I try to secure my Solr instance but i cant getting it to work. I do everything in the way i saw it in many many tutorials but it seems like solr is ignoring my web.xml.
My Steps:
1: Editing tomcat-users.xml
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>
<role rolename="solr-role"/>
<user username="test" password="test" roles="solr-role"/>
</tomcat-users>
2: Editing web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr Lockdown</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>solr-role</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Solr</realm-name>
</login-config>
3: Restart tomcat7
After that i try to access http://xxx.xxx.xxx.xxx:8080/solr/ and i get access without any password prompt.
What is my fault?
Thank you very much!
Adding the following lines to web.xml secures the admin pages of solr (at least for solr 4.2.1, but that should also work for 4.5.1)
<security-constraint>
<!-- This protects your admin interface and grants access to role admin -->
<web-resource-collection>
<web-resource-name>Solr admin</web-resource-name>
<url-pattern>/admin/*</url-pattern>
<url-pattern>/admin.html</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>solr</role-name>
</auth-constraint>
<security-role>
<role-name>solr</role-name>
</security-role>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>SOLR Realm</realm-name>
</login-config>
I dont know why but i used the wrong web.xml.
I uses the file stored under /var/lib/tomcat7/webapps/solr/WEB_INF/web.xml but i have to use the file under /etc/tomcat7/web.xml.
Related
Installed Solr5.3.0 on Windows and imported data. Can somebody guide me how to secure mydomain/ip:8983/solr from public.
I want to secure all page of solr except the query & select. I want keep them publically.
http://localhost:8983/solr/core/query?
http://localhost:8983/solr/core/select?
This my config example/etc/webdefault.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr authenticated application</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>core1-role</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Test Realm</realm-name>
</login-config>
I am trying to disable http methods like PUT, DELETE, TRACE, OPTIONS and PROPFIND. I have made the few changes in my web.xml file of my application but the methods are still enabled. Following is the code snippet:
<security-constraint>
<display-name>Restrict raw XHTML Documents</display-name>
<web-resource-collection>
<web-resource-name>XHTML</web-resource-name>
<url-pattern>*.xhtml</url-pattern>
</web-resource-collection>
<auth-constraint />
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted Methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
</security-constraint>
My web application has security configuration in web.xml. It runs on Wildfly and uses ActiveDirectory for sign-on.
I want some ipaddress to bypass this security constraints. Is it possible?
For instance any request from 100.35.6.124 and 100.35.6.122 will bypass the login.
<security-constraint>
<web-resource-collection>
<web-resource-name>Unauthenticated Resources</web-resource-name>
<url-pattern>/version</url-pattern>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>All Resources</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>ActiveDirectoryRealm</realm-name>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/login.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>*</role-name>
</security-role>
I develop an application with GAE and GWT where the user has to be logged in with his Google Account when he access the site. So I defined the following in the web.xml file...
<security-constraint>
<web-resource-collection>
<url-pattern>/index.html</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
When I'm running the local dev server I get promted with the test login-screen when I open the app the first time, but when I deploy it, I directly come to my application without any authentication.
First I thought, that could be, because I'm already logged in to other Google services, but I tried it in other browsers and in incognito mode too.
I would suggest trying one is to use the URL pattern to * so that all your resources are secure and secondly addind web-resource-name tag to "all" value, as shown in code snippet below.
And I am assuming you already have servlet mapping to service etc
<security-constraint>
<web-resource-collection>
<web-resource-name>all</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
I am on a google app engine project now. In my application I have to allow only https protocol. And I have to restrict other protocols. It should allow https only. I have added the below code in web.xml.
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
But after deploying it works on both the protocols(http and https). How to restrict http?
It is possible to configure the individual handlers to require HTTPS in the app.yaml file in the WEB-INF folder as described here: Java Application Configuration Using app.yaml - Google App Engine.
You just have to add these two words to your app.yaml file under the appropriate url entry:
secure: always
For example:
- url: .*
script: main.app
secure: always
Then if a user tries to access the URL with HTTP she will be automatically redirected to HTTPS. Pretty cool.
If you want to stick with "web.xml" rather than using the "app.yaml" option (which will overwrite your web.xml & appengine-web.xml files at deploy time), you can add in:
<security-constraint>
<web-resource-collection>
<web-resource-name>everything</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Reference:
https://cloud.google.com/appengine/docs/java/config/webxml#Security_and_Authentication
Are you using your own domain? At present, GAE supports SSL for *.appspot.com domains only. They have been promising SSL support for non-appspot domains for some time now and we're all waiting for news on that front.
This is for future folks !!!
In java adding the code below in my web.xml file worked for me
<security-constraint>
<web-resource-collection>
<web-resource-name>HTTPS redirect</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
For other project add secure: always under all urls in app.yaml file
Add this to your web.xml file
<security-constraint>
<web-resource-collection>
<web-resource-name>all</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>