tags:

views:

256

answers:

3
Q: 

How does one protect a webapp to be accessed only by localhost ?

I am planning to run a java web application and solr in the same java container. I want the web application to be publicly accessible but solr to be accessible only to the other web applications in the same container. Solr should be accessible only as localhost and not from outside. Can we write some rules in the web-xml to achieve this?

+2  A: 

This is actually a question for serverfault. Anyway, you can deal with this the same way you deal with any internal server, like a database server: don't give Solr a public IP, or put it behind a firewall.

Other than that, you could set up HTTP auth (Tomcat example) or set the container to only listen on localhost (that is, if your web app runs on the same box) (jetty example), but I recommend putting it behind a properly configured firewall instead.

Also see the SolrSecurity wiki page, but it deals mostly with Solr-level security.

Mauricio Scheffer  2010-02-02 12:31:04
Mauricio: Is it possible to allow only my PHP code to access Solr via IPTables? Do you know the rules for this in IPTables?
Camran  2010-05-30 09:26:36
Also, check this Q out: http://serverfault.com/questions/146568/solr-security-help The answer there applies to Resin, but I am using Jetty, will that matter? Thanks for all help
Camran  2010-05-30 09:32:35
+1  A: 

For Resin you can define security constraint by ip addresses. Below is sample from Resin 2.X I'm using it might be slightly different for Resin 3 or 4

<host id='solr.mydomain.com' app-dir='/dev/null'>
   <env-entry>
    <env-entry-name>solr/home</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>/usr/local/java/solr-home</env-entry-value>
  </env-entry>
   <security-constraint>
     <web-resource-collection>
       <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <ip-constraint>127.0.0.1</ip-constraint>
     <ip-constraint>192.168.1.0/24</ip-constraint>
   </security-constraint>
   <war-dir>webapps/solr</war-dir>
   <access-log id='log/solr-access.log'
     format='%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"'/>
   <error-log id='log/solr-error.log'/>
</host>
maximdim  2010-02-02 19:09:41
A: 

I found this link on the Solr wiki that details installation procedures and also ways of securing the application. http://wiki.apache.org/solr/SolrInstall

Ritesh M Nayak  2010-02-03 08:14:26

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security