From 7d24bcb98dd65b19d70e46c5f3ab0561a7967a3c Mon Sep 17 00:00:00 2001
From: orbiter
Date: Thu, 20 Mar 2014 19:09:47 +0100
Subject: [PATCH] added flag to require that all web pages, even such without a "_p" extension require authorization. (default off)

---
 defaults/yacy.init | 7 +++++++
 source/net/yacy/http/Jetty8YaCySecurityHandler.java | 7 ++++---
 source/net/yacy/search/SwitchboardConstants.java | 1 +
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/defaults/yacy.init b/defaults/yacy.init
index 304b064fa..5ae000d2d 100644
--- a/defaults/yacy.init
+++ b/defaults/yacy.init
@@ -403,6 +403,13 @@ adminAccountUserName=admin
 # inaccessibility for installations on headless servers.
 adminAccountForLocalhost=true
+# adminAccountAllPages: if set to false, then all pages without the extension "_p" are
+# accessible without authorization. Some servlets may individually decide to use or request
+# administration rights. If adminAccountAllPages is set to true, then administration
+# rights are needed to access all pages without any exception. Setting adminAccountAllPages
+# to true therefore closes the YaCy web pages for everyone.
+adminAccountAllPages=false
 # adminRealm: a internal name (like a group name) for the login setting of the admin frontend
 # ATTENTION: changing this name will invalidate all currently password hashes
 # - With DIGEST authentication mode is this realm name of generated password hashes
diff --git a/source/net/yacy/http/Jetty8YaCySecurityHandler.java b/source/net/yacy/http/Jetty8YaCySecurityHandler.java
index a23bbebed..6f8a08692 100644
--- a/source/net/yacy/http/Jetty8YaCySecurityHandler.java
+++ b/source/net/yacy/http/Jetty8YaCySecurityHandler.java
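Review bot: The new comment promises that with adminAccountAllPages=true administration rights are needed "without any exception", but the same patch still computes `grantedForLocalhost` from adminAccountForLocalhost in Jetty8YaCySecurityHandler.prepareConstraintInfo, and how that grant is applied to protectedPage lies outside the diff. If the localhost grant still bypasses the constraint, the wording here overstates the lockdown and an operator relying on it would leave localhost (the default adminAccountForLocalhost=true) open. Either state the interaction in this comment, e.g. `# Note: access from localhost is still granted when adminAccountForLocalhost=true`, or, if the flag is meant to override that grant, make the handler do so explicitly. The same point applies to the second hunk of Jetty8YaCySecurityHandler.java.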
@@ -65,7 +65,8 @@ public class Jetty8YaCySecurityHandler extends ConstraintSecurityHandler {
     @Override
     protected RoleInfo prepareConstraintInfo(String pathInContext, Request request) {
         final Switchboard sb = Switchboard.getSwitchboard();
-        final boolean adminAccountForLocalhost = sb.getConfigBool(SwitchboardConstants.ADMIN_ACCOUNT_FOR_LOCALHOST, false);
+        final boolean adminAccountGrantedForLocalhost = sb.getConfigBool(SwitchboardConstants.ADMIN_ACCOUNT_FOR_LOCALHOST, false);
+        final boolean adminAccountNeededForAllPages = sb.getConfigBool(SwitchboardConstants.ADMIN_ACCOUNT_All_PAGES, false);
         //final String adminAccountBase64MD5 = sb.getConfig(YaCyLegacyCredential.ADMIN_ACCOUNT_B64MD5, "");
         String refererHost;
@@ -80,8 +81,8 @@ public class Jetty8YaCySecurityHandler extends ConstraintSecurityHandler {
         }
         final boolean accessFromLocalhost = Domains.isLocalhost(request.getRemoteHost()) && (refererHost == null || refererHost.length() == 0 || Domains.isLocalhost(refererHost));
         // ! note : accessFromLocalhost compares localhost ip pattern
-        final boolean grantedForLocalhost = adminAccountForLocalhost && accessFromLocalhost;
-        boolean protectedPage = (pathInContext.indexOf("_p.") > 0);
+        final boolean grantedForLocalhost = adminAccountGrantedForLocalhost && accessFromLocalhost;
+        boolean protectedPage = adminAccountNeededForAllPages || (pathInContext.indexOf("_p.") > 0);
         // check "/gsa" and "/solr" if not publicSearchpage
         if (!protectedPage && !sb.getConfigBool("publicSearchpage", true)) {
             protectedPage = pathInContext.startsWith("/solr/") || pathInContext.startsWith("/gsa/");
diff --git a/source/net/yacy/search/SwitchboardConstants.java b/source/net/yacy/search/SwitchboardConstants.java
index 47ccea051..fc6c91f77 100644
--- a/source/net/yacy/search/SwitchboardConstants.java
+++ b/source/net/yacy/search/SwitchboardConstants.java
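Review bot: The new constant referenced on the added `adminAccountNeededForAllPages` line is spelled `ADMIN_ACCOUNT_All_PAGES`, with a lowercase "ll" in the middle of an otherwise UPPER_SNAKE_CASE name; every neighbouring constant (`ADMIN_ACCOUNT_FOR_LOCALHOST`, `ADMIN_ACCOUNT_B64MD5`) follows the convention, so this one will be mistyped by the next caller. Rename it at its definition in the SwitchboardConstants.java hunk to `public static final String ADMIN_ACCOUNT_ALL_PAGES = "adminAccountAllPages";` and use `SwitchboardConstants.ADMIN_ACCOUNT_ALL_PAGES` here; the string value stays the same, so the yacy.init key is unaffected. The body of prepareConstraintInfo continues past this hunk.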
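Review bot: The rewritten `protectedPage` line makes `adminAccountNeededForAllPages` short-circuit every later refinement, so when the flag is set the following `publicSearchpage` check is never evaluated and `/solr/` and `/gsa/` require administration rights even with publicSearchpage=true; that matches the "no exception" intent, but the next line's comment still reads as if publicSearchpage decides, which will mislead whoever touches this code next. A one-line note above the assignment would make the precedence explicit: `// adminAccountAllPages overrides both the "_p." naming rule and the publicSearchpage exception below`. Also note that `grantedForLocalhost` is still computed in this hunk; where it is applied to protectedPage is outside the diff, so whether the new flag is truly unconditional cannot be confirmed from here. prepareConstraintInfo starts before and ends after this hunk.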
@@ -47,6 +47,7 @@ public final class SwitchboardConstants {
     public static final String ADMIN_ACCOUNT_B64MD5 = "adminAccountBase64MD5";
     public static final String ADMIN_ACCOUNT_USER_NAME = "adminAccountUserName"; // by default 'admin'
     public static final String ADMIN_ACCOUNT_FOR_LOCALHOST = "adminAccountForLocalhost";
+    public static final String ADMIN_ACCOUNT_All_PAGES = "adminAccountAllPages";
     public static final String ADMIN_REALM = "adminRealm";
     public static final int CRAWLJOB_SYNC = 0;