Yes, that's the general model. Use a layer in between your clients and Solr to restrict access to what you wish to let people do.
Generally speaking, you should expose a SearchHandler that hardcodes the fl param to prevent retrieval of your full text field, and uses a filter query param to limit access to documents you don't want to allow access to. Then put a lightweight proxy in front of Solr that only accesses that handler, and stick Solr behind a firewall. That way, you're not providing access to the update or admin functions or some of the more compute intensive query functions.

Michael Della Bitta
Applications Developer
appinions inc.

On Mon, Jun 23, 2014 at 9:12 AM, Bjørn Axelsen <bjorn.axel...@fagkommunikation.dk> wrote:

> Thanks, Michael ... so if I plan to do client-side ajax, you would suggest
> to call back an ajax proxy rather than query the Solr instance directly?
>
> 2014-06-23 14:57 GMT+02:00 Michael Della Bitta <michael.della.bi...@appinions.com>:
>
> > Unfortunately, it's not really advisable to allow open access to Solr to
> > the open web.
> >
> > There are many avenues of DOSing a Solr install otherwise, and depending on
> > how it's configured, some more intrusive vulnerabilities.
> >
> > On Mon, Jun 23, 2014 at 8:52 AM, Bjørn Axelsen <bjorn.axel...@fagkommunikation.dk> wrote:
> >
> > > Dear Solr users,
> > >
> > > I am building a Solr 4.8 search engine that will hold documents containing
> > > subscription-only content. We want potential customers to be able to search
> > > the full content. And we also want to show them highlighted context
> > > snippets from the full contents.
> > >
> > > So, I have included the full text as a stored field in order to show the
> > > context snippets.
> > >
> > > For ease of implementation across multiple sites I prefer access to the
> > > Solr query URL to be open (no HTTP basic authentication etc.).
> > >
> > > However, we do not want to expose the full text to the public (paid
> > > content).
> > >
> > > What would be the most simple way to
> > >
> > > 1) provide highlighted context snippets from the full content field,
> > > 2) block access to read the full field contents?
> > >
> > > Regards,
> > >
> > > Bjørn Axelsen
> > > Web Consultant
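
The proxy layer recommended in this thread, sketched as an added example that is not code from any of the posters: it maps a browser's query string to the only request the proxy will send to Solr. The core name `articles`, the handler path `/public_search`, and the field names `id`, `title`, `fulltext` and `visibility` are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlencode

# Assumed deployment values (not from the thread).
SOLR_BASE = "http://127.0.0.1:8983/solr/articles"  # firewalled; only the proxy reaches it
HANDLER = "/public_search"                         # the single restricted SearchHandler
MAX_ROWS, MAX_START, MAX_Q_LEN = 20, 1000, 200     # bounds that cap query cost

# Values the client can never influence.
FORCED = {
    "fl": "id,title",           # stored full-text field is never returned
    "fq": "visibility:public",  # filter query hiding restricted documents
    "hl": "true",
    "hl.fl": "fulltext",        # snippets come from the full text...
    "hl.snippets": "2",
    "hl.fragsize": "150",       # ...but snippet size is pinned server-side
    "wt": "json",
}

def bounded_int(values, default, upper):
    """First value as an int clamped to [0, upper]; default if missing or malformed."""
    try:
        return max(0, min(int(values[0]), upper))
    except (IndexError, ValueError):
        return default

def upstream_params(client_query_string):
    """Return the exact parameters to send to Solr, or None to reject the request."""
    client = parse_qs(client_query_string, keep_blank_values=True)
    q = client.get("q", [""])[0].strip()
    # Reject empty or oversized queries, and a local-params prefix, which
    # would let the client choose a different query parser.
    if not q or len(q) > MAX_Q_LEN or q.startswith("{!"):
        return None
    params = {
        "q": q,
        "start": str(bounded_int(client.get("start", []), 0, MAX_START)),
        "rows": str(bounded_int(client.get("rows", []), 10, MAX_ROWS)),
    }
    # Every other client parameter (fl, hl.*, qt, facet.*, ...) is dropped;
    # forced values are applied last so nothing can override them.
    params.update(FORCED)
    return params

def build_upstream_url(client_query_string):
    """Full URL for the restricted handler, or None if the request is rejected."""
    params = upstream_params(client_query_string)
    return None if params is None else SOLR_BASE + HANDLER + "?" + urlencode(params)
```

Pinning the same values in the handler's `invariants` section of solrconfig.xml keeps them enforced even if a request reaches Solr without passing through the proxy.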