From 57ce7eeff321f3e5205415e5cefcf2645afa1eeb Mon Sep 17 00:00:00 2001
From: Michael Peter Christen
Date: Tue, 2 Sep 2014 13:15:19 +0200
Subject: [PATCH] fixed localhost authorization and replaced the adminRealm with an info string which is visible in the browser. That makes it possible that the browser instructs the user how to change a forgotten admin password (during runtime).

---
 defaults/yacy.init | 4 ++--
 htroot/ConfigAccounts_p.java | 2 +-
 source/net/yacy/http/Jetty9YaCySecurityHandler.java | 12 ++++++++++++
 source/net/yacy/http/YaCyLoginService.java | 2 +-
 4 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/defaults/yacy.init b/defaults/yacy.init
index 7da7d22f3..d227705b1 100644
--- a/defaults/yacy.init
+++ b/defaults/yacy.init
@@ -406,8 +406,8 @@ adminAccountAllPages=false
 # with additional machines they have to belong to the same realm
 # - authentication defaults to BASIC
 # - and can be configured in defaults/web.xml , tag
-
-adminRealm=YaCy-AdminUI
+#adminRealm=YaCy-AdminUI
+adminRealm=The YaCy access is limited to administrators. If you don't know the password, you can change it using /bin/passwd.sh
 # if you are running a principal peer, you must update the following variables
 # The upload method that should be used to upload the seed-list file to
diff --git a/htroot/ConfigAccounts_p.java b/htroot/ConfigAccounts_p.java
index 1f55a954a..bcc04f940 100644
--- a/htroot/ConfigAccounts_p.java
+++ b/htroot/ConfigAccounts_p.java
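Review bot: The new adminRealm value is sent verbatim as the realm quoted-string of the Basic-auth challenge, so the text is presumably shown to every unauthenticated client, remote ones included, not only to the local browser the commit message has in mind; it discloses the reset procedure (`/bin/passwd.sh`), which is only usable with shell access to the host, so the exposure looks acceptable but should be a deliberate choice rather than a side effect. A realm quoted-string must not contain an unescaped double quote or backslash; the apostrophe in `don't` is fine, but a comment such as `# single line, no double quotes or backslashes: this text is sent in the WWW-Authenticate header` would protect future edits. The preceding comment still says the realm must match the one configured in defaults/web.xml; if that realm-name is compared against adminRealm, it needs the same change, which this patch does not include. The commented-out `#adminRealm=YaCy-AdminUI` line can go unless it is meant as documentation of the previous default.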
@@ -66,7 +66,7 @@ public class ConfigAccounts_p {
 final String pw2 = post.get("adminpw2", "");
 int inputerror=0;
 // may be overwritten if new password is given
-if (user.length() > 0 && pw1.length() > 3 && pw1.equals(pw2)) {
+if (user.length() > 0 && pw1.length() > 2 && pw1.equals(pw2)) {
 String oldusername = env.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME,user);
 // check passed. set account:
 // old:
 // env.setConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, Digest.encodeMD5Hex(Base64Order.standardCoder.encodeString(user + ":" + pw1)));
diff --git a/source/net/yacy/http/Jetty9YaCySecurityHandler.java b/source/net/yacy/http/Jetty9YaCySecurityHandler.java
index 9d6f811a4..00446d704 100644
--- a/source/net/yacy/http/Jetty9YaCySecurityHandler.java
+++ b/source/net/yacy/http/Jetty9YaCySecurityHandler.java
@@ -25,12 +25,15 @@ package net.yacy.http;
 import java.net.MalformedURLException;
+
 import net.yacy.cora.document.id.MultiProtocolURL;
+import net.yacy.cora.order.Base64Order;
 import net.yacy.cora.protocol.Domains;
 import net.yacy.data.UserDB.AccessRight;
 import net.yacy.search.Switchboard;
 import net.yacy.search.SwitchboardConstants;
 import net.yacy.server.serverAccessTracker;
+
 import org.eclipse.jetty.security.ConstraintSecurityHandler;
 import org.eclipse.jetty.security.RoleInfo;
 import org.eclipse.jetty.server.Request;
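Review bot: The changed condition lowers the minimum admin password length from four to three characters, which makes the admin account easier to guess against Basic auth; for the one account that controls the peer a reviewer would expect the limit to go up rather than down, e.g. `if (user.length() > 0 && pw1.length() >= 8 && pw1.equals(pw2)) {`, with the limit stated in the form's error text so the user learns why a short password is refused. The hunk does not show whether a too-short password sets `inputerror` or is silently ignored; the enclosing method begins and ends outside the hunk, so that branch should be checked there. If the shorter limit is intentional, a comment on the line giving the reason would stop the next reader from restoring the old value, and the same minimum should then be enforced wherever else the admin password is set.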
@@ -80,6 +83,15 @@ public class Jetty9YaCySecurityHandler extends ConstraintSecurityHandler {
 if (protectedPage) {
 if (grantedForLocalhost) {
 return null; // quick return for local admin
+} else if (accessFromLocalhost) {
+// last chance to authentify using the admin from localhost
+final String credentials = request.getHeader("Authorization");
+if (credentials != null && credentials.length() > 60 && credentials.startsWith("Basic ")) {
+final String foruser = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME, "admin");
+final String adminAccountBase64MD5 = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "");
+final String b64 = Base64Order.standardCoder.encodeString(foruser + ":" + adminAccountBase64MD5);
+if ((credentials.substring(6)).equals(b64)) return null; // lazy authentification for local access with credential from config (only a user with read access to DATA can do that)
+}
 }
 RoleInfo roleinfo = new RoleInfo();
 roleinfo.setChecked(true); // RoleInfo.setChecked() : in Jetty this means - marked to have any security constraint
diff --git a/source/net/yacy/http/YaCyLoginService.java b/source/net/yacy/http/YaCyLoginService.java
index 80c099e8d..998e73b98 100644
--- a/source/net/yacy/http/YaCyLoginService.java
+++ b/source/net/yacy/http/YaCyLoginService.java
@@ -56,7 +56,7 @@ public class YaCyLoginService extends MappedLoginService implements LoginService
 // is created for current user (and the pwd checked against the stored username:pwd setting)
 credential = YaCyLegacyCredential.getCredentialForAdmin(username, adminAccountBase64MD5);
 // TODO: YaCy user:pwd hashes should longterm likely be switched to separable username + pwd-hash entries
-// and/or the standard admin account username shuld be fix = "admin"
+// and/or the standard admin account username should be fix = "admin"
 roles = new String[]{AccessRight.ADMIN_RIGHT.toString()};
 } else {
 Entry user = sb.userDB.getEntry(username);
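Review bot: The added localhost branch accepts `base64(user + ":" + storedHash)` as a Basic credential, so the value stored under ADMIN_ACCOUNT_B64MD5 becomes a usable login token in its own right rather than a verifier: anyone able to read the config file can authenticate from localhost without knowing the password, and `accessFromLocalhost` presumably also covers requests relayed by a reverse proxy running on the same host; both facts belong in a comment on the branch, and taking this path should produce an audit log entry. The `credentials.length() > 60` guard is brittle because the expected length depends on the username length and on the stored hash format, so a short username can be rejected while a longer one passes; it is also the only thing that currently keeps the empty default (`""`) from matching `base64(foruser + ":")`. Compute the expected string first, refuse the branch while no admin hash is configured, and compare the bytes with `MessageDigest.isEqual` so the check is length-exact and constant-time (this needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` added to the import block). The enclosing method starts and ends outside the hunk.
```java
} else if (accessFromLocalhost) {
    // last chance to authentify using the admin from localhost
    final String credentials = request.getHeader("Authorization");
    if (credentials != null && credentials.startsWith("Basic ")) {
        final String foruser = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME, "admin");
        final String adminAccountBase64MD5 = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "");
        // the stored hash doubles as the credential here: never accept it while no admin hash is configured
        if (!adminAccountBase64MD5.isEmpty()) {
            final byte[] expected = Base64Order.standardCoder.encodeString(foruser + ":" + adminAccountBase64MD5).getBytes(StandardCharsets.US_ASCII);
            final byte[] presented = credentials.substring(6).getBytes(StandardCharsets.US_ASCII);
            // length-exact, constant-time comparison; only a reader of the config file can produce this value
            if (MessageDigest.isEqual(expected, presented)) return null;
        }
    }
}
```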