Posted to solr-user@lucene.apache.org by "Sharp, Jonathan" <JS...@coh.org> on 2010/07/16 03:35:25 UTC

Securing Solr 1.4 in a glassfish container AS NEW THREAD

Hi All,

I am considering securing Solr with basic auth in glassfish using the  
container, by adding to web.xml and adding sun-web.xml file to the  
distributed WAR as below.

If using SolrJ to index files, how can I provide the credentials for  
authentication to the http-client (or can someone point me in the  
direction of the right documentation to do that or that will help me  
make the appropriate modifications) ?

Also any comment on the below is appreciated.

Add this to web.xml
-----------------------------------------------
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>SomeRealm</realm-name>
    </login-config>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin Pages</web-resource-name>
            <url-pattern>/admin</url-pattern>
            <url-pattern>/admin/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>TRACE</http-method>
            <http-method>HEAD</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>SomeAdminRole</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Update Servlet</web-resource-name>
            <url-pattern>/update/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>TRACE</http-method>
            <http-method>HEAD</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>SomeUpdateRole</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Select Servlet</web-resource-name>
            <url-pattern>/select/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>TRACE</http-method>
            <http-method>HEAD</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>SomeSearchRole</role-name>
        </auth-constraint>
    </security-constraint>
-----------------------------------------------

Also add this as sun-web.xml

------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 Servlet 2.5//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd">
<sun-web-app error-url="">
  <context-root>/Solr</context-root>
  <jsp-config>
    <property name="keepgenerated" value="true">
      <description>Keep a copy of the generated servlet class' java code.</description>
    </property>
  </jsp-config>
  <security-role-mapping>
      <role-name>SomeAdminRole</role-name>
      <group-name>SomeAdminGroup</group-name>
  </security-role-mapping>
  <security-role-mapping>
      <role-name>SomeUpdateRole</role-name>
      <group-name>SomeUpdateGroup</group-name>
  </security-role-mapping>
  <security-role-mapping>
      <role-name>SomeSearchRole</role-name>
      <group-name>SomeSearchGroup</group-name>
  </security-role-mapping>
</sun-web-app>
--------------------------------------------------

-Jon


---------------------------------------------------------------------
SECURITY/CONFIDENTIALITY WARNING:  
This message and any attachments are intended solely for the individual or entity to which they are addressed. This communication may contain information that is privileged, confidential, or exempt from disclosure under applicable law (e.g., personal health information, research data, financial information). Because this e-mail has been sent without encryption, individuals other than the intended recipient may be able to view the information, forward it to others or tamper with the information without the knowledge or consent of the sender. If you are not the intended recipient, or the employee or person responsible for delivering the message to the intended recipient, any dissemination, distribution or copying of the communication is strictly prohibited. If you received the communication in error, please notify the sender immediately by replying to this message and deleting the message and any accompanying files from your system. If, due to the security risks, you do not wish to receive further communications via e-mail, please reply to this message and inform the sender that you do not wish to receive further e-mail from the sender.

---------------------------------------------------------------------
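
Added example (not part of the thread, and not code from Solr or GlassFish): a Python check run over descriptors modelled on the web.xml and sun-web.xml posted above. It flags constraints that list <http-method> elements (only the listed methods are covered), BASIC auth without a CONFIDENTIAL transport guarantee, and roles with no mapping in sun-web.xml; the builder functions and finding labels are made up for this example and the XML is a constructed sample.

```python
"""Audit a web.xml / sun-web.xml pair for three BASIC-auth pitfalls."""
import xml.etree.ElementTree as ET

# Constructed sample data taken from the names used in the thread.
POSTED_METHODS = ["GET", "POST", "PUT", "TRACE", "HEAD", "OPTIONS", "DELETE"]
AREAS = [("Admin Pages", ["/admin", "/admin/*"], "SomeAdminRole"),
         ("Update Servlet", ["/update/*"], "SomeUpdateRole"),
         ("Select Servlet", ["/select/*"], "SomeSearchRole")]
ROLES = [role for _, _, role in AREAS]


def build_web_xml(methods, confidential):
    """Constructed web.xml: the thread's three constraints, optionally hardened."""
    parts = ["<web-app><login-config><auth-method>BASIC</auth-method>"
             "<realm-name>SomeRealm</realm-name></login-config>"]
    tls = ("<user-data-constraint><transport-guarantee>CONFIDENTIAL"
           "</transport-guarantee></user-data-constraint>") if confidential else ""
    verbs = "".join("<http-method>%s</http-method>" % m for m in methods)
    for name, patterns, role in AREAS:
        urls = "".join("<url-pattern>%s</url-pattern>" % p for p in patterns)
        parts.append(
            "<security-constraint><web-resource-collection>"
            "<web-resource-name>%s</web-resource-name>%s%s"
            "</web-resource-collection>"
            "<auth-constraint><role-name>%s</role-name></auth-constraint>%s"
            "</security-constraint>" % (name, urls, verbs, role, tls))
    return "".join(parts) + "</web-app>"


def build_sun_web_xml(roles):
    """Constructed sun-web.xml: one security-role-mapping per role given."""
    maps = "".join(
        "<security-role-mapping><role-name>%s</role-name>"
        "<group-name>%s</group-name></security-role-mapping>"
        % (r, r.replace("Role", "Group")) for r in roles)
    return ('<sun-web-app error-url=""><context-root>/Solr</context-root>'
            + maps + "</sun-web-app>")


def _local(el):
    """Tag name without any XML namespace prefix."""
    return el.tag.rsplit("}", 1)[-1]


def _texts(root, name):
    """Stripped text of every element called `name` at or below `root`."""
    return [(e.text or "").strip() for e in root.iter() if _local(e) == name]


def audit(web_xml, sun_web_xml):
    """Return sorted (web-resource-name, finding) pairs for the descriptors."""
    web, sun = ET.fromstring(web_xml), ET.fromstring(sun_web_xml)
    basic = "BASIC" in _texts(web, "auth-method")
    mapped = set()
    for el in sun.iter():
        if _local(el) == "security-role-mapping":
            mapped.update(_texts(el, "role-name"))
    findings = []
    for sc in web.iter():
        if _local(sc) != "security-constraint":
            continue
        name = (_texts(sc, "web-resource-name") or ["?"])[0]
        # A collection that lists <http-method> covers only those methods;
        # leaving the elements out makes the constraint apply to every method.
        if _texts(sc, "http-method"):
            findings.append((name, "only-listed-methods-protected"))
        # BASIC sends the password base64-encoded with each request, so the
        # constraint should also demand an encrypted transport.
        if basic and "CONFIDENTIAL" not in _texts(sc, "transport-guarantee"):
            findings.append((name, "basic-auth-without-confidential-transport"))
        # A role used here but absent from sun-web.xml has no group mapped to it there.
        for role in _texts(sc, "role-name"):
            if role not in mapped:
                findings.append((name, "role-not-mapped:" + role))
    return sorted(findings)


if __name__ == "__main__":
    print("as posted:")
    for finding in audit(build_web_xml(POSTED_METHODS, False), build_sun_web_xml(ROLES)):
        print("  %s: %s" % finding)
    print("hardened:", audit(build_web_xml([], True), build_sun_web_xml(ROLES)))
```
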


RE: Securing Solr 1.4 in a glassfish container AS NEW THREAD

Posted by "Sharp, Jonathan" <JS...@coh.org>.
Hi Bilgin,

Thanks for the snippet -- that helps a lot.

-Jon

-----Original Message-----
From: Bilgin Ibryam [mailto:bibryam@gmail.com] 
Sent: Friday, July 16, 2010 1:31 AM
To: solr-user@lucene.apache.org
Subject: Re: Securing Solr 1.4 in a glassfish container AS NEW THREAD

Hi Jon,

SolrJ (CommonsHttpSolrServer) internally uses apache http client to connect
to solr. You can check there for some documentation.
I secured solr also with BASIC auth-method and use the following snippet to
access it from solrJ:

      //set username and password
      ((CommonsHttpSolrServer) server).getHttpClient().getParams().setAuthenticationPreemptive(true);
      Credentials defaultcreds = new UsernamePasswordCredentials("username", "secret");
      ((CommonsHttpSolrServer) server).getHttpClient().getState().setCredentials(
          new AuthScope("localhost", 80, AuthScope.ANY_REALM), defaultcreds);

HTH
Bilgin Ibryam




Re: Securing Solr 1.4 in a glassfish container AS NEW THREAD

Posted by "Sharp, Jonathan" <JS...@coh.org>.
> Are you using the same instance of CommonsHttpSolrServer for all the
> requests?

I was.

I also tried creating a new instance every x requests, also resetting  
the credentials on the new instances, to see if it would make a  
difference.

Doing that, I get an exception after several instances of the  
httpserver (again several hundred PDFs) to the effect that the socket  
is still in use... Perhaps I am not releasing the resources properly...?

-Jon

On Jul 22, 2010, at 3:02 AM, "Bilgin Ibryam" <bi...@gmail.com> wrote:

> Are you using the same instance of CommonsHttpSolrServer for all the
> requests?
>
> On Wed, Jul 21, 2010 at 4:50 PM, Sharp, Jonathan <JS...@coh.org>  
> wrote:
>
>>
>> Some further information --
>>
>> I tried indexing a batch of PDFs with the client and Solr CELL,  
>> setting
>> the credentials in the httpclient. For some reason after successfully
>> indexing several hundred files I start getting a "SolrException:
>> Unauthorized" and an info message (for every subsequent file):
>>
>> INFO basic authentication scheme selected
>> Org.apache.commons.httpclient.HttpMethodDirector process
>> WWWAuthChallenge
>> INFO Failure authenticating with BASIC '<realm>'@host:port
>>
>> I increased session timeout in web.xml with no change. I'm looking
>> through the httpclient authentication now.
>>
>> -Jon

Re: Securing Solr 1.4 in a glassfish container AS NEW THREAD

Posted by Bilgin Ibryam <bi...@gmail.com>.
Are you using the same instance of CommonsHttpSolrServer for all the
requests?

On Wed, Jul 21, 2010 at 4:50 PM, Sharp, Jonathan <JS...@coh.org> wrote:

>
> Some further information --
>
> I tried indexing a batch of PDFs with the client and Solr CELL, setting
> the credentials in the httpclient. For some reason after successfully
> indexing several hundred files I start getting a "SolrException:
> Unauthorized" and an info message (for every subsequent file):
>
> INFO basic authentication scheme selected
> Org.apache.commons.httpclient.HttpMethodDirector process
> WWWAuthChallenge
> INFO Failure authenticating with BASIC '<realm>'@host:port
>
> I increased session timeout in web.xml with no change. I'm looking
> through the httpclient authentication now.
>
> -Jon

RE: Securing Solr 1.4 in a glassfish container AS NEW THREAD

Posted by "Sharp, Jonathan" <JS...@coh.org>.
Some further information --

I tried indexing a batch of PDFs with the client and Solr CELL, setting
the credentials in the httpclient. For some reason after successfully
indexing several hundred files I start getting a "SolrException:
Unauthorized" and an info message (for every subsequent file):

INFO basic authentication scheme selected
Org.apache.commons.httpclient.HttpMethodDirector process
WWWAuthChallenge
INFO Failure authenticating with BASIC '<realm>'@host:port

I increased session timeout in web.xml with no change. I'm looking
through the httpclient authentication now.

-Jon

-----Original Message-----
From: Sharp, Jonathan 
Sent: Friday, July 16, 2010 8:59 AM
To: 'solr-user@lucene.apache.org'
Subject: RE: Securing Solr 1.4 in a glassfish container AS NEW THREAD

Hi Bilgin,

Thanks for the snippet -- that helps a lot.

-Jon


Re: Securing Solr 1.4 in a glassfish container AS NEW THREAD

Posted by Bilgin Ibryam <bi...@gmail.com>.
Hi Jon,

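SolrJ (CommonsHttpSolrServer) internally uses Apache HttpClient to connect
to Solr. You can check there for some documentation.
I also secured Solr with the BASIC auth-method and use the following snippet to
access it from SolrJ:

      // imports used by the snippet (commons-httpclient 3.x and SolrJ)
      import org.apache.commons.httpclient.Credentials;
      import org.apache.commons.httpclient.UsernamePasswordCredentials;
      import org.apache.commons.httpclient.auth.AuthScope;
      import org.apache.solr.client.solrj.impl.CommonsHttpSolrServer;

      // set username and password; "server" is the existing SolrServer instance
      ((CommonsHttpSolrServer) server).getHttpClient().getParams().setAuthenticationPreemptive(true);
      Credentials defaultcreds = new UsernamePasswordCredentials("username", "secret");
      // credentials are only offered to this host and port
      ((CommonsHttpSolrServer) server).getHttpClient().getState().setCredentials(
          new AuthScope("localhost", 80, AuthScope.ANY_REALM), defaultcreds);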

HTH
Bilgin Ibryam



On Fri, Jul 16, 2010 at 2:35 AM, Sharp, Jonathan <JS...@coh.org> wrote:

> Hi All,
>
> I am considering securing Solr with basic auth in glassfish using the
> container, by adding to web.xml and adding sun-web.xml file to the
> distributed WAR as below.
>
> If using SolrJ to index files, how can I provide the credentials for
> authentication to the http-client (or can someone point me in the direction
> of the right documentation to do that or that will help me make the
> appropriate modifications) ?
>
> Also any comment on the below is appreciated.
>
> Add this to web.xml
> -----------------------------------------------
>   <login-config>
>       <auth-method>BASIC</auth-method>
>       <realm-name>SomeRealm</realm-name>
>   </login-config>
>   <security-constraint>
>       <web-resource-collection>
>           <web-resource-name>Admin Pages</web-resource-name>
>           <url-pattern>/admin</url-pattern>
>           <url-pattern>/admin/*</url-pattern>
>
> <http-method>GET</http-method><http-method>POST</http-method><http-method>PUT</http-method><http-method>TRACE</http-method><http-method>HEAD</http-method><http-method>OPTIONS</http-method><http-method>DELETE</http-method>
>       </web-resource-collection>
>       <auth-constraint>
>           <role-name>SomeAdminRole</role-name>
>       </auth-constraint>
>   </security-constraint>
>   <security-constraint>
>       <web-resource-collection>
>           <web-resource-name>Update Servlet</web-resource-name>
>           <url-pattern>/update/*</url-pattern>
>
> <http-method>GET</http-method><http-method>POST</http-method><http-method>PUT</http-method><http-method>TRACE</http-method><http-method>HEAD</http-method><http-method>OPTIONS</http-method><http-method>DELETE</http-method>
>       </web-resource-collection>
>       <auth-constraint>
>           <role-name>SomeUpdateRole</role-name>
>       </auth-constraint>
>   </security-constraint>
>   <security-constraint>
>       <web-resource-collection>
>           <web-resource-name>Select Servlet</web-resource-name>
>           <url-pattern>/select/*</url-pattern>
>
> <http-method>GET</http-method><http-method>POST</http-method><http-method>PUT</http-method><http-method>TRACE</http-method><http-method>HEAD</http-method><http-method>OPTIONS</http-method><http-method>DELETE</http-method>
>       </web-resource-collection>
>       <auth-constraint>
>           <role-name>SomeSearchRole</role-name>
>       </auth-constraint>
>   </security-constraint>
> -----------------------------------------------
>
> Also add this as sun-web.xml
>
> ------------------------------------------------
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 Servlet 2.5//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd">
> <sun-web-app error-url="">
>  <context-root>/Solr</context-root>
>  <jsp-config>
>   <property name="keepgenerated" value="true">
>     <description>Keep a copy of the generated servlet class' java
> code.</description>
>   </property>
>  </jsp-config>
>  <security-role-mapping>
>     <role-name>SomeAdminRole</role-name>
>     <group-name>SomeAdminGroup</group-name>
>  </security-role-mapping>
>  <security-role-mapping>
>     <role-name>SomeUpdateRole</role-name>
>     <group-name>SomeUpdateGroup</group-name>
>  </security-role-mapping>
>  <security-role-mapping>
>     <role-name>SomeSearchRole</role-name>
>     <group-name>SomeSearchGroup</group-name>
>  </security-role-mapping>
> </sun-web-app>
> --------------------------------------------------
>
> -Jon
>
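
Added example, not part of the original posts: the Update constraint from the quoted web.xml, rewritten so that it applies to every HTTP method and so that the BASIC credentials only travel over TLS. The user-data-constraint and the security-role declarations are additions made here; the role and realm names are the ones used in the post, and the Admin and Select constraints would follow the same pattern.

```xml
<!-- Added example: web.xml fragment, element order is
     security-constraint, then login-config, then security-role. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Update Servlet</web-resource-name>
        <url-pattern>/update/*</url-pattern>
        <!-- No http-method elements on purpose: a constraint without them
             applies to all HTTP methods. With an explicit list, any method
             that is not listed is left outside this constraint. -->
    </web-resource-collection>
    <auth-constraint>
        <role-name>SomeUpdateRole</role-name>
    </auth-constraint>
    <user-data-constraint>
        <!-- BASIC sends the password base64-encoded, not encrypted, so the
             container is told to accept these URLs over TLS only. -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>SomeRealm</realm-name>
</login-config>

<!-- Every role named in an auth-constraint is declared here; sun-web.xml
     then maps each role to a GlassFish group, as in the post. -->
<security-role>
    <role-name>SomeAdminRole</role-name>
</security-role>
<security-role>
    <role-name>SomeUpdateRole</role-name>
</security-role>
<security-role>
    <role-name>SomeSearchRole</role-name>
</security-role>
```

With the transport guarantee in place, the SolrJ client has to be pointed at the https URL, and the AuthScope port has to match the TLS listener rather than port 80.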