@ -24,14 +24,7 @@
package net.yacy.http ;
import java.io.IOException ;
import java.net.MalformedURLException ;
import java.util.ArrayList ;
import java.util.List ;
import java.util.Set ;
import java.util.TreeSet ;
import javax.servlet.http.HttpServletResponse ;
import net.yacy.cora.document.id.MultiProtocolURL ;
import net.yacy.cora.protocol.Domains ;
@ -40,15 +33,9 @@ import net.yacy.search.Switchboard;
import net.yacy.search.SwitchboardConstants ;
import net.yacy.server.serverAccessTracker ;
import org.eclipse.jetty.http.HttpSchemes ;
import org.eclipse.jetty.security.ConstraintSecurityHandler ;
import org.eclipse.jetty.security.RoleInfo ;
import org.eclipse.jetty.security.UserDataConstraint ;
import org.eclipse.jetty.server.AbstractHttpConnection ;
import org.eclipse.jetty.server.Connector ;
import org.eclipse.jetty.server.Request ;
import org.eclipse.jetty.server.Response ;
import org.eclipse.jetty.server.UserIdentity ;
/ * *
* jetty security handler
@ -65,110 +52,6 @@ public class Jetty8YaCySecurityHandler extends ConstraintSecurityHandler {
}
}
@Override
protected boolean checkUserDataPermissions ( String pathInContext , Request request , Response response , Object constraintInfo ) throws IOException
// check the SecurityHandler code, denying here does not provide authentication
// - identical with ConstraintSecurityHandler.checkUserDataPermissions implementation of Jetty source distribution
{
if ( constraintInfo = = null )
return true ;
RoleInfo roleInfo = ( RoleInfo ) constraintInfo ;
if ( roleInfo . isForbidden ( ) )
return false ;
UserDataConstraint dataConstraint = roleInfo . getUserDataConstraint ( ) ;
if ( dataConstraint = = null | | dataConstraint = = UserDataConstraint . None )
{
return true ;
}
AbstractHttpConnection connection = AbstractHttpConnection . getCurrentConnection ( ) ;
Connector connector = connection . getConnector ( ) ;
if ( dataConstraint = = UserDataConstraint . Integral )
{
if ( connector . isIntegral ( request ) )
return true ;
if ( connector . getIntegralPort ( ) > 0 )
{
String scheme = connector . getIntegralScheme ( ) ;
int port = connector . getIntegralPort ( ) ;
String url = ( HttpSchemes . HTTPS . equalsIgnoreCase ( scheme ) & & port = = 443 )
? "https://" + request . getServerName ( ) + request . getRequestURI ( )
: scheme + "://" + request . getServerName ( ) + ":" + port + request . getRequestURI ( ) ;
if ( request . getQueryString ( ) ! = null )
url + = "?" + request . getQueryString ( ) ;
response . setContentLength ( 0 ) ;
response . sendRedirect ( url ) ;
}
else
response . sendError ( HttpServletResponse . SC_FORBIDDEN , "!Integral" ) ;
request . setHandled ( true ) ;
return false ;
}
else if ( dataConstraint = = UserDataConstraint . Confidential )
{
if ( connector . isConfidential ( request ) )
return true ;
if ( connector . getConfidentialPort ( ) > 0 )
{
String scheme = connector . getConfidentialScheme ( ) ;
int port = connector . getConfidentialPort ( ) ;
String url = ( HttpSchemes . HTTPS . equalsIgnoreCase ( scheme ) & & port = = 443 )
? "https://" + request . getServerName ( ) + request . getRequestURI ( )
: scheme + "://" + request . getServerName ( ) + ":" + port + request . getRequestURI ( ) ;
if ( request . getQueryString ( ) ! = null )
url + = "?" + request . getQueryString ( ) ;
response . setContentLength ( 0 ) ;
response . sendRedirect ( url ) ;
}
else
response . sendError ( HttpServletResponse . SC_FORBIDDEN , "!Confidential" ) ;
request . setHandled ( true ) ;
return false ;
}
else
{
throw new IllegalArgumentException ( "Invalid dataConstraint value: " + dataConstraint ) ;
}
}
@Override
protected boolean checkWebResourcePermissions ( String pathInContext , Request request ,
Response response , Object constraintInfo , UserIdentity userIdentity ) throws IOException {
// deny and request for authentication, if necessary
// - identical with ConstraintSecurityHandler.checkWebResourcePermissions implementation of Jetty source distribution
if ( constraintInfo = = null ) {
return true ;
}
RoleInfo roleInfo = ( RoleInfo ) constraintInfo ;
if ( ! roleInfo . isChecked ( ) ) {
return true ;
}
if ( roleInfo . isAnyRole ( ) & & request . getAuthType ( ) ! = null ) {
return true ;
}
for ( String role : roleInfo . getRoles ( ) ) {
if ( userIdentity . isUserInRole ( role , null ) ) {
return true ;
}
}
return false ;
}
@Override
protected boolean isAuthMandatory ( Request baseRequest , Response base_response , Object constraintInfo ) {
// identical with ConstraintSecurityHandler.isAuthMandatory implementation of Jetty source distribution
return constraintInfo ! = null & & ( ( RoleInfo ) constraintInfo ) . isChecked ( ) ;
}
/ * *
* create the constraint for the given path
* for urls containing * _p . ( like info_p . html ) admin access is required ,
@ -211,12 +94,8 @@ public class Jetty8YaCySecurityHandler extends ConstraintSecurityHandler {
roleinfo . setChecked ( true ) ; // RoleInfo.setChecked() : in Jetty this means - marked to have any security constraint
roleinfo . addRole ( AccessRight . ADMIN_RIGHT . toString ( ) ) ; // use AccessRights as role
return roleinfo ;
} // can omit else, as if grantedForLocalhost==true no constraint applies
// TODO: is this correct or adminAccountBase64MD5 not empty check neccessary ?
}
// DefaultServlet is not path security aware (at this time makes not sense to call super, yet -> would work on other servlets)
// return (RoleInfo)super.prepareConstraintInfo(pathInContext, request);
return null ;
}
return ( RoleInfo ) super . prepareConstraintInfo ( pathInContext , request ) ;
}
}
reger
11 years ago