Say you do filtering by user - how would you enforce that the client
(if it's a browser) only send in the proper filter?
Ryan already mentioned his technique... and here's how I'd do it
similarly...
Write a custom servlet Filter that grokked roles/authentication
(this piece you'd need in any Java application tier anyway) [or
plugin in an existing implementation through Spring or something
like that] And then massaging of the request to Solr could happen
in that pipeline, or adding a query parameter to the Solr request
(ignoring anything sent by the client request for say, &user=...).
Perhaps plug in a custom SearchComponent that massaged a request
parameter into a Solr filter query or whatever.
right, but the question is still: is there anything general enough to
be in solr core?
Everything I can think of requires a good sense of how the auth model
is encoded in your data and how you want to expose it. Nothing I have
done is general enough to share with even my next project.
The only think I could imagine is perhaps adding "getUserPrincipal()"
to the SolrRequest interface -- but this quickly explodes into also
wanting the request method (POST vs GET) or the user-agent... in the
end I just add the HttpServletRequest to the context and grab stuff
from there. Perhaps the default RequestDispatcher could add the
HttpServletRequest to the context...
Doesn't seem like
you can unless you put all the user authentication stuff and
application logic right in Solr.
;)
Exactly. Sort of.
Now I guess you *could* stick everything in Solr that you would
normally stick in the middle tier, but it doesn't seem like a great
idea to me.
Let's be clear about where we are drawing the boundaries of the
definition of "Solr".
One could say that Solr is solr.war and the HTTP conventions. Or is
it solr.jar? Or is it the SolrJ API?
all of the above :)
In my view we need to be clear about who solr.war is packaged for. I
think we are pretty clear that solr.war should be thought of similar
to a MySQL install -- that is a database server that unless you
*really* know what you are doing should most likely be behind a
firewall.
solr.jar on the other hand lets you package what you want around
search features to build a setup for your needs. Java already has so
many options for how to secure / authenticate that you can just plug
them into your own app. (if that is appropriate). In the past I have
used a filter based on:
http://www.onjava.com/pub/a/onjava/2004/03/24/loadcontrol.html
to limit load -- however I have found that in any site where stability/
load and uptime are a serious concern, this is better handled in a
tier in front of java -- typically the loadbalancer / haproxy /
whatever -- and managed by people more cautious then me.
ryan
