Securing Solr Server With Jetty

We just covered the configuration changes involved in moving from Solr 4 to Solr 5 after upgrading NixMash Spring to Spring Boot 1.4. One configuration issue we didn't cover in that post was securing our Solr server, which now runs under Jetty instead of the Tomcat we used in the past.

Regardless of the web server, we still want to see this login prompt when we hit our Solr 5 Administration Dashboard.

Before showing how we'll do that, here are two references you should bookmark. First, the Gold Standard for securing Solr with Jetty: Jim Strassburg's Solr Jetty Authorization Gist. The second is this StackOverflow question, which makes the important point that we only want to secure Solr Administration, not our Solr client HTTP requests and queries.

Below are the three files in /solr-5.5.2/server/etc we'll be either creating or updating. Hint: we'll be creating realm.properties.

Add the Jetty Security Realm in jetty.xml

We begin by adding a Security Realm to our /etc/jetty.xml file, giving it the name “MySolrRealm” and pointing it at the realm.properties file under the jetty.home directory.

Create a realm.properties File

With Tomcat we store our user security information in tomcat-users.xml. With Apache we use .htaccess in the web root and an accompanying .htpasswd file in our user home directory. In Jetty we create a realm.properties file. Jetty's security model is closer to Apache's than to Tomcat's, with realm.properties playing much the same role as the Apache .htpasswd file.

In the following example the username is “myusername”, the password is stored as its MD5 hash rather than in plain text, and the role is “adminrole.”

Notice the instructions above (taken from Jim Strassburg's Gist) on how to create a hashed password. This is what that looks like at the command line for user “myuser” and password “mypassword.”

Apply the Security to the Web Site

Jetty's web application defaults file is webdefault.xml, in our scenario located in /solr-5.5.2/server/etc. Our additions are shown below. Notice there are NO restrictions placed on the root, which means all of our client Solr requests and queries will execute unimpeded. Our restriction is on the Solr /admin/* pattern only.
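As an added example (not code from this post, Solr or Jetty), here is a small Python script that builds a realm.properties entry in Jetty's MD5 credential form, checks an offered password and role against it the way Jetty's HashLoginService and the security-constraint do, and shows which servlet paths (relative to the /solr context) the /admin/* pattern covers. The realm contents and the "myuser"/"adminrole" entry are constructed sample data.

```python
# Added example, not from the post or from Solr/Jetty: build and verify
# Jetty realm.properties entries and show which paths /admin/* covers.
import hashlib

def md5_credential(password: str) -> str:
    """Jetty's hashed credential form: 'MD5:' + lowercase hex MD5 of the
    password, as printed on the MD5 line by Jetty's Password utility."""
    return "MD5:" + hashlib.md5(password.encode("utf-8")).hexdigest()

def realm_line(user: str, password: str, *roles: str) -> str:
    """One realm.properties line: 'user: credential,role1,role2'."""
    return f"{user}: {md5_credential(password)},{','.join(roles)}"

def parse_realm(text: str) -> dict:
    """Parse realm.properties into {user: (credential, [roles])}."""
    realm = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, rest = line.split(":", 1)
        fields = [f.strip() for f in rest.split(",")]
        realm[user.strip()] = (fields[0], [r for r in fields[1:] if r])
    return realm

def check_login(realm: dict, user: str, password: str) -> bool:
    """Authentication step (HashLoginService): hash the offered password and
    compare with the stored MD5: credential; no prefix means plain text."""
    if user not in realm:
        return False
    stored = realm[user][0]
    if stored.startswith("MD5:"):
        return stored == md5_credential(password)
    return stored == password

def has_role(realm: dict, user: str, role: str) -> bool:
    """Authorization step: the role named in the constraint's auth-constraint."""
    return user in realm and role in realm[user][1]

def is_protected(servlet_path: str) -> bool:
    """Servlet-spec prefix match for url-pattern /admin/*: '/admin' and anything
    below it need auth; '/select', '/update' and other client paths stay open."""
    return servlet_path == "/admin" or servlet_path.startswith("/admin/")

# Constructed sample realm (not the post's file)
SAMPLE_REALM = "# constructed sample\n" + realm_line("myuser", "mypassword", "adminrole")

if __name__ == "__main__":
    realm = parse_realm(SAMPLE_REALM)
    print(SAMPLE_REALM)
    print(check_login(realm, "myuser", "mypassword"), has_role(realm, "myuser", "adminrole"))
    print([p for p in ("/admin/cores", "/select", "/administrator") if is_protected(p)])
```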

Source Code Notes for this Post

All source code discussed in this post can be found in my NixMash Spring GitHub repo and viewed online here.

Posted September 10, 2016 05:29 PM EDT
