boxtec
/
yacy_search_server
mirror of https://github.com/yacy/yacy_search_server
4
1
Fork 0
Code Issues Projects Releases Wiki Activity

implementing YaCy legacy role names

Browse Source 
- taking out customized SecurityHandler code as the original/default seems to just work fine
- with this individual sec. constraints can be applied via web.xml (using legacy role names)
pull/1/head
reger 11 years ago
parent 530b9f6de8
commit cb6d0c2113
2 changed files with 19 additions and 137 deletions
Show Stats Download Patch File Download Diff File

125
source/net/yacy/http/Jetty8YaCySecurityHandler.java
Unescape View File

@ -24,14 +24,7 @@
package net.yacy.http;
import java.io.IOException;
import java.net.MalformedURLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import javax.servlet.http.HttpServletResponse;
import net.yacy.cora.document.id.MultiProtocolURL;
import net.yacy.cora.protocol.Domains;
@ -40,15 +33,9 @@ import net.yacy.search.Switchboard;
import net.yacy.search.SwitchboardConstants;
import net.yacy.server.serverAccessTracker;
import org.eclipse.jetty.http.HttpSchemes;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.RoleInfo;
import org.eclipse.jetty.security.UserDataConstraint;
import org.eclipse.jetty.server.AbstractHttpConnection;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Response;
import org.eclipse.jetty.server.UserIdentity;
/**
* jetty security handler
@ -65,110 +52,6 @@ public class Jetty8YaCySecurityHandler extends ConstraintSecurityHandler {
}
}
@Override
protected boolean checkUserDataPermissions(String pathInContext, Request request, Response response, Object constraintInfo) throws IOException
// check the SecurityHandler code, denying here does not provide authentication
// - identical with ConstraintSecurityHandler.checkUserDataPermissions implementation of Jetty source distribution
{
if (constraintInfo == null)
return true;
RoleInfo roleInfo = (RoleInfo)constraintInfo;
if (roleInfo.isForbidden())
return false;
UserDataConstraint dataConstraint = roleInfo.getUserDataConstraint();
if (dataConstraint == null || dataConstraint == UserDataConstraint.None)
{
return true;
}
AbstractHttpConnection connection = AbstractHttpConnection.getCurrentConnection();
Connector connector = connection.getConnector();
if (dataConstraint == UserDataConstraint.Integral)
{
if (connector.isIntegral(request))
return true;
if (connector.getIntegralPort() > 0)
{
String scheme=connector.getIntegralScheme();
int port=connector.getIntegralPort();
String url = (HttpSchemes.HTTPS.equalsIgnoreCase(scheme) && port==443)
? "https://"+request.getServerName()+request.getRequestURI()
: scheme + "://" + request.getServerName() + ":" + port + request.getRequestURI();
if (request.getQueryString() != null)
url += "?" + request.getQueryString();
response.setContentLength(0);
response.sendRedirect(url);
}
else
response.sendError(HttpServletResponse.SC_FORBIDDEN,"!Integral");
request.setHandled(true);
return false;
}
else if (dataConstraint == UserDataConstraint.Confidential)
{
if (connector.isConfidential(request))
return true;
if (connector.getConfidentialPort() > 0)
{
String scheme=connector.getConfidentialScheme();
int port=connector.getConfidentialPort();
String url = (HttpSchemes.HTTPS.equalsIgnoreCase(scheme) && port==443)
? "https://"+request.getServerName()+request.getRequestURI()
: scheme + "://" + request.getServerName() + ":" + port + request.getRequestURI();
if (request.getQueryString() != null)
url += "?" + request.getQueryString();
response.setContentLength(0);
response.sendRedirect(url);
}
else
response.sendError(HttpServletResponse.SC_FORBIDDEN,"!Confidential");
request.setHandled(true);
return false;
}
else
{
throw new IllegalArgumentException("Invalid dataConstraint value: " + dataConstraint);
}
}
@Override
protected boolean checkWebResourcePermissions(String pathInContext, Request request,
Response response, Object constraintInfo, UserIdentity userIdentity) throws IOException {
// deny and request for authentication, if necessary
// - identical with ConstraintSecurityHandler.checkWebResourcePermissions implementation of Jetty source distribution
if (constraintInfo == null) {
return true;
}
RoleInfo roleInfo = (RoleInfo) constraintInfo;
if (!roleInfo.isChecked()) {
return true;
}
if (roleInfo.isAnyRole() && request.getAuthType() != null) {
return true;
}
for (String role : roleInfo.getRoles()) {
if (userIdentity.isUserInRole(role, null)) {
return true;
}
}
return false;
}
@Override
protected boolean isAuthMandatory(Request baseRequest, Response base_response, Object constraintInfo) {
// identical with ConstraintSecurityHandler.isAuthMandatory implementation of Jetty source distribution
return constraintInfo != null && ((RoleInfo) constraintInfo).isChecked();
}
/**
* create the constraint for the given path
* for urls containing *_p. (like info_p.html) admin access is required,
@ -211,12 +94,8 @@ public class Jetty8YaCySecurityHandler extends ConstraintSecurityHandler {
roleinfo.setChecked(true); // RoleInfo.setChecked() : in Jetty this means - marked to have any security constraint
roleinfo.addRole(AccessRight.ADMIN_RIGHT.toString()); // use AccessRights as role
return roleinfo;
} // can omit else, as if grantedForLocalhost==true no constraint applies
// TODO: is this correct or adminAccountBase64MD5 not empty check neccessary ?
}
}
// DefaultServlet is not path security aware (at this time makes not sense to call super, yet -> would work on other servlets)
// return (RoleInfo)super.prepareConstraintInfo(pathInContext, request);
return null;
return (RoleInfo)super.prepareConstraintInfo(pathInContext, request);
}
}

31
source/net/yacy/http/YaCyLoginService.java
Unescape View File

@ -53,7 +53,6 @@ public class YaCyLoginService extends MappedLoginService implements LoginService
@Override
protected UserIdentity loadUser(String username) {
// TODO: implement legacy credentials
final Switchboard sb = Switchboard.getSwitchboard();
String adminuser = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME, "admin");
if (username.equals(adminuser)) {
@ -75,19 +74,23 @@ public class YaCyLoginService extends MappedLoginService implements LoginService
}
Entry user = sb.userDB.getEntry(username);
if (user != null) {
if (user.hasRight(AccessRight.ADMIN_RIGHT)) {
String[] role = new String[]{AccessRight.ADMIN_RIGHT.toString()};
Credential credential = YaCyLegacyCredential.getCredentials(username, user.getMD5EncodedUserPwd());
Principal userPrincipal = new MappedLoginService.KnownUser(username, credential);
Subject subject = new Subject();
subject.getPrincipals().add(userPrincipal);
subject.getPrivateCredentials().add(credential);
subject.setReadOnly();
IdentityService is = getIdentityService();
return is.newUserIdentity(subject, userPrincipal, role);
}
// assigning roles from userDB
String[] role = new String[AccessRight.values().length];
int i = 0;
for (final AccessRight right : AccessRight.values()) {
if (user.hasRight(right)) {
role[i] = right.toString();
i++;
}
}
Credential credential = YaCyLegacyCredential.getCredentials(username, user.getMD5EncodedUserPwd());
Principal userPrincipal = new MappedLoginService.KnownUser(username, credential);
Subject subject = new Subject();
subject.getPrincipals().add(userPrincipal);
subject.getPrivateCredentials().add(credential);
subject.setReadOnly();
IdentityService is = getIdentityService();
return is.newUserIdentity(subject, userPrincipal, role);
}
return null;
}

Write Preview
Loading…
Cancel
Save