I have an Apache Solr instance deployed in Glassfish and I am using this Solr instance from Java code via Solrj. The thing is, that I want to restrict access to Solr so that just this Java code can access it (the code can run from different IP addresses).

My first thought was to change the web.xml of my deployed Solr instance to add Basic Authentication using a Glassfish’s file-based Realms, because I used this to restrict access to a REST interface in another project. So I’ve added the following lines into the Solr web.xml:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
      <http-method>PUT</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description>has to be a USER</description>
      <role-name>USERS</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>userauth</realm-name>
  </login-config>

  <security-role>
    <role-name>USERS</role-name>
  </security-role>

But somehow this thing doesn’t work for Solr access. I don’t get the authentication dialog, which is pretty weird, because it worked in another setup.

In general, is this way of protecting a Solr instance a good approach or should I try another one? In the Solr Security page, they talking about firewalling the Solr instance. I am not a Linux admin, but I think iptables would be a possible solution and there are some nice answers on serverfault (e.g. this one).

What do you think?