SOLR Security

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

SOLR Security

Anupam Bhattacharya
I am using Ajax-Solr Framework for creating a search interface. The search
interface works well.
In my case, the results have document level security so by even indexing
records with there authorized users help me to filter results per user
based on the authentication of the user.

The problem that I have to a pass always a parameter to the SOLR Server
with userid={xyz} which one can figure out from the SOLR URL(ajax call url)
using Firebug tool in the Net Console on Firefox and can change this
parameter value to see others records which he/she is not authorized.
Basically it is Cross Site Scripting Issue.

I have read about some approaches for Solr Security like Nginx with Jetty &
.htaccess based security.Overall what i understand from this is that we can
restrict users to do update/delete operations on SOLR as well as we can
restrict the SOLR admin interface to certain IPs also. But How can I
restrict the {solr-server}/solr/select based results from access by
different user id's ?
Reply | Threaded
Open this post in threaded view
|

RE: SOLR Security

mkloster
Instead of hitting the Solr server directly from the client, I think I would go through your application server, which would have access to all the users data and can forward that to the Solr server, thereby hiding it from the client.

Mike


-----Original Message-----
From: Anupam Bhattacharya [mailto:[hidden email]]
Sent: Thursday, May 10, 2012 9:53 PM
To: [hidden email]
Subject: SOLR Security

I am using Ajax-Solr Framework for creating a search interface. The search interface works well.
In my case, the results have document level security so by even indexing records with there authorized users help me to filter results per user based on the authentication of the user.

The problem that I have to a pass always a parameter to the SOLR Server with userid={xyz} which one can figure out from the SOLR URL(ajax call url) using Firebug tool in the Net Console on Firefox and can change this parameter value to see others records which he/she is not authorized.
Basically it is Cross Site Scripting Issue.

I have read about some approaches for Solr Security like Nginx with Jetty & .htaccess based security.Overall what i understand from this is that we can restrict users to do update/delete operations on SOLR as well as we can restrict the SOLR admin interface to certain IPs also. But How can I restrict the {solr-server}/solr/select based results from access by different user id's ?
Reply | Threaded
Open this post in threaded view
|

Re: SOLR Security

Anupam Bhattacharya
Yes, I agree with you.

But Ajax-SOLR Framework doesn't fit in that manner. Any alternative
solution ?

Anupam

On Fri, May 11, 2012 at 9:41 AM, Klostermeyer, Michael <
[hidden email]> wrote:

> Instead of hitting the Solr server directly from the client, I think I
> would go through your application server, which would have access to all
> the users data and can forward that to the Solr server, thereby hiding it
> from the client.
>
> Mike
>
>
> -----Original Message-----
> From: Anupam Bhattacharya [mailto:[hidden email]]
> Sent: Thursday, May 10, 2012 9:53 PM
> To: [hidden email]
> Subject: SOLR Security
>
> I am using Ajax-Solr Framework for creating a search interface. The search
> interface works well.
> In my case, the results have document level security so by even indexing
> records with there authorized users help me to filter results per user
> based on the authentication of the user.
>
> The problem that I have to a pass always a parameter to the SOLR Server
> with userid={xyz} which one can figure out from the SOLR URL(ajax call url)
> using Firebug tool in the Net Console on Firefox and can change this
> parameter value to see others records which he/she is not authorized.
> Basically it is Cross Site Scripting Issue.
>
> I have read about some approaches for Solr Security like Nginx with Jetty
> & .htaccess based security.Overall what i understand from this is that we
> can restrict users to do update/delete operations on SOLR as well as we can
> restrict the SOLR admin interface to certain IPs also. But How can I
> restrict the {solr-server}/solr/select based results from access by
> different user id's ?
>
Reply | Threaded
Open this post in threaded view
|

Re: SOLR Security

Jan Høydahl-3
Hi,

There is nothing stopping you from pointing Ajax-SOLR to a URL on your app-server, which acts as a security insulation layer between the Solr backend and the world. In this (thin) layer you can analyze the input and choose carefully what to let through and not.

--
Jan Høydahl, search solution architect
Cominvent AS - www.facebook.com/Cominvent
Solr Training - www.solrtraining.com

On 11. mai 2012, at 06:37, Anupam Bhattacharya wrote:

> Yes, I agree with you.
>
> But Ajax-SOLR Framework doesn't fit in that manner. Any alternative
> solution ?
>
> Anupam
>
> On Fri, May 11, 2012 at 9:41 AM, Klostermeyer, Michael <
> [hidden email]> wrote:
>
>> Instead of hitting the Solr server directly from the client, I think I
>> would go through your application server, which would have access to all
>> the users data and can forward that to the Solr server, thereby hiding it
>> from the client.
>>
>> Mike
>>
>>
>> -----Original Message-----
>> From: Anupam Bhattacharya [mailto:[hidden email]]
>> Sent: Thursday, May 10, 2012 9:53 PM
>> To: [hidden email]
>> Subject: SOLR Security
>>
>> I am using Ajax-Solr Framework for creating a search interface. The search
>> interface works well.
>> In my case, the results have document level security so by even indexing
>> records with there authorized users help me to filter results per user
>> based on the authentication of the user.
>>
>> The problem that I have to a pass always a parameter to the SOLR Server
>> with userid={xyz} which one can figure out from the SOLR URL(ajax call url)
>> using Firebug tool in the Net Console on Firefox and can change this
>> parameter value to see others records which he/she is not authorized.
>> Basically it is Cross Site Scripting Issue.
>>
>> I have read about some approaches for Solr Security like Nginx with Jetty
>> & .htaccess based security.Overall what i understand from this is that we
>> can restrict users to do update/delete operations on SOLR as well as we can
>> restrict the SOLR admin interface to certain IPs also. But How can I
>> restrict the {solr-server}/solr/select based results from access by
>> different user id's ?
>>

Reply | Threaded
Open this post in threaded view
|

RE: SOLR Security

Welty, Richard
in fact, there's a sample proxy.php on the ajax-solr web page which can easily be modified into a security layer. my solr servers only listen to requests issued by a narrow list of systems, and everything gets routed through a modified copy of the proxy.php file, which checks whether the user is logged in, and adds terms to the query to limit returned results to those the user is permitted to see.


-----Original Message-----
From: Jan Høydahl [mailto:[hidden email]]
Sent: Fri 5/11/2012 9:45 AM
To: [hidden email]
Subject: Re: SOLR Security
 
Hi,

There is nothing stopping you from pointing Ajax-SOLR to a URL on your app-server, which acts as a security insulation layer between the Solr backend and the world. In this (thin) layer you can analyze the input and choose carefully what to let through and not.

--
Jan Høydahl, search solution architect
Cominvent AS - www.facebook.com/Cominvent
Solr Training - www.solrtraining.com

On 11. mai 2012, at 06:37, Anupam Bhattacharya wrote:

> Yes, I agree with you.
>
> But Ajax-SOLR Framework doesn't fit in that manner. Any alternative
> solution ?
>
> Anupam
>
> On Fri, May 11, 2012 at 9:41 AM, Klostermeyer, Michael <
> [hidden email]> wrote:
>
>> Instead of hitting the Solr server directly from the client, I think I
>> would go through your application server, which would have access to all
>> the users data and can forward that to the Solr server, thereby hiding it
>> from the client.
>>
>> Mike
>>
>>
>> -----Original Message-----
>> From: Anupam Bhattacharya [mailto:[hidden email]]
>> Sent: Thursday, May 10, 2012 9:53 PM
>> To: [hidden email]
>> Subject: SOLR Security
>>
>> I am using Ajax-Solr Framework for creating a search interface. The search
>> interface works well.
>> In my case, the results have document level security so by even indexing
>> records with there authorized users help me to filter results per user
>> based on the authentication of the user.
>>
>> The problem that I have to a pass always a parameter to the SOLR Server
>> with userid={xyz} which one can figure out from the SOLR URL(ajax call url)
>> using Firebug tool in the Net Console on Firefox and can change this
>> parameter value to see others records which he/she is not authorized.
>> Basically it is Cross Site Scripting Issue.
>>
>> I have read about some approaches for Solr Security like Nginx with Jetty
>> & .htaccess based security.Overall what i understand from this is that we
>> can restrict users to do update/delete operations on SOLR as well as we can
>> restrict the SOLR admin interface to certain IPs also. But How can I
>> restrict the {solr-server}/solr/select based results from access by
>> different user id's ?
>>


Reply | Threaded
Open this post in threaded view
|

Re: SOLR Security

Anupam Bhattacharya
Thanks for the suggestions.

I tried to use SolrJ within my Servlet. Although the SolrJ QueryResponse is
not returning a well formed Json Object.
I need the Json String with quotes as below. although
QueryResponse.toString() doesn't  return json with quotes at all.

jsonp1337064466204({"responseHeader":{"status":0,"QTime":0,"params":{"json.wrf":"jsonp1337064466204","facet":"true","facet.mincount":"1","q":"*:*","facet.limit":"-1","json.nl":"map","facet.field":["title","abstract"],"wt":"json","rows":"0"}},"response":{"numFound":0,"start":0,"docs":[]},"facet_counts":{"facet_queries":{},"facet_fields":{"title":{},"abstract":{}},"facet_dates":{},"facet_ranges":{}}})

Regards

Anupam


On Fri, May 11, 2012 at 7:56 PM, Welty, Richard <[hidden email]>wrote:

> in fact, there's a sample proxy.php on the ajax-solr web page which can
> easily be modified into a security layer. my solr servers only listen to
> requests issued by a narrow list of systems, and everything gets routed
> through a modified copy of the proxy.php file, which checks whether the
> user is logged in, and adds terms to the query to limit returned results to
> those the user is permitted to see.
>
>
> -----Original Message-----
> From: Jan Høydahl [mailto:[hidden email]]
> Sent: Fri 5/11/2012 9:45 AM
> To: [hidden email]
> Subject: Re: SOLR Security
>
> Hi,
>
> There is nothing stopping you from pointing Ajax-SOLR to a URL on your
> app-server, which acts as a security insulation layer between the Solr
> backend and the world. In this (thin) layer you can analyze the input and
> choose carefully what to let through and not.
>
> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.facebook.com/Cominvent
> Solr Training - www.solrtraining.com
>
> On 11. mai 2012, at 06:37, Anupam Bhattacharya wrote:
>
> > Yes, I agree with you.
> >
> > But Ajax-SOLR Framework doesn't fit in that manner. Any alternative
> > solution ?
> >
> > Anupam
> >
> > On Fri, May 11, 2012 at 9:41 AM, Klostermeyer, Michael <
> > [hidden email]> wrote:
> >
> >> Instead of hitting the Solr server directly from the client, I think I
> >> would go through your application server, which would have access to all
> >> the users data and can forward that to the Solr server, thereby hiding
> it
> >> from the client.
> >>
> >> Mike
> >>
> >>
> >> -----Original Message-----
> >> From: Anupam Bhattacharya [mailto:[hidden email]]
> >> Sent: Thursday, May 10, 2012 9:53 PM
> >> To: [hidden email]
> >> Subject: SOLR Security
> >>
> >> I am using Ajax-Solr Framework for creating a search interface. The
> search
> >> interface works well.
> >> In my case, the results have document level security so by even indexing
> >> records with there authorized users help me to filter results per user
> >> based on the authentication of the user.
> >>
> >> The problem that I have to a pass always a parameter to the SOLR Server
> >> with userid={xyz} which one can figure out from the SOLR URL(ajax call
> url)
> >> using Firebug tool in the Net Console on Firefox and can change this
> >> parameter value to see others records which he/she is not authorized.
> >> Basically it is Cross Site Scripting Issue.
> >>
> >> I have read about some approaches for Solr Security like Nginx with
> Jetty
> >> & .htaccess based security.Overall what i understand from this is that
> we
> >> can restrict users to do update/delete operations on SOLR as well as we
> can
> >> restrict the SOLR admin interface to certain IPs also. But How can I
> >> restrict the {solr-server}/solr/select based results from access by
> >> different user id's ?
> >>
>
>
>
>