yacy_search_server/source/net/yacy/http/Jetty9YaCySecurityHandler.java

//
//  YaCySecurityHandler
//  Copyright 2011 by Florian Richter
//  First released 16.04.2011 at http://yacy.net
//  
//  $LastChangedDate$
//  $LastChangedRevision$
//  $LastChangedBy$
//
//  This library is free software; you can redistribute it and/or
//  modify it under the terms of the GNU Lesser General Public
//  License as published by the Free Software Foundation; either
//  version 2.1 of the License, or (at your option) any later version.
//  
//  This library is distributed in the hope that it will be useful,
//  but WITHOUT ANY WARRANTY; without even the implied warranty of
//  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
//  Lesser General Public License for more details.
//  
//  You should have received a copy of the GNU Lesser General Public License
//  along with this program in the file lgpl21.txt
//  If not, see <http://www.gnu.org/licenses/>.
//

package net.yacy.http;

import java.net.MalformedURLException;

import net.yacy.cora.document.id.MultiProtocolURL;
import net.yacy.cora.order.Base64Order;
import net.yacy.cora.protocol.Domains;
import net.yacy.data.UserDB.AccessRight;
import net.yacy.search.Switchboard;
import net.yacy.search.SwitchboardConstants;
import net.yacy.server.serverAccessTracker;

import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.RoleInfo;
import org.eclipse.jetty.server.Request;

/**
 * jetty security handler
 * demands authentication for pages with _p. inside
 * and updates AccessTracker
 */
public class Jetty9YaCySecurityHandler extends ConstraintSecurityHandler {
   
     /**
     * create the constraint for the given path
     * for urls containing *_p. (like info_p.html) admin access is required,
     * on localhost = admin setting no constraint is set 
     * @param pathInContext
     * @param request
     * @return RoleInfo with 
     *     isChecked=true if any security contraint applies (compare reference implementation org.eclipse.jetty.security.ConstraintSecurityHandler)
     *     role = "admin" for resource name containint _p.
     */
    @Override
    protected RoleInfo prepareConstraintInfo(String pathInContext, Request request) {
        final Switchboard sb = Switchboard.getSwitchboard();
        final boolean adminAccountGrantedForLocalhost = sb.getConfigBool(SwitchboardConstants.ADMIN_ACCOUNT_FOR_LOCALHOST, false);
        final boolean adminAccountNeededForAllPages = sb.getConfigBool(SwitchboardConstants.ADMIN_ACCOUNT_All_PAGES, false);

        String refererHost;
        // update AccessTracker
        refererHost = request.getRemoteAddr();
        serverAccessTracker.track(refererHost, pathInContext);
        
        try {
            refererHost = new MultiProtocolURL(request.getHeader("Referer")).getHost();
        } catch (MalformedURLException e) {
            refererHost = null;
        }                          
        final boolean accessFromLocalhost = Domains.isLocalhost(request.getRemoteHost()) && (refererHost == null || refererHost.length() == 0 || Domains.isLocalhost(refererHost));
        // ! note : accessFromLocalhost compares localhost ip pattern
        final boolean grantedForLocalhost = adminAccountGrantedForLocalhost && accessFromLocalhost;
        boolean protectedPage = adminAccountNeededForAllPages || (pathInContext.indexOf("_p.") > 0);
        // check "/gsa" and "/solr" if not publicSearchpage
        if (!protectedPage && !sb.getConfigBool(SwitchboardConstants.PUBLIC_SEARCHPAGE, true)) { 
            protectedPage = pathInContext.startsWith("/solr/") || pathInContext.startsWith("/gsa/");                        
        }

        if (protectedPage) {
            if (grantedForLocalhost) {
                return null; // quick return for local admin
            } else if (accessFromLocalhost) {
                // last chance to authentify using the admin from localhost
                final String credentials = request.getHeader("Authorization");
                if (credentials != null && credentials.length() > 60 && credentials.startsWith("Basic ")) {
                    final String foruser = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME, "admin");
                    final String adminAccountBase64MD5 = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "");
                    final String b64 = Base64Order.standardCoder.encodeString(foruser + ":" + adminAccountBase64MD5);
                    if ((credentials.substring(6)).equals(b64)) return null; // lazy authentification for local access with credential from config (only a user with read access to DATA can do that)
                }
            }
            RoleInfo roleinfo = new RoleInfo();
            roleinfo.setChecked(true); // RoleInfo.setChecked() : in Jetty this means - marked to have any security constraint
            roleinfo.addRole(AccessRight.ADMIN_RIGHT.toString()); // use AccessRights as role
            return roleinfo; 
        }
        return super.prepareConstraintInfo(pathInContext, request);
    }
}
* authentication implemented with own securityhandler 14 years ago			`//`
			`// YaCySecurityHandler`
			`// Copyright 2011 by Florian Richter`
			`// First released 16.04.2011 at http://yacy.net`
			`//`
			`// $LastChangedDate$`
			`// $LastChangedRevision$`
			`// $LastChangedBy$`
			`//`
			`// This library is free software; you can redistribute it and/or`
			`// modify it under the terms of the GNU Lesser General Public`
			`// License as published by the Free Software Foundation; either`
			`// version 2.1 of the License, or (at your option) any later version.`
			`//`
			`// This library is distributed in the hope that it will be useful,`
			`// but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU`
			`// Lesser General Public License for more details.`
			`//`
			`// You should have received a copy of the GNU Lesser General Public License`
			`// along with this program in the file lgpl21.txt`
			`// If not, see <http://www.gnu.org/licenses/>.`
			`//`

			`package net.yacy.http;`

* caching in proxy 14 years ago			`import java.net.MalformedURLException;`
fixed localhost authorization and replaced the adminRealm with an info string which is visible in the browser. That makes it possible that the browser instructs the user how to change a forgotten admin password (during runtime). 10 years ago
removed unused anomichttpd code after migration to jetty 11 years ago			`import net.yacy.cora.document.id.MultiProtocolURL;`
fixed localhost authorization and replaced the adminRealm with an info string which is visible in the browser. That makes it possible that the browser instructs the user how to change a forgotten admin password (during runtime). 10 years ago			`import net.yacy.cora.order.Base64Order;`
* authentication complete (using old credentials from config file) 14 years ago			`import net.yacy.cora.protocol.Domains;`
tweak Jetty credentials to work with YaCy UserDB - user entry in UserDB with admin right can login to access protected pages - dto. admin user, choosen username is stored in conf (adminAccountUserName=) 11 years ago			`import net.yacy.data.UserDB.AccessRight;`
Merge branch 'master' of ssh://gitorious.org/yacy/rc1 into jetty Conflicts: .classpath build.xml htroot/Status.java source/de/anomic/http/server/HTTPDProxyHandler.java source/net/yacy/yacy.java 13 years ago			`import net.yacy.search.Switchboard;`
refactoring (usage of constant names for attributes of authentication check) 11 years ago			`import net.yacy.search.SwitchboardConstants;`
made the access tracker class static because it shall be used by the jetty auth module 11 years ago			`import net.yacy.server.serverAccessTracker;`
fixed localhost authorization and replaced the adminRealm with an info string which is visible in the browser. That makes it possible that the browser instructs the user how to change a forgotten admin password (during runtime). 10 years ago
make SecurityHandler webappcontext ready 11 years ago			`import org.eclipse.jetty.security.ConstraintSecurityHandler;`
update to Jetty 9 jars - include javax.servlet 3.0 11 years ago			`import org.eclipse.jetty.security.RoleInfo;`
* authentication implemented with own securityhandler 14 years ago			`import org.eclipse.jetty.server.Request;`

			`/**`
			`* jetty security handler`
			`* demands authentication for pages with _p. inside`
add call to AccessTracker to jetty security handler 11 years ago			`* and updates AccessTracker`
* authentication implemented with own securityhandler 14 years ago			`*/`
update to Jetty 9 besides adjustments in code it makes the servlet settings in web.xml significant. This applies to solr, gsa and proxy servlet. There is no longer a default setup in code during init (as jetty 9 checks for double definition). 11 years ago			`public class Jetty9YaCySecurityHandler extends ConstraintSecurityHandler {`
make SecurityHandler webappcontext ready 11 years ago
adjust YaCySecurityHandler to Jetty 9 conventions - mainly adjust prepareConstraintInfo to use the RoleInfo.setChecked as in Jetty Source distribution - use constraint check behavior as in ConstraintSecurityHandler see http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/tree/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java?id=jetty-9.0.5.v20130813 11 years ago			`/**`
			`* create the constraint for the given path`
			`* for urls containing *_p. (like info_p.html) admin access is required,`
			`* on localhost = admin setting no constraint is set`
			`* @param pathInContext`
			`* @param request`
			`* @return RoleInfo with`
			`* isChecked=true if any security contraint applies (compare reference implementation org.eclipse.jetty.security.ConstraintSecurityHandler)`
			`* role = "admin" for resource name containint _p.`
			`*/`
update to Jetty 9 jars - include javax.servlet 3.0 11 years ago			`@Override`
			`protected RoleInfo prepareConstraintInfo(String pathInContext, Request request) {`
			`final Switchboard sb = Switchboard.getSwitchboard();`
added flag to require that all web pages, even such without a "_p" extension require authorization. (default off) 11 years ago			`final boolean adminAccountGrantedForLocalhost = sb.getConfigBool(SwitchboardConstants.ADMIN_ACCOUNT_FOR_LOCALHOST, false);`
			`final boolean adminAccountNeededForAllPages = sb.getConfigBool(SwitchboardConstants.ADMIN_ACCOUNT_All_PAGES, false);`
* authentication complete (using old credentials from config file) 14 years ago
* caching in proxy 14 years ago			`String refererHost;`
add call to AccessTracker to jetty security handler 11 years ago			`// update AccessTracker`
			`refererHost = request.getRemoteAddr();`
made the access tracker class static because it shall be used by the jetty auth module 11 years ago			`serverAccessTracker.track(refererHost, pathInContext);`
add call to AccessTracker to jetty security handler 11 years ago
update to Jetty 9 jars - include javax.servlet 3.0 11 years ago			`try {`
fix not necessary use of DigestURL 11 years ago			`refererHost = new MultiProtocolURL(request.getHeader("Referer")).getHost();`
update to Jetty 9 jars - include javax.servlet 3.0 11 years ago			`} catch (MalformedURLException e) {`
			`refererHost = null;`
add call to AccessTracker to jetty security handler 11 years ago			`}`
* authentication complete (using old credentials from config file) 14 years ago			`final boolean accessFromLocalhost = Domains.isLocalhost(request.getRemoteHost()) && (refererHost == null \|\| refererHost.length() == 0 \|\| Domains.isLocalhost(refererHost));`
fixed mess with test on localhost (which means local hosts for some cases) 11 years ago			`// ! note : accessFromLocalhost compares localhost ip pattern`
added flag to require that all web pages, even such without a "_p" extension require authorization. (default off) 11 years ago			`final boolean grantedForLocalhost = adminAccountGrantedForLocalhost && accessFromLocalhost;`
			`boolean protectedPage = adminAccountNeededForAllPages \|\| (pathInContext.indexOf("_p.") > 0);`
- add GSA search /gsa/search servlet for Jetty to Server init - include SecurityHandler check for /gsa/ /solr/ - change one more YaCyDefaultServlet dependency from Jetty to std. javax.Servlet 11 years ago			`// check "/gsa" and "/solr" if not publicSearchpage`
added adminAccount switch to ConfigAccounts_p servlet to switch on protection of all pages; some refactoring as well 11 years ago			`if (!protectedPage && !sb.getConfigBool(SwitchboardConstants.PUBLIC_SEARCHPAGE, true)) {`
- add GSA search /gsa/search servlet for Jetty to Server init - include SecurityHandler check for /gsa/ /solr/ - change one more YaCyDefaultServlet dependency from Jetty to std. javax.Servlet 11 years ago			`protectedPage = pathInContext.startsWith("/solr/") \|\| pathInContext.startsWith("/gsa/");`
			`}`
simulate Authorization cookie for yacy servlet header 11 years ago
			`if (protectedPage) {`
			`if (grantedForLocalhost) {`
			`return null; // quick return for local admin`
fixed localhost authorization and replaced the adminRealm with an info string which is visible in the browser. That makes it possible that the browser instructs the user how to change a forgotten admin password (during runtime). 10 years ago			`} else if (accessFromLocalhost) {`
			`// last chance to authentify using the admin from localhost`
			`final String credentials = request.getHeader("Authorization");`
			`if (credentials != null && credentials.length() > 60 && credentials.startsWith("Basic ")) {`
			`final String foruser = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME, "admin");`
			`final String adminAccountBase64MD5 = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "");`
			`final String b64 = Base64Order.standardCoder.encodeString(foruser + ":" + adminAccountBase64MD5);`
			`if ((credentials.substring(6)).equals(b64)) return null; // lazy authentification for local access with credential from config (only a user with read access to DATA can do that)`
			`}`
code simplifications / removed warnings 11 years ago			`}`
			`RoleInfo roleinfo = new RoleInfo();`
			`roleinfo.setChecked(true); // RoleInfo.setChecked() : in Jetty this means - marked to have any security constraint`
			`roleinfo.addRole(AccessRight.ADMIN_RIGHT.toString()); // use AccessRights as role`
			`return roleinfo;`
update to Jetty 9 jars - include javax.servlet 3.0 11 years ago			`}`
removed warnings 11 years ago			`return super.prepareConstraintInfo(pathInContext, request);`
update to Jetty 9 jars - include javax.servlet 3.0 11 years ago			`}`
* authentication implemented with own securityhandler 14 years ago			`}`