solr configuration security verification

By default, the Solr admin interface can be reached without logging in as soon as Solr starts. This exposes the Solr cores and makes it easy for anyone to delete index data. The admin interface should therefore be protected with login credentials. The steps are as follows.

Create new security.json (recommended)

Create the security.json file and place it in $SOLR_HOME, your installation directory (the same location as solr.xml, usually server/solr). In the configuration below the username and password are solr:SolrRocks.

{
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "solr": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="
    },
    "realm": "My Solr users",
    "forwardCredentials": false
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {
        "name": "security-edit",
        "role": "admin"
      }
    ],
    "user-role": {
      "solr": "admin"
    }
  }
}

Configuration file description

authentication: enables the Basic authentication plugin (the rule-based authorization plugin is enabled in the authorization section below).
blockUnknown: when true, requests that carry no credentials are rejected.
credentials: defines a user named solr with a password. The value is the password hash, a single space, and the salt (login fails if there is more than one space).
"realm":"My Solr users": overrides the realm text shown in the browser's login prompt.
forwardCredentials: when false, Solr's PKI authentication handles distributed (inter-node) requests instead of forwarding the Basic Auth header.
authorization: the rule-based authorization plugin.
permissions: "name":"security-edit", "role":"admin" defines the permission to edit security settings and grants it to the admin role.
user-role: "solr":"admin" assigns the admin role to the solr user.

Changing a user's password in the configuration file (generating the hash)

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

public class SolrDemo {
    public static void main(String[] args) {
        // Password to hash; the printed output replaces the "solr" value in the credentials map
        String password = "SolrRocks";

        try {
            MessageDigest digest = MessageDigest.getInstance("SHA-256");

            // 32 random salt bytes from a cryptographically secure generator
            byte[] salt = new byte[32];
            new SecureRandom().nextBytes(salt);

            // Solr's scheme: sha256(salt + password), then sha256 of that digest again
            digest.reset();
            digest.update(salt);
            byte[] btPass = digest.digest(password.getBytes(StandardCharsets.UTF_8));
            digest.reset();
            btPass = digest.digest(btPass);

            // Printed as "<hash> <salt>", separated by exactly one space (java.util.Base64, no extra dependency)
            Base64.Encoder b64 = Base64.getEncoder();
            System.out.println(b64.encodeToString(btPass) + " " + b64.encodeToString(salt));
        } catch (NoSuchAlgorithmException e) {
            System.err.println("Unknown algorithm: " + e.getMessage());
        }
    }
}
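As an added check that is not part of the original page, the following Python reproduces the same salted double-SHA-256 scheme so you can verify a credentials entry against a password before restarting Solr, generate a fresh entry, and audit a security.json for the settings this page relies on (blockUnknown true, BasicAuthPlugin, matching credentials). The embedded SAMPLE_SECURITY_JSON is the configuration shown above; the function names are this example's own.

```python
import base64
import hashlib
import json
import secrets

# security.json from the page above, embedded so the checks run offline
SAMPLE_SECURITY_JSON = """{
  "authentication": {"blockUnknown": true, "class": "solr.BasicAuthPlugin",
    "credentials": {"solr": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="},
    "realm": "My Solr users", "forwardCredentials": false},
  "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [{"name": "security-edit", "role": "admin"}], "user-role": {"solr": "admin"}}
}"""

def solr_hash(password: str, salt: bytes) -> str:
    # Same scheme as the Java generator above: sha256(sha256(salt + password)), base64-encoded
    first = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(hashlib.sha256(first).digest()).decode("ascii")

def make_credential(password: str) -> str:
    # New "<hash> <salt>" value for the credentials map, using a 32-byte random salt
    salt = secrets.token_bytes(32)
    return solr_hash(password, salt) + " " + base64.b64encode(salt).decode("ascii")

def verify_credential(credential: str, password: str) -> bool:
    # Exactly one space must separate hash and salt; anything else fails, as Solr's login does
    parts = credential.split(" ")
    if len(parts) != 2:
        return False
    expected, salt_b64 = parts
    try:
        salt = base64.b64decode(salt_b64, validate=True)
    except ValueError:
        return False
    return secrets.compare_digest(solr_hash(password, salt), expected)

def audit_security_json(text: str, expected_passwords: dict) -> list:
    # Returns a list of findings (empty list = passes) for the settings this page depends on
    auth = json.loads(text).get("authentication", {})
    findings = []
    if auth.get("class") != "solr.BasicAuthPlugin":
        findings.append("authentication class is not solr.BasicAuthPlugin")
    if auth.get("blockUnknown") is not True:
        findings.append("blockUnknown is not true, so unauthenticated requests are still accepted")
    for user, cred in auth.get("credentials", {}).items():
        if user in expected_passwords and not verify_credential(cred, expected_passwords[user]):
            findings.append(f"credential for user {user!r} does not match the expected password")
    return findings
```

Run audit_security_json on your own file with the passwords you intend to use; a non-empty result means the file will not protect the admin interface as described.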

Adding, deleting and modifying users (for reference)

# Add a user or change a password (if the username exists the password is changed, otherwise the user is created)
curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{"set-user": {"tom":"TomIsCool", "harry":"HarrysSecret"}}'

# Delete users
curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{"delete-user": ["tom", "harry"]}'

# Set a property (shown for the API syntax; blockUnknown false re-allows unauthenticated requests)
curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{"set-property": {"blockUnknown":false}}'

Note: Avoid special characters in the username and password; otherwise access fails when the username and password are passed in the address bar.

Jetty configuration verification

Add a user file in etc

In the unpacked installation directory solr-8.11.1\server\etc, create a new configuration file named verify.properties (the name is arbitrary), as shown in the figure.

Open the file for editing. The content is as follows (the format is username: password,role):

# username: password,role
user:pass,admin

# Multiple users can also be configured, as follows:
user: pass,admin
user1: pass,admin
user3: pass,admin

solr-jetty-context.xml

Then find the file solr-jetty-context.xml in the directory solr-8.11.1\server\contexts and add the login service shown below:

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Set name="contextPath"><Property name="hostContext" default="/solr"/></Set>
  <Set name="war"><Property name="jetty.base"/>/solr-webapp/webapp</Set>
  <Set name="defaultsDescriptor"><Property name="jetty.base"/>/etc/webdefault.xml</Set>
  <Set name="extractWAR">false</Set>
  <!-- Add the following code -->
  <Get name="securityHandler">
    <Set name="loginService">
      <New class="org.eclipse.jetty.security.HashLoginService">
        <Set name="name">verify-name</Set>
        <Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/verify.properties</Set>
      </New>
    </Set>
  </Get>
</Configure>
web.xml

The file is web.xml under solr-8.11.1\server\solr-webapp\webapp\WEB-INF.
Find the existing security-constraint configuration in the file; it looks like this:

  <!-- Get rid of error message -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Disable TRACE</web-resource-name>
      <url-pattern>/</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Enable everything but TRACE</web-resource-name>
      <url-pattern>/</url-pattern>
      <http-method-omission>TRACE</http-method-omission>
    </web-resource-collection>
  </security-constraint>

Append the following after it (do not delete the existing security-constraint blocks, or the login configuration will not work): a security-constraint whose auth-constraint requires the admin role, and a login-config that uses BASIC authentication with the realm name defined in solr-jetty-context.xml.

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Solr</web-resource-name>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>verify-name</realm-name>
  </login-config>