j DROP

And to secure the admin further I added the following security-constraint to web.xml with DIGEST auth-method

<security-constraint> 
    <web-resource-collection> 
        <web-resource-name>Admin</web-resource-name> 
        <url-pattern>/admin/*</url-pattern> 
        <url-pattern>/admin.html</url-pattern>
    </web-resource-collection>
    <auth-constraint> 
        <role-name>admin</role-name> 
    </auth-constraint>
</security-constraint> 

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Admin images</web-resource-name>
        <url-pattern>*.png</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>secure</realm-name>
</login-config>

2) Another option would be to just add the above security-constraint for two different roles, i.e. user and admin. Users with the user role will be able to access just the select url-pattern, and users with the admin role will be able to access the admin url-pattern.

I would recommend using DIGEST authentication because BASIC authentication can easily be spoofed by attackers.
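An added example, not part of the original answer: a Python check that reads a web.xml and reports which roles a request path requires, using servlet url-pattern matching (exact, then longest prefix, then extension). The web.xml fragment is constructed to illustrate option 2 and assumes a single-core Solr webapp with handlers at /select and /update and no XML namespace; `rank` and `required_roles` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment for option 2 (two roles). Assumption: a
# single-core Solr webapp whose handlers live at /select and /update.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Search</web-resource-name>
      <url-pattern>/select/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Write and admin</web-resource-name>
      <url-pattern>/update/*</url-pattern>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def rank(pattern, path):
    """Servlet-style match strength: exact > longest prefix > extension; 0 = no match."""
    if pattern == path:
        return 10_000
    if pattern.endswith("/*"):
        base = pattern[:-2]
        if path == base or path.startswith(base + "/"):
            return 100 + len(base)
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return 1
    return 0

def required_roles(web_xml, path):
    """Roles allowed to request `path`, or None when no constraint protects it."""
    best, roles = 0, None
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        auth = sc.find("auth-constraint")  # a misspelled element name is not found here
        allowed = None if auth is None else {r.text.strip() for r in auth.iter("role-name")}
        for pat in sc.iter("url-pattern"):
            score = rank(pat.text.strip(), path)
            if score > best:
                best, roles = score, allowed
    return roles
```

A result of `None` for `/update` means the write handler is reachable without authentication under that configuration.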
