fix Jetty9YaCySecurityHandler, length check of Basic credential,

add comment to SwitchboardConstants.AdminAccount const
8 years ago · 811cf637f8
parent fdcf33f08f
commit 811cf637f8
2 changed files with 7 additions and 3 deletions
--- a/source/net/yacy/http/Jetty9YaCySecurityHandler.java
+++ b/source/net/yacy/http/Jetty9YaCySecurityHandler.java
@ -87,10 +87,10 @@ public class Jetty9YaCySecurityHandler extends ConstraintSecurityHandler {
            } else if (accessFromLocalhost) {
                // last chance to authentify using the admin from localhost
                final String credentials = request.getHeader(RequestHeader.AUTHORIZATION);
-                if (credentials != null && credentials.length() > 60 && credentials.startsWith("Basic ")) {
+                if (credentials != null && credentials.length() < 60 && credentials.startsWith("Basic ")) { // Basic credentials are short "Basic " + b64(user:pwd)
                    final String foruser = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME, "admin");
                    final String adminAccountBase64MD5 = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "");
-                    final String b64 = Base64Order.standardCoder.encodeString(foruser + ":" + adminAccountBase64MD5);
+                    final String b64 = Base64Order.standardCoder.encodeString(foruser + ":" + adminAccountBase64MD5); // TODO: is this valid? ; consider "MD5:" prefixed config
                    if ((credentials.substring(6)).equals(b64)) return null; // lazy authentification for local access with credential from config (only a user with read access to DATA can do that)
                }
            }
--- a/source/net/yacy/search/SwitchboardConstants.java
+++ b/source/net/yacy/search/SwitchboardConstants.java
@ -43,7 +43,11 @@ public final class SwitchboardConstants {
     * With introduction of DIGEST authentication all passwords are MD5 encoded and calculatd as <code>username:adminrealm:password</code>
     * To differentiate old and new admin passwords, use the new calculated passwords a "MD5:" prefix.
     */
-    public static final String ADMIN_ACCOUNT                = "adminAccount";
+    
+    public static final String ADMIN_ACCOUNT                = "adminAccount"; // not used anymore (did hold clear text  username:pwd)
+
+    // this holds the credential "MD5:" + Digest.encodeMD5Hex(adminAccountUserName + ":" + adminRealm + ":" + password)
+    // or the depreciated old style MapTools.encodeMD5Hex( Base64Order.standardCoder.encode(adminAccountUserName + ":" + password) )
    public static final String ADMIN_ACCOUNT_B64MD5         = "adminAccountBase64MD5";
    public static final String ADMIN_ACCOUNT_USER_NAME      = "adminAccountUserName"; // by default 'admin'
    public static final String ADMIN_ACCOUNT_FOR_LOCALHOST  = "adminAccountForLocalhost";