Secure page admin Solr - solr

Installed Solr 5.3.0 on Windows and imported data. Can somebody guide me on how to secure mydomain/ip:8983/solr from the public?
I want to secure all pages of Solr except query and select. I want to keep them public.
http://localhost:8983/solr/core/query?
http://localhost:8983/solr/core/select?
This is my config, example/etc/webdefault.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr authenticated application</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>core1-role</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Test Realm</realm-name>
</login-config>

Related

AppEngine Multiple User Credentials in Development Server

When auth-constraint is specified in the AppEngine Development server web.xml file, the User injected to the endpoint and the User received from UserService.getCurrentUser() in HttpServlet are different.
The user ID for the endpoint user is zero and for HttpServlet it is a fixed number. When the auth-constraint tag is removed from the web.xml file, both user IDs are zero. But this tag is required for the production server.
How can I get a single user for the development server?
<security-constraint>
<web-resource-collection>
<web-resource-name>all</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

Disabling http methods in web.xml of application

I am trying to disable HTTP methods like PUT, DELETE, TRACE, OPTIONS and PROPFIND. I have made a few changes in the web.xml file of my application but the methods are still enabled. Following is the code snippet:
<security-constraint>
<display-name>Restrict raw XHTML Documents</display-name>
<web-resource-collection>
<web-resource-name>XHTML</web-resource-name>
<url-pattern>*.xhtml</url-pattern>
</web-resource-collection>
<auth-constraint />
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted Methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
</security-constraint>

How to bypass security constraints for specific IP addresses

My web application has security configuration in web.xml. It runs on Wildfly and uses ActiveDirectory for sign-on.
I want some IP addresses to bypass these security constraints. Is it possible?
For instance, any request from 100.35.6.124 and 100.35.6.122 will bypass the login.
<security-constraint>
<web-resource-collection>
<web-resource-name>Unauthenticated Resources</web-resource-name>
<url-pattern>/version</url-pattern>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>All Resources</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>ActiveDirectoryRealm</realm-name>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/login.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>*</role-name>
</security-role>

Securing Solr on Tomcat7

I am trying to secure my Solr instance but I can't get it to work. I did everything the way I saw it in many tutorials, but it seems like Solr is ignoring my web.xml.
My Steps:
1: Editing tomcat-users.xml
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>
<role rolename="solr-role"/>
<user username="test" password="test" roles="solr-role"/>
</tomcat-users>
2: Editing web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr Lockdown</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>solr-role</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Solr</realm-name>
</login-config>
3: Restart tomcat7
After that I try to access http://xxx.xxx.xxx.xxx:8080/solr/ and I get access without any password prompt.
What am I doing wrong?
Thank you very much!
Adding the following lines to web.xml secures the admin pages of Solr (at least for Solr 4.2.1, but that should also work for 4.5.1):
<security-constraint>
<!-- This protects your admin interface and grants access to role admin -->
<web-resource-collection>
<web-resource-name>Solr admin</web-resource-name>
<url-pattern>/admin/*</url-pattern>
<url-pattern>/admin.html</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>solr</role-name>
</auth-constraint>
</security-constraint>
<!-- security-role is a child of web-app, not of security-constraint -->
<security-role>
<role-name>solr</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>SOLR Realm</realm-name>
</login-config>
I don't know why, but I used the wrong web.xml.
I used the file stored under /var/lib/tomcat7/webapps/solr/WEB_INF/web.xml but I have to use the file under /etc/tomcat7/web.xml.

Require user login in GWT with web.xml

I am developing an application with GAE and GWT where the user has to be logged in with his Google Account when he accesses the site. So I defined the following in the web.xml file...
<security-constraint>
<web-resource-collection>
<url-pattern>/index.html</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
When I'm running the local dev server I get prompted with the test login screen when I open the app the first time, but when I deploy it, I come directly to my application without any authentication.
At first I thought that could be because I'm already logged in to other Google services, but I tried it in other browsers and in incognito mode too.
I would suggest, first, setting the URL pattern to * so that all your resources are secure and, second, adding a web-resource-name tag with the value "all", as shown in the code snippet below.
And I am assuming you already have a servlet mapping to the service, etc.
<security-constraint>
<web-resource-collection>
<web-resource-name>all</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
