Following up from a tweet kimchy did about the jQuery autocomplete
integration with ElasticSearch, I wondered how I would do the same thing,
but automatically inject on an application layer a 'security' filter.
In our multi-tenanted case we could never expose our ES instance out to the
wild because it combines data between parties and certain people could only
see certain slices of that data (done via a 'security' filter).
One could embed the security filter into the jQuery autocomplete snippet
but obviously anyone with half a brain could easily just strip that out...
So for performance reasons I would like the UI to do the jQuery autocomplete
and send that ajax call to our application tier, which takes that, converts
it back to a Java object version of the query object, injects the
appropriate security filter for this user and submits it to the internal ES
instance. The result stream could just be streamed back direct to the
Can someone point out where in the source code is the JSon structure of a
request to ES converted back to object form.. I'm going blind, again. Is it
the XContentIndexQueryParser ? I'd only want the object that can convert it
back to Java object form without needing all the other ES internals that
But other than that, is there a different pattern someone else has tried for
this sort of thing? Most autocomplete stuff I've seen with ES implies a
direct connect to the ES instance, which in this case isn't a good idea.