boxtec
/
yacy_search_server
mirror of https://github.com/yacy/yacy_search_server
4
1
Fork 0
Code Issues Projects Releases Wiki Activity

using cookieAuth.

Browse Source 
logout for httpauth seems to be broken :-(

git-svn-id: https://svn.berlios.de/svnroot/repos/yacy/trunk@2202 6c8d7289-2bf4-0310-a012-ef5d649a1542
pull/1/head
allo 19 years ago
parent 7f51a43cba
commit b23703f260
6 changed files with 148 additions and 99 deletions
Show Stats Download Patch File Download Diff File

26
htroot/CookieTest.java
Unescape View File

@ -80,7 +80,7 @@ public class CookieTest {
for(int i=0;i<coockie.length;i++) for(int i=0;i<coockie.length;i++)
{ {
String nameValue[]=coockie[i].split("="); String nameValue[]=coockie[i].split("=");
outgoingHeader.setCoockie(nameValue[0].trim(),nameValue.length>1?(nameValue[1].trim()):"","Thu, 01-Jan-99 00:00:01 GMT"); outgoingHeader.setCookie(nameValue[0].trim(),nameValue.length>1?(nameValue[1].trim()):"","Thu, 01-Jan-99 00:00:01 GMT");
} }
} }
@ -95,31 +95,21 @@ public class CookieTest {
} }
else if(post.containsKey("act")&&post.get("act").equals("set_cookie")) else if(post.containsKey("act")&&post.get("act").equals("set_cookie"))
{ {
String CoockieName = post.get("cookie_name").toString().trim(); String cookieName = post.get("cookie_name").toString().trim();
String CoockieValue = post.get("cookie_value").toString().trim(); String cookieValue = post.get("cookie_value").toString().trim();
httpHeader outgoingHeader=new httpHeader(); httpHeader outgoingHeader=new httpHeader();
outgoingHeader.setCoockie(CoockieName,CoockieValue); outgoingHeader.setCookie(cookieName,cookieValue);
prop.setOutgoingHeader(outgoingHeader); prop.setOutgoingHeader(outgoingHeader);
prop.put("cookiesin",1); prop.put("cookiesin",1);
prop.put("cookiesin_0_name",CoockieName); prop.put("cookiesin_0_name",cookieName);
prop.put("cookiesin_0_value",CoockieValue); prop.put("cookiesin_0_value",cookieValue);
//header. //header.
} }
Iterator it = header.entrySet().iterator();
while(it.hasNext())
{
java.util.Map.Entry e = (Entry) it.next();
System.out.println(""+e.getKey()+" : "+e.getValue());
if(e.getKey().equals("Cookie"))
{
prop.put("cookiesout",1);
prop.put("cookiesout_0_string",e.getValue().toString().replaceAll(";",";<br />"));
}
}
prop.put("cookiesout",1);
prop.put("cookiesout_0_string", header.getHeaderCookies().replaceAll(";",";<br />"));
return prop; return prop;
} }

2
htroot/User.html
Unescape View File

@ -17,7 +17,7 @@ Password: <input type="password" name="password"><br />
</form> </form>
:: ::
You are currently logged in as #[username]#.<br /> You are currently logged in as #[username]#.<br />
(Identified by #(identified-by)#IP::Username/Password#(/identified-by)#)<br /> (Identified by #(identified-by)#IP::Username/Password::Cookie#(/identified-by)#)<br />
<form action="User.html"> <form action="User.html">
<input type="submit" name="logout" value="logout"> <input type="submit" name="logout" value="logout">
</form> </form>

93
htroot/User.java
Unescape View File

@ -57,7 +57,17 @@ import de.anomic.server.serverSwitch;
public class User{ public class User{
private static String getLoginToken(String cookies){
String[] cookie=cookies.split(";"); //TODO: Mozilla uses
String[] pair;
for(int i=0;i<cookie.length;i++){
pair=cookie[i].split("=");
if(pair[0].trim().equals("login")){
return pair[1].trim();
}
}
return "";
}
public static serverObjects respond(httpHeader header, serverObjects post, serverSwitch env) { public static serverObjects respond(httpHeader header, serverObjects post, serverSwitch env) {
serverObjects prop = new serverObjects(); serverObjects prop = new serverObjects();
plasmaSwitchboard sb = plasmaSwitchboard.getSwitchboard(); plasmaSwitchboard sb = plasmaSwitchboard.getSwitchboard();
@ -70,43 +80,60 @@ public class User{
//identified via HTTPPassword //identified via HTTPPassword
entry=sb.userDB.proxyAuth(((String) header.get(httpHeader.AUTHORIZATION, "xxxxxx"))); entry=sb.userDB.proxyAuth(((String) header.get(httpHeader.AUTHORIZATION, "xxxxxx")));
if(entry != null){ if(entry != null){
prop.put("logged-in_identified-by", 1); prop.put("logged-in_identified-by", 1);
//identified via form-login //try via cookie
//TODO: this does not work for a static admin, yet.
}else if(post != null && post.containsKey("username") && post.containsKey("password")){
entry=sb.userDB.passwordAuth((String)post.get("username"), (String)post.get("password"), (String)header.get("CLIENTIP", "xxxxxx"));
prop.put("logged-in_identified-by", 1);
if(post.containsKey("returnto")){
prop.put("LOCATION", (String)post.get("returnto"));
}
//identified via ip.
}else{ }else{
entry=sb.userDB.ipAuth(((String)header.get("CLIENTIP", "xxxxxx"))); entry=sb.userDB.cookieAuth(getLoginToken(header.getHeaderCookies()));
if(entry != null){ prop.put("logged-in_identified-by", 2);
prop.put("logged-in_identified-by", 0); //try via ip
} if(entry == null){
entry=sb.userDB.ipAuth(((String)header.get("CLIENTIP", "xxxxxx")));
if(entry != null){
prop.put("logged-in_identified-by", 0);
}
}
} }
//Logged in via UserDB
//identified via userDB
if(entry != null){ if(entry != null){
prop.put("logged-in", 1); prop.put("logged-in", 1);
prop.put("logged-in_username", entry.getUserName()); prop.put("logged-in_username", entry.getUserName());
if(entry.getTimeLimit() > 0){ if(entry.getTimeLimit() > 0){
prop.put("logged-in_limit", 1); prop.put("logged-in_limit", 1);
long limit=entry.getTimeLimit(); long limit=entry.getTimeLimit();
long used=entry.getTimeUsed(); long used=entry.getTimeUsed();
prop.put("logged-in_limit_timelimit", limit); prop.put("logged-in_limit_timelimit", limit);
prop.put("logged-in_limit_timeused", used); prop.put("logged-in_limit_timeused", used);
int percent=0; int percent=0;
if(limit!=0 && used != 0) if(limit!=0 && used != 0)
percent=(int)((float)used/(float)limit*100); percent=(int)((float)used/(float)limit*100);
prop.put("logged-in_limit_percent", percent/3); prop.put("logged-in_limit_percent", percent/3);
prop.put("logged-in_limit_percent2", (100-percent)/3); prop.put("logged-in_limit_percent2", (100-percent)/3);
} }
//logged in via static Password //logged in via static Password
}else if(sb.verifyAuthentication(header, true)){ }else if(sb.verifyAuthentication(header, true)){
prop.put("logged-in", 2); prop.put("logged-in", 2);
//not logged in //identified via form-login
//TODO: this does not work for a static admin, yet.
}else if(post != null && post.containsKey("username") && post.containsKey("password")){
//entry=sb.userDB.passwordAuth((String)post.get("username"), (String)post.get("password"), (String)header.get("CLIENTIP", "xxxxxx"));
entry=sb.userDB.passwordAuth((String)post.get("username"), (String)post.get("password"));
if(entry != null){
//set a random token in a cookie
String cookie=sb.userDB.getCookie(entry);
httpHeader outgoingHeader=new httpHeader();
outgoingHeader.setCookie("login", cookie);
prop.setOutgoingHeader(outgoingHeader);
prop.put("logged-in", 1);
prop.put("logged-in_identified-by", 1);
prop.put("logged-in_username", entry.getUserName());
if(post.containsKey("returnto")){
prop.put("LOCATION", (String)post.get("returnto"));
}
}
} }
if(post!= null && entry != null){ if(post!= null && entry != null){
if(post.containsKey("changepass")){ if(post.containsKey("changepass")){
prop.put("status", 1); //password prop.put("status", 1); //password
@ -131,9 +158,9 @@ public class User{
if(post!=null && post.containsKey("logout")){ if(post!=null && post.containsKey("logout")){
prop.put("logged-in",0); prop.put("logged-in",0);
if(entry != null){ if(entry != null){
entry.logout(((String)header.get("CLIENTIP", "xxxxxx"))); entry.logout(((String)header.get("CLIENTIP", "xxxxxx")), getLoginToken(header.getHeaderCookies())); //todo: logout cookie
} }
if(sb.verifyAuthentication(header, true)){ if(sb.verifyAuthentication(header, true)){ //XXX: for httpauth userDB user, too?
prop.put("AUTHENTICATE","admin log-in"); prop.put("AUTHENTICATE","admin log-in");
} }
} }

24
source/de/anomic/data/userDB.java
Unescape View File

@ -52,6 +52,7 @@ import java.util.HashMap;
import java.util.HashSet; import java.util.HashSet;
import java.util.Iterator; import java.util.Iterator;
import java.util.Map; import java.util.Map;
import java.util.Random;
import de.anomic.kelondro.kelondroBase64Order; import de.anomic.kelondro.kelondroBase64Order;
import de.anomic.kelondro.kelondroDyn; import de.anomic.kelondro.kelondroDyn;
@ -69,6 +70,7 @@ public final class userDB {
private final File userTableFile; private final File userTableFile;
private final int bufferkb; private final int bufferkb;
private HashMap ipUsers = new HashMap(); private HashMap ipUsers = new HashMap();
private HashMap cookieUsers = new HashMap();
public userDB(File userTableFile, int bufferkb) { public userDB(File userTableFile, int bufferkb) {
this.userTableFile = userTableFile; this.userTableFile = userTableFile;
@ -181,6 +183,9 @@ public final class userDB {
* it tests both userDB and oldstyle adminpw. * it tests both userDB and oldstyle adminpw.
* @param auth the http-headerline for authorisation * @param auth the http-headerline for authorisation
*/ */
public boolean hasAdminRight(String auth, String ip, String cookies){
return hasAdminRight(auth);
}
public boolean hasAdminRight(String auth){ public boolean hasAdminRight(String auth){
plasmaSwitchboard sb=plasmaSwitchboard.getSwitchboard(); plasmaSwitchboard sb=plasmaSwitchboard.getSwitchboard();
String adminAccountBase64MD5 = sb.getConfig("adminAccountBase64MD5", ""); String adminAccountBase64MD5 = sb.getConfig("adminAccountBase64MD5", "");
@ -241,7 +246,7 @@ public final class userDB {
return null; return null;
} }
entry.updateLastAccess(false); entry.updateLastAccess(false);
this.ipUsers.put(ip, entry.getUserName()); this.ipUsers.put(ip, entry.getUserName()); //XXX: This is insecure. TODO: use cookieauth
return entry; return entry;
} }
public Entry md5Auth(String user, String md5){ public Entry md5Auth(String user, String md5){
@ -256,6 +261,17 @@ public final class userDB {
} }
return entry; return entry;
} }
public Entry cookieAuth(String cookieString){
if(cookieUsers.containsKey(cookieString))
return (Entry) cookieUsers.get(cookieString);
return null;
}
public String getCookie(Entry entry){
Random r = new Random();
String token = Long.toString(Math.abs(r.nextLong()), 36);
cookieUsers.put(token, entry);
return token;
}
public class Entry { public class Entry {
public static final String MD5ENCODED_USERPWD_STRING = "MD5_user:pwd"; public static final String MD5ENCODED_USERPWD_STRING = "MD5_user:pwd";
@ -473,6 +489,12 @@ public final class userDB {
public boolean isLoggedOut(){ public boolean isLoggedOut(){
return (this.mem.containsKey(LOGGED_OUT)?((String)this.mem.get(LOGGED_OUT)).equals("true"):false); return (this.mem.containsKey(LOGGED_OUT)?((String)this.mem.get(LOGGED_OUT)).equals("true"):false);
} }
public void logout(String ip, String cookieString){
logout(ip);
if(cookieUsers.containsKey(cookieString)){
cookieUsers.remove(cookieString);
}
}
public void logout(String ip){ public void logout(String ip){
try{ try{
setProperty(LOGGED_OUT, "true"); setProperty(LOGGED_OUT, "true");

96
source/de/anomic/http/httpHeader.java
Unescape View File

@ -73,6 +73,7 @@ import java.util.Properties;
import java.util.TimeZone; import java.util.TimeZone;
import java.util.TreeMap; import java.util.TreeMap;
import java.util.Vector; import java.util.Vector;
import java.util.Map.Entry;
import de.anomic.server.serverCore; import de.anomic.server.serverCore;
import de.anomic.server.logging.serverLog; import de.anomic.server.logging.serverLog;
@ -776,15 +777,15 @@ public final class httpHeader extends TreeMap implements Map {
* Patch BEGIN: * Patch BEGIN:
* Name: Header Property Patch * Name: Header Property Patch
* Date: Fri. 13.01.2006 * Date: Fri. 13.01.2006
* Description: Makes possible to send header properties such as coockies back to the client. * Description: Makes possible to send header properties such as cookies back to the client.
* Part 1 of 5 * Part 1 of 5
* Questions: sergej.z@list.ru * Questions: sergej.z@list.ru
*/ */
/** /**
* Holds header properties * Holds header properties
*/ */
//Since properties such as coockies can be multiple, we cannot use HashMap here. We have to use Vector. //Since properties such as cookies can be multiple, we cannot use HashMap here. We have to use Vector.
private Vector coockies=new Vector(); private Vector cookies=new Vector();
/** /**
* *
* Implementation of Map.Entry. Structure that hold two values - exactly what we need! * Implementation of Map.Entry. Structure that hold two values - exactly what we need!
@ -802,89 +803,102 @@ public final class httpHeader extends TreeMap implements Map {
/** /**
* Sets Cookie on the client machine. * Sets Cookie on the client machine.
* *
* @param name: Coockie name * @param name: Cookie name
* @param value: Coockie value * @param value: Cookie value
* @param expires: when should this coockie be autmatically deleted. If <b>null</b> - coockie will stay forever * @param expires: when should this cookie be autmatically deleted. If <b>null</b> - cookie will stay forever
* @param path: Path the coockie belongs to. Default - "/". Can be <b>null</b>. * @param path: Path the cookie belongs to. Default - "/". Can be <b>null</b>.
* @param domain: Domain this cookie belongs to. Default - domain name. Can be <b>null</b>. * @param domain: Domain this cookie belongs to. Default - domain name. Can be <b>null</b>.
* @param secure: If true coockie will be send only over safe connection such as https * @param secure: If true cookie will be send only over safe connection such as https
* Further documentation at <a href="http://docs.sun.com/source/816-6408-10/cookies.htm">docs.sun.com</a> * Further documentation at <a href="http://docs.sun.com/source/816-6408-10/cookies.htm">docs.sun.com</a>
*/ */
public void setCoockie(String name, String value, String expires, String path, String domain, boolean secure) public void setCookie(String name, String value, String expires, String path, String domain, boolean secure)
{ {
/* /*
* TODO:Here every value can be validated for correctness if needed * TODO:Here every value can be validated for correctness if needed
* For example semicolon should be not in any of the values * For example semicolon should be not in any of the values
* However an exception in this case would be an overhead IMHO. * However an exception in this case would be an overhead IMHO.
*/ */
String coockieString=name+"="+value+";"; String cookieString=name+"="+value+";";
if(expires!=null) if(expires!=null)
coockieString+=" expires="+expires+";"; cookieString+=" expires="+expires+";";
if(path!=null) if(path!=null)
coockieString+=" path="+path+";"; cookieString+=" path="+path+";";
if(domain!=null) if(domain!=null)
coockieString+=" domain="+domain+";"; cookieString+=" domain="+domain+";";
if(secure) if(secure)
coockieString+=" secure;"; cookieString+=" secure;";
coockies.add(new Entry("Set-Cookie",coockieString)); cookies.add(new Entry("Set-Cookie",cookieString));
} }
/** /**
* Sets Cookie on the client machine. * Sets Cookie on the client machine.
* *
* @param name: Coockie name * @param name: Cookie name
* @param value: Coockie value * @param value: Cookie value
* @param expires: when should this coockie be autmatically deleted. If <b>null</b> - coockie will stay forever * @param expires: when should this cookie be autmatically deleted. If <b>null</b> - cookie will stay forever
* @param path: Path the coockie belongs to. Default - "/". Can be <b>null</b>. * @param path: Path the cookie belongs to. Default - "/". Can be <b>null</b>.
* @param domain: Domain this cookie belongs to. Default - domain name. Can be <b>null</b>. * @param domain: Domain this cookie belongs to. Default - domain name. Can be <b>null</b>.
* *
* Note: this coockie will be sent over each connection independend if it is safe connection or not. * Note: this cookie will be sent over each connection independend if it is safe connection or not.
* Further documentation at <a href="http://docs.sun.com/source/816-6408-10/cookies.htm">docs.sun.com</a> * Further documentation at <a href="http://docs.sun.com/source/816-6408-10/cookies.htm">docs.sun.com</a>
*/ */
public void setCoockie(String name, String value, String expires, String path, String domain) public void setCookie(String name, String value, String expires, String path, String domain)
{ {
setCoockie( name, value, expires, path, domain, false); setCookie( name, value, expires, path, domain, false);
} }
/** /**
* Sets Cookie on the client machine. * Sets Cookie on the client machine.
* *
* @param name: Coockie name * @param name: Cookie name
* @param value: Coockie value * @param value: Cookie value
* @param expires: when should this coockie be autmatically deleted. If <b>null</b> - coockie will stay forever * @param expires: when should this cookie be autmatically deleted. If <b>null</b> - cookie will stay forever
* @param path: Path the coockie belongs to. Default - "/". Can be <b>null</b>. * @param path: Path the cookie belongs to. Default - "/". Can be <b>null</b>.
* *
* Note: this coockie will be sent over each connection independend if it is safe connection or not. * Note: this cookie will be sent over each connection independend if it is safe connection or not.
* Further documentation at <a href="http://docs.sun.com/source/816-6408-10/cookies.htm">docs.sun.com</a> * Further documentation at <a href="http://docs.sun.com/source/816-6408-10/cookies.htm">docs.sun.com</a>
*/ */
public void setCoockie(String name, String value, String expires, String path) public void setCookie(String name, String value, String expires, String path)
{ {
setCoockie( name, value, expires, path, null, false); setCookie( name, value, expires, path, null, false);
} }
/** /**
* Sets Cookie on the client machine. * Sets Cookie on the client machine.
* *
* @param name: Coockie name * @param name: Cookie name
* @param value: Coockie value * @param value: Cookie value
* @param expires: when should this coockie be autmatically deleted. If <b>null</b> - coockie will stay forever * @param expires: when should this cookie be autmatically deleted. If <b>null</b> - cookie will stay forever
* *
* Note: this coockie will be sent over each connection independend if it is safe connection or not. * Note: this cookie will be sent over each connection independend if it is safe connection or not.
* Further documentation at <a href="http://docs.sun.com/source/816-6408-10/cookies.htm">docs.sun.com</a> * Further documentation at <a href="http://docs.sun.com/source/816-6408-10/cookies.htm">docs.sun.com</a>
*/ */
public void setCoockie(String name, String value, String expires) public void setCookie(String name, String value, String expires)
{ {
setCoockie( name, value, expires, null, null, false); setCookie( name, value, expires, null, null, false);
} }
/** /**
* Sets Cookie on the client machine. * Sets Cookie on the client machine.
* *
* @param name: Coockie name * @param name: Cookie name
* @param value: Coockie value * @param value: Cookie value
* *
* Note: this coockie will be sent over each connection independend if it is safe connection or not. This coockie never expires * Note: this cookie will be sent over each connection independend if it is safe connection or not. This cookie never expires
* Further documentation at <a href="http://docs.sun.com/source/816-6408-10/cookies.htm">docs.sun.com</a> * Further documentation at <a href="http://docs.sun.com/source/816-6408-10/cookies.htm">docs.sun.com</a>
*/ */
public void setCoockie(String name, String value ) public void setCookie(String name, String value )
{ {
setCoockie( name, value, null, null, null, false); setCookie( name, value, null, null, null, false);
}
public String getHeaderCookies(){
Iterator it = this.entrySet().iterator();
while(it.hasNext())
{
java.util.Map.Entry e = (java.util.Map.Entry) it.next();
System.out.println(""+e.getKey()+" : "+e.getValue());
if(e.getKey().equals("Cookie"))
{
return e.getValue().toString();
}
}
return "";
} }
/** /**
* Returns an iterator within all properties can be reached. * Returns an iterator within all properties can be reached.
@ -903,7 +917,7 @@ public final class httpHeader extends TreeMap implements Map {
*/ */
public Iterator getCookies() public Iterator getCookies()
{ {
return coockies.iterator(); return cookies.iterator();
} }
/* /*
* Patch END: * Patch END:

6
source/de/anomic/http/httpdFileHandler.java
Unescape View File

@ -318,11 +318,7 @@ public final class httpdFileHandler extends httpdAbstractHandler implements http
if ((path.substring(0,(pos==-1)?path.length():pos)).endsWith("_p") && (adminAccountBase64MD5.length() != 0)) { if ((path.substring(0,(pos==-1)?path.length():pos)).endsWith("_p") && (adminAccountBase64MD5.length() != 0)) {
// authentication required // authentication required
//FIXME: Form-Login is broken, until the Auth is fixed. if( (authorization != null && sb.userDB.hasAdminRight(authorization, conProp.getProperty("CLIENTIP"), requestHeader.getHeaderCookies()))){
//ipAuth is too insecure, if the users uses a proxy.
//TODO: cookieAuth or something like this.
userDB.Entry entry=null; //sb.userDB.ipAuth(conProp.getProperty(httpHeader.CONNECTION_PROP_CLIENTIP));
if( (entry != null && entry.hasAdminRight()) || (authorization != null && sb.userDB.hasAdminRight(authorization)) ){
//Authentication successful. remove brute-force flag //Authentication successful. remove brute-force flag
serverCore.bfHost.remove(conProp.getProperty("CLIENTIP")); serverCore.bfHost.remove(conProp.getProperty("CLIENTIP"));
}else if (authorization == null) { }else if (authorization == null) {

Write Preview
Loading…
Cancel
Save