implementing YaCy legacy role names

- taking out customized SecurityHandler code as the original/default seems to just work fine - with this individual sec. constraints can be applied via web.xml (using legacy role names)
11 years ago · cb6d0c2113
parent 530b9f6de8
commit cb6d0c2113
2 changed files with 19 additions and 137 deletions
--- a/source/net/yacy/http/Jetty8YaCySecurityHandler.java
+++ b/source/net/yacy/http/Jetty8YaCySecurityHandler.java
@ -24,14 +24,7 @@
 package net.yacy.http;
 import java.io.IOException;
 import java.net.MalformedURLException;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Set;
 import java.util.TreeSet;
 import javax.servlet.http.HttpServletResponse;
 import net.yacy.cora.document.id.MultiProtocolURL;
 import net.yacy.cora.protocol.Domains;
@ -40,15 +33,9 @@ import net.yacy.search.Switchboard;
 import net.yacy.search.SwitchboardConstants;
 import net.yacy.server.serverAccessTracker;
 import org.eclipse.jetty.http.HttpSchemes;
 import org.eclipse.jetty.security.ConstraintSecurityHandler;
 import org.eclipse.jetty.security.RoleInfo;
 import org.eclipse.jetty.security.UserDataConstraint;
 import org.eclipse.jetty.server.AbstractHttpConnection;
 import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.Request;
 import org.eclipse.jetty.server.Response;
 import org.eclipse.jetty.server.UserIdentity;
 /**
 * jetty security handler
@ -65,110 +52,6 @@ public class Jetty8YaCySecurityHandler extends ConstraintSecurityHandler {
        }
    }
    @Override
    protected boolean checkUserDataPermissions(String pathInContext, Request request, Response response, Object constraintInfo) throws IOException   
     // check the SecurityHandler code, denying here does not provide authentication
     // - identical with ConstraintSecurityHandler.checkUserDataPermissions implementation of Jetty source distribution
    { 
        if (constraintInfo == null)
            return true;
        RoleInfo roleInfo = (RoleInfo)constraintInfo;
        if (roleInfo.isForbidden())
            return false;
        UserDataConstraint dataConstraint = roleInfo.getUserDataConstraint();
        if (dataConstraint == null || dataConstraint == UserDataConstraint.None)
        {
            return true;
        }
        AbstractHttpConnection connection = AbstractHttpConnection.getCurrentConnection();
        Connector connector = connection.getConnector();
        if (dataConstraint == UserDataConstraint.Integral)
        {
            if (connector.isIntegral(request))
                return true;
            if (connector.getIntegralPort() > 0)
            {
                String scheme=connector.getIntegralScheme();
                int port=connector.getIntegralPort();
                String url = (HttpSchemes.HTTPS.equalsIgnoreCase(scheme) && port==443)
                    ? "https://"+request.getServerName()+request.getRequestURI()
                    : scheme + "://" + request.getServerName() + ":" + port + request.getRequestURI();
                if (request.getQueryString() != null)
                    url += "?" + request.getQueryString();
                response.setContentLength(0);
                response.sendRedirect(url);
            }
            else
                response.sendError(HttpServletResponse.SC_FORBIDDEN,"!Integral");
            request.setHandled(true);
            return false;
        }
        else if (dataConstraint == UserDataConstraint.Confidential)
        {
            if (connector.isConfidential(request))
                return true;
            if (connector.getConfidentialPort() > 0)
            {
                String scheme=connector.getConfidentialScheme();
                int port=connector.getConfidentialPort();
                String url = (HttpSchemes.HTTPS.equalsIgnoreCase(scheme) && port==443)
                    ? "https://"+request.getServerName()+request.getRequestURI()
                    : scheme + "://" + request.getServerName() + ":" + port + request.getRequestURI();                    
                if (request.getQueryString() != null)
                    url += "?" + request.getQueryString();
                response.setContentLength(0);
                response.sendRedirect(url);
            }
            else
                response.sendError(HttpServletResponse.SC_FORBIDDEN,"!Confidential");
            request.setHandled(true);
            return false;
        }
        else
        {
            throw new IllegalArgumentException("Invalid dataConstraint value: " + dataConstraint);
        }
    }        
    @Override
    protected boolean checkWebResourcePermissions(String pathInContext, Request request,
            Response response, Object constraintInfo, UserIdentity userIdentity) throws IOException {
        // deny and request for authentication, if necessary
        // - identical with ConstraintSecurityHandler.checkWebResourcePermissions implementation of Jetty source distribution    
        if (constraintInfo == null) {
            return true;
        }
        RoleInfo roleInfo = (RoleInfo) constraintInfo;
        if (!roleInfo.isChecked()) {
            return true;
        }
        if (roleInfo.isAnyRole() && request.getAuthType() != null) {
            return true;
        }
        for (String role : roleInfo.getRoles()) {
            if (userIdentity.isUserInRole(role, null)) {
                return true;
            }
        }
        return false;
    }
    @Override
    protected boolean isAuthMandatory(Request baseRequest, Response base_response, Object constraintInfo) {
        // identical with ConstraintSecurityHandler.isAuthMandatory implementation of Jetty source distribution
        return constraintInfo != null && ((RoleInfo) constraintInfo).isChecked();
    }
     /**
     * create the constraint for the given path
     * for urls containing *_p. (like info_p.html) admin access is required,
@ -211,12 +94,8 @@ public class Jetty8YaCySecurityHandler extends ConstraintSecurityHandler {
                roleinfo.setChecked(true); // RoleInfo.setChecked() : in Jetty this means - marked to have any security constraint
                roleinfo.addRole(AccessRight.ADMIN_RIGHT.toString()); // use AccessRights as role
                return roleinfo;
-            } // can omit else, as if grantedForLocalhost==true no constraint applies
+            } 
              // TODO: is this correct or adminAccountBase64MD5 not empty check neccessary ?
        }
-        // DefaultServlet is not path security aware (at this time makes not sense to call super, yet -> would work on other servlets)
+        return (RoleInfo)super.prepareConstraintInfo(pathInContext, request);
        // return (RoleInfo)super.prepareConstraintInfo(pathInContext, request);
        return null;
    }
 }
--- a/source/net/yacy/http/YaCyLoginService.java
+++ b/source/net/yacy/http/YaCyLoginService.java
@ -53,7 +53,6 @@ public class YaCyLoginService extends MappedLoginService implements LoginService
    @Override
    protected UserIdentity loadUser(String username) {    
        // TODO: implement legacy credentials
        final Switchboard sb = Switchboard.getSwitchboard();
        String adminuser = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME, "admin");
        if (username.equals(adminuser)) {
@ -75,19 +74,23 @@ public class YaCyLoginService extends MappedLoginService implements LoginService
        }
        Entry user = sb.userDB.getEntry(username);
        if (user != null) {
-            if (user.hasRight(AccessRight.ADMIN_RIGHT)) {
+            // assigning roles from userDB
-                String[] role = new String[]{AccessRight.ADMIN_RIGHT.toString()};
+            String[] role = new String[AccessRight.values().length];
-
+            int i = 0;
-                Credential credential = YaCyLegacyCredential.getCredentials(username, user.getMD5EncodedUserPwd());
+            for (final AccessRight right : AccessRight.values()) {
-                Principal userPrincipal = new MappedLoginService.KnownUser(username, credential);
+                if (user.hasRight(right)) {
-                Subject subject = new Subject();
+                    role[i] = right.toString();
-                subject.getPrincipals().add(userPrincipal);
+                    i++;
-                subject.getPrivateCredentials().add(credential);
+                }
                subject.setReadOnly();
                IdentityService is = getIdentityService();
                return is.newUserIdentity(subject, userPrincipal, role);
            }
            Credential credential = YaCyLegacyCredential.getCredentials(username, user.getMD5EncodedUserPwd());
            Principal userPrincipal = new MappedLoginService.KnownUser(username, credential);
            Subject subject = new Subject();
            subject.getPrincipals().add(userPrincipal);
            subject.getPrivateCredentials().add(credential);
            subject.setReadOnly();
            IdentityService is = getIdentityService();
            return is.newUserIdentity(subject, userPrincipal, role);
        }
        return null;
    }