Locking down SOLR on ColdFusion 9

This might belong on serverfault, so please move if it does.

We just discovered that you can get to a list of SOLR indexes by going to: http://example.com:8983/solr/ and this then allows you access to the SOLR admin for each index. This strikes us as... a bad thing. Luckily though, this is locked down to only be accessible from a certain IP (our office IP via the firewall), but it still means the janitor can get access to our SOLR collections. Not ideal.

One way to circumvent it has been to remove the admin folder, however this still allows people access to http://example.com:8983/solr/ which isn't ideal.

I've read through the SOLR documentation on security, but can't seem to fully lock down access to /solr/*. It might very well be a case of looking at the wrong part of the documentation.

Using the code from the documentation:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Solr authenticated application</web-resource-name>
    <url-pattern>/core1/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>core1-role</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Test Realm</realm-name>
</login-config>

and replacing <url-pattern>/core1/*</url-pattern> with an actual Solr collection name does mean that when visiting http://example.com:8983/solr/collection_name/ it will ask me for a login and password; however, when just trying to lock down /solr/* or even *, I get no such luck.

I'm using the built-in Solr that came with CF9.

Jarede asked Nov 10 '22 11:11


1 Answer

Is this a remote Solr server, or is it on the same server as CF9? If it is on the same server as CF9, then you can just tell Solr to listen on 127.0.0.1. There was a patch for this for CF 9.0.0 back in 2010: http://www.adobe.com/support/security/bulletins/apsb10-04.html

If it is a remote Solr server, then you can use your network firewall, or a local firewall (Windows Firewall or iptables), to limit access to this port (and possibly this server) to only the CF server.

Pete Freitag answered Nov 15 '22 09:11
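Added example, not code from the original post, from the Solr documentation, or from Adobe's CF9 distribution: it shows the two settings that together address the question and the answer. A url-pattern in web.xml is relative to the webapp's context path (/solr here), so /* rather than /solr/* is the pattern that covers every request to the Solr webapp; the connector host setting is the loopback bind the answer recommends when Solr runs on the CF server. The file locations, the role name and the realm name are assumptions (the realm name must match a realm defined in jetty.xml, as it already must for the core1 constraint to prompt for a login).

```xml
<!-- solr/WEB-INF/web.xml (inside <web-app>; path assumed): require a login
     for every path under the Solr webapp. url-pattern is context-relative,
     so /* covers /solr/, /solr/admin/ and every core; /solr/* matches nothing. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Solr webapp</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>solr-role</role-name>          <!-- assumed role name -->
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Solr Realm</realm-name>         <!-- must match the realm in jetty.xml -->
</login-config>

<security-role>
  <role-name>solr-role</role-name>
</security-role>

<!-- solr/etc/jetty.xml (path assumed): bind the HTTP connector to loopback
     only, as the answer recommends for Solr on the same host as CF9. Remote
     hosts then get "connection refused" regardless of web.xml. Keep whichever
     connector class the existing file uses; "host" is supported by both the
     bio SocketConnector and the nio SelectChannelConnector. -->
<Call name="addConnector">
  <Arg>
    <New class="org.mortbay.jetty.bio.SocketConnector">
      <Set name="host">127.0.0.1</Set>
      <Set name="port"><SystemProperty name="jetty.port" default="8983"/></Set>
    </New>
  </Arg>
</Call>
```

A constraint on /* applies to every client, ColdFusion's own index and search requests included, so verify cfindex and cfsearch still work after the change; the loopback bind has no such side effect when CF and Solr share a host.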