fixed localhost authorization and replaced the adminRealm with an info

string which is visible in the browser. That makes it possible for the
browser to instruct the user how to change a forgotten admin password
(at runtime).
pull/1/head
Michael Peter Christen 11 years ago
parent 62f48a28d6
commit 57ce7eeff3

@ -406,8 +406,8 @@ adminAccountAllPages=false
# with additional machines they have to belong to the same realm
# - authentication defaults to BASIC
# - and can be configured in defaults/web.xml , tag <auth-method>
adminRealm=YaCy-AdminUI
#adminRealm=YaCy-AdminUI
adminRealm=The YaCy access is limited to administrators. If you don't know the password, you can change it using <yacy-home>/bin/passwd.sh <new-password>
# if you are running a principal peer, you must update the following variables
# The upload method that should be used to upload the seed-list file to
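Review bot: The new `adminRealm=` value is a full sentence, but the comment block above it (the lines about additional machines having to "belong to the same realm" and authentication defaulting to BASIC) still describes the key as a plain realm identifier, so it should be updated to say the value now also serves as the user-visible login-prompt text. If this string is emitted as the Basic-auth realm (presumably inside `realm="..."`), it must not contain a double quote; a comment such as `# this text is shown in the browser's login prompt; keep it free of double quotes` above the new line would make that constraint explicit. Whether a sentence-length realm still satisfies the cross-machine realm matching the old comment refers to cannot be verified from this hunk.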

@ -66,7 +66,7 @@ public class ConfigAccounts_p {
final String pw2 = post.get("adminpw2", "");
int inputerror=0;
// may be overwritten if new password is given
if (user.length() > 0 && pw1.length() > 3 && pw1.equals(pw2)) {
if (user.length() > 0 && pw1.length() > 2 && pw1.equals(pw2)) {
String oldusername = env.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME,user);
// check passed. set account:
// old: // env.setConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, Digest.encodeMD5Hex(Base64Order.standardCoder.encodeString(user + ":" + pw1)));
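Review bot: The changed condition `pw1.length() > 2` lowers the minimum admin password from 4 to 3 characters, which the commit message does not mention and which weakens the only length check applied to the admin credential here. If the relaxation is intentional, the threshold deserves a named constant and a comment, e.g. `private static final int MIN_ADMIN_PW_LENGTH = 3; // minimum accepted admin password length` and `if (user.length() > 0 && pw1.length() >= MIN_ADMIN_PW_LENGTH && pw1.equals(pw2)) {`. The rejecting branch is not visible, so whether the user is told why a shorter password was refused cannot be confirmed from the hunk. The enclosing method starts and ends outside the hunk.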

@ -25,12 +25,15 @@
package net.yacy.http;
import java.net.MalformedURLException;
import net.yacy.cora.document.id.MultiProtocolURL;
import net.yacy.cora.order.Base64Order;
import net.yacy.cora.protocol.Domains;
import net.yacy.data.UserDB.AccessRight;
import net.yacy.search.Switchboard;
import net.yacy.search.SwitchboardConstants;
import net.yacy.server.serverAccessTracker;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.RoleInfo;
import org.eclipse.jetty.server.Request;
@ -80,6 +83,15 @@ public class Jetty9YaCySecurityHandler extends ConstraintSecurityHandler {
if (protectedPage) {
if (grantedForLocalhost) {
return null; // quick return for local admin
} else if (accessFromLocalhost) {
// last chance to authentify using the admin from localhost
final String credentials = request.getHeader("Authorization");
if (credentials != null && credentials.length() > 60 && credentials.startsWith("Basic ")) {
final String foruser = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME, "admin");
final String adminAccountBase64MD5 = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "");
final String b64 = Base64Order.standardCoder.encodeString(foruser + ":" + adminAccountBase64MD5);
if ((credentials.substring(6)).equals(b64)) return null; // lazy authentification for local access with credential from config (only a user with read access to DATA can do that)
}
}
RoleInfo roleinfo = new RoleInfo();
roleinfo.setChecked(true); // RoleInfo.setChecked() : in Jetty this means - marked to have any security constraint
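Review bot: The check `if ((credentials.substring(6)).equals(b64)) return null;` compares the presented Basic token to the expected value with `String.equals`, which returns on the first differing byte; since the expected value is derived from the stored admin hash, a constant-time comparison is the usual choice, e.g. `if (MessageDigest.isEqual(credentials.substring(6).getBytes(StandardCharsets.UTF_8), b64.getBytes(StandardCharsets.UTF_8))) return null;` (with `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` added to the import block in the first hunk). The `credentials.length() > 60` test is an unexplained magic number; it also appears to be the only thing preventing a match when `ADMIN_ACCOUNT_B64MD5` is unset (the default `""` makes `b64` the encoding of `admin:`), so that intent should be made explicit with an early `if (adminAccountBase64MD5.isEmpty())` skip or at least a comment stating why 60. The method's signature and remainder lie outside the hunk.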

@ -56,7 +56,7 @@ public class YaCyLoginService extends MappedLoginService implements LoginService
// is created for current user (and the pwd checked against the stored username:pwd setting)
credential = YaCyLegacyCredential.getCredentialForAdmin(username, adminAccountBase64MD5);
// TODO: YaCy user:pwd hashes should longterm likely be switched to separable username + pwd-hash entries
// and/or the standard admin account username shuld be fix = "admin"
// and/or the standard admin account username should be fix = "admin"
roles = new String[]{AccessRight.ADMIN_RIGHT.toString()};
} else {
Entry user = sb.userDB.getEntry(username);
