Apache Solr | Securing Solr: Basic Authentication
  1. Enable Basic Authentication
  1. Enable Basic Authentication
    See this page for more details about securing Solr: https://lucene.apache.org/solr/guide/8_5/securing-solr.html

    Apache Solr/Basic Authentication - Login

    First, create a security.json file:
    {
  "authentication":{
    "blockUnknown": true,
    "class":"solr.BasicAuthPlugin",
    "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="},
    "realm":"My Solr users",
    "forwardCredentials": false
  },
  "authorization":{
    "class":"solr.RuleBasedAuthorizationPlugin",
    "permissions":[{"name":"all", "role":"admin"}],
    "user-role":{"solr":"admin"}
  }
}

    In the "security.json" file (above) a user called "solr", with a password "SolrRocks" has been defined.
    It's assigned to "admin" role and has permissions set to "all".

    Usernames and passwords (as a "sha256(password+salt)" hash) could be added when the file is created, or can be added later with the Basic authentication API. To create you own password you can use the following java code (make sure you have "solr-core" in your classpath):

    byte[] salt = new byte[32];
new java.security.SecureRandom().nextBytes(salt);
String saltBase64 = org.apache.commons.codec.binary.Base64.encodeBase64String(salt);
System.out.println(org.apache.solr.security.Sha256AuthenticationProvider.sha256("mynewpassword", saltBase64) + " " + saltBase64);

    If you are using Solr in Standalone mode, you should put "security.json" file in "$SOLR_HOME" directory.

    If you are using SolrCloud, you must upload "security.json" file to ZooKeeper:

    $ /opt/solr/bin/solr zk cp file:/opt/security.json zk:/solr/security.json -z localhost:2181

    Notes about "security.json" file:

    • The parameter "blockUnknown" is set to "true", which means that unauthenticated requests will be rejected.
      If parameter "blockUnknown" is not set in the "security.json" file, it will default to "false", which means that authentication is not enabled.

    • The parameter "forwardCredentials" is set to "false" which means that Solr’s PKI authentication will handle distributed requests instead of forwarding the Basic Auth header.

    • The parameter "realm" is set to "My Solr users".
      If the parameter "realm" is not set, it will default to "solr".
      This will be shown on the login prompt: "Please log in with your username and password for realm My Solr users.".
© 2025  mtitek