http://community.zimbra.com/documentation/w/documentation/securing-solr-on-tomcat
Securing Solr on Tomcat
Note: Throughout this document the reference [Tomcat install dir] is the directory where Tomcat is installed. Typically, this is C:\Program Files\Apache Software Foundation\Tomcat 6.0 or C:\Program Files (x86)\Apache Software Foundation\Tomcat 6.0.
Restricting access using a user account
-
Open [Tomcat install dir]\tomcat-users.xml for editing.
-
Add the following lines within the <tomcat-user> element and save the changes (using your own username and password):
<role rolename="solr_admin"/>
<user username="your_username"
password="your_password"
roles="solr_admin"
/>Open [Tomcat install dir]\webapps\solr\WEB-INF\web.xml for editing.
"solr" in the path is the name of the instance you want to secure. Typically this is "solr," but may be different if you are running an advanced setup.
-
Add the following lines within the <web-app> element:
<security-constraint> <web-resource-collection> <web-resource-name>Solr Lockdown</web-resource-name> <url-pattern>/</url-pattern> </web-resource-collection> <auth-constraint> <role-name>solr_admin</role-name> <role-name>admin</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>Solr</realm-name> </login-config>
-
Save the changes and restart Tomcat. Test your changes by starting a new browser session and navigating to your site, for ex. http://localhost:8080/solr/. You should be prompted for credentials.
-
Download the following communityserver_override.config file.
-
Place this file in the root of your Web site directory.
-
Find the section in this file which is highlighted below and change it to read
http://your_username:your_password@localhost:8080/solr
replacing "your_username" and "your_password" and the host URI with the configured values12345<
Override
xpath
=
"/CommunityServer/Search/Solr"
mode
=
"change"
name
=
"host"
/>
-
Save changes.