Securing Update and Delete queries in Solr


Problem description

I have a website that displays product information using Solr, and it is managed via the URL. I am curious as to how I would go about preventing regular users from updating or deleting my Apache Solr documents via the URL. I want to get it so only admins can submit these queries.

I would assume that there is a way to have a username and password verify that an arbitrary user is an admin, thus allowing for the URL request to modify data. This is useful, but the problem is that I don't want users from the website UI to even have the opportunity to see the log-in message in the event that someone enters a query into the URL.

Does anyone know of a solution for this / done something similar?

Recommended answer

1) One solution would be to run SOLR on a different port (say 8081) and have your OS firewall block requests to port 8081, excluding the public IP of the machine that you will be using to manage the admin, allowing just your local machine to access 8081.

This is the firewall configuration I'm using in IPTABLES on my CentOS machine

-A INPUT -p tcp --dport 8081 -s 111.222.333.444 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 8081 -j DROP

And to secure the admin further I added the following security-constraint to web.xml with DIGEST auth-method

<!-- Only users holding the "admin" role may reach the Solr admin pages -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Admin</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
        <url-pattern>/admin.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

<!-- Static images used by the admin pages get the same role requirement -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Admin images</web-resource-name>
        <url-pattern>*.png</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

<!-- Challenge with HTTP Digest authentication against the "secure" realm -->
<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>secure</realm-name>
</login-config>

2) Another option would be to just add the above security-constraint for two different roles, i.e. user and admin. Users with the user role will be able to access just the select url-pattern, and users with the admin role will be able to access the admin url-pattern.

I would recommend using DIGEST authentication because BASIC authentication can easily be spoofed by attackers.
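The following is an added example, not code from the answer above or from the Solr project. It models the two layers the answer combines: the iptables INPUT chain, where the first matching rule decides, and a simplified servlet security-constraint check in the style of option 2, with a "user" role for /select and an "admin" role for /update. The web.xml fragment, the placeholder IP and port, and the /select and /update patterns are constructed for illustration; the matcher handles only the common url-pattern forms (exact, /prefix/*, *.ext) and is not a full implementation of the servlet specification.

```python
"""Model of the answer's two layers: a host firewall that admits only the
admin's IP to Solr's port, and web.xml security-constraints that require a
role for the handlers behind it (added example, simplified)."""
import xml.etree.ElementTree as ET

ADMIN_IP = "111.222.333.444"  # placeholder IP copied from the answer
SOLR_PORT = 8081

# The answer's two iptables rules as (source_ip_or_None, dport, target).
# iptables walks the chain top-down; the first matching rule wins.
FIREWALL_RULES = [
    (ADMIN_IP, SOLR_PORT, "ACCEPT"),
    (None, SOLR_PORT, "DROP"),
]


def firewall_verdict(src_ip, dst_port, rules=FIREWALL_RULES, policy="ACCEPT"):
    """Return the target of the first rule matching the packet, else the chain policy."""
    for src, port, target in rules:
        if port == dst_port and (src is None or src == src_ip):
            return target
    return policy


# Constructed web.xml fragment (assumption): option 2's split into a "user"
# role for /select and an "admin" role for /update and the admin pages.
WEB_XML = """<web-app>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Search</web-resource-name>
    <url-pattern>/select</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/admin.html</url-pattern>
    <url-pattern>/update</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
</web-app>"""


def pattern_matches(pattern, path):
    """Exact, path-prefix (/x/*), extension (*.ext) and default (/) matching."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"


def load_constraints(xml_text):
    """Parse security-constraints into (url_patterns, roles_or_None) pairs."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text for p in sc.iter("url-pattern")]
        ac = sc.find("auth-constraint")
        roles = None if ac is None else [r.text for r in ac.findall("role-name")]
        constraints.append((patterns, roles))
    return constraints


def webxml_allows(path, user_roles, constraints):
    """Simplified container decision for one request path and the caller's roles."""
    matched = [roles for patterns, roles in constraints
               if any(pattern_matches(p, path) for p in patterns)]
    if not matched:
        return True   # no constraint covers the path: open to anyone
    if any(roles is None for roles in matched):
        return True   # a matching constraint without auth-constraint lifts the requirement
    allowed = set().union(*matched)  # roles of all matching constraints are unioned
    if not allowed:
        return False  # an empty auth-constraint denies everyone
    return bool(allowed & set(user_roles))


def request_allowed(src_ip, path, user_roles, constraints):
    """Firewall first, then web.xml: both layers must admit the request."""
    if firewall_verdict(src_ip, SOLR_PORT) != "ACCEPT":
        return False
    return webxml_allows(path, user_roles, constraints)
```

Two things the model makes visible: swapping the order of the two iptables rules makes the DROP match first and locks the admin's IP out as well, and a path that no security-constraint covers is served without authentication, which is why the firewall, not web.xml, is what keeps anonymous callers away from /update in the answer's original configuration.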
