make SecurityHandler webappcontext ready

11 years ago · f09dbbef96
parent 37f2a82a5d
commit f09dbbef96
3 changed files with 38 additions and 6 deletions
--- a/defaults/web.xml
+++ b/defaults/web.xml
@ -66,4 +66,20 @@
        <welcome-file>Welcome.html</welcome-file>
    </welcome-file-list>

+    <!-- security configuration -->
+    <!-- authentication method and default roles are preconfigured by the application (provided only for completness) -->    
+    <!--
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>YaCy Admin Interface</realm-name>
+    </login-config>
+    -->
+    
+    <!-- Roles -->
+    <!--
+    <security-role>
+        <role-name>adminRight</role-name>
+        <description>Administrator</description>
+    </security-role>
+    -->
 </web-app>
--- a/source/net/yacy/http/Jetty8HttpServerImpl.java
+++ b/source/net/yacy/http/Jetty8HttpServerImpl.java
@ -165,8 +165,10 @@ public class Jetty8HttpServerImpl implements YaCyHttpServer {
        LoginService loginService = new YaCyLoginService();
        securityHandler.setLoginService(loginService);
        securityHandler.setRealmName(loginService.getName());
-        securityHandler.setHandler(new CrashProtectionHandler(allrequesthandlers));

+        htrootContext.setSecurityHandler(securityHandler);
+        
+        Handler crashHandler = new CrashProtectionHandler(allrequesthandlers);
        // check server access restriction and add IPAccessHandler if restrictions are needed
        // otherwise don't (to save performance)
        String white = sb.getConfig("serverClient", "*");
@ -181,14 +183,14 @@ public class Jetty8HttpServerImpl implements YaCyHttpServer {
            }          
            if (i > 0) {
                iphandler.addWhite("127.0.0.1"); // allow localhost (loopback addr)
-                iphandler.setHandler(securityHandler); 
+                iphandler.setHandler(crashHandler);
                server.setHandler(iphandler);
                ConcurrentLog.info("SERVER","activated IP access restriction to: [127.0.0.1," + white +"] (this works only correct with start parameter -Djava.net.preferIPv4Stack=true)");
            } else {
-                server.setHandler(securityHandler); // iphandler not needed
+                server.setHandler(crashHandler); // iphandler not needed
            }
        } else {
-            server.setHandler(securityHandler); // iphandler not needed
+            server.setHandler(crashHandler); // iphandler not needed
        }        
    }

--- a/source/net/yacy/http/Jetty8YaCySecurityHandler.java
+++ b/source/net/yacy/http/Jetty8YaCySecurityHandler.java
@ -26,6 +26,10 @@ package net.yacy.http;

 import java.io.IOException;
 import java.net.MalformedURLException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+import java.util.TreeSet;

 import javax.servlet.http.HttpServletResponse;

@ -37,8 +41,8 @@ import net.yacy.search.SwitchboardConstants;
 import net.yacy.server.serverAccessTracker;

 import org.eclipse.jetty.http.HttpSchemes;
+import org.eclipse.jetty.security.ConstraintSecurityHandler;
 import org.eclipse.jetty.security.RoleInfo;
-import org.eclipse.jetty.security.SecurityHandler;
 import org.eclipse.jetty.security.UserDataConstraint;
 import org.eclipse.jetty.server.AbstractHttpConnection;
 import org.eclipse.jetty.server.Connector;
@ -51,7 +55,15 @@ import org.eclipse.jetty.server.UserIdentity;
 * demands authentication for pages with _p. inside
 * and updates AccessTracker
 */
-public class Jetty8YaCySecurityHandler extends SecurityHandler {
+public class Jetty8YaCySecurityHandler extends ConstraintSecurityHandler {
+   
+    public Jetty8YaCySecurityHandler() {
+        super();
+
+        for (AccessRight right : AccessRight.values()) {
+            addRole(right.toString()); // add default YaCy roles
+        }
+    }

    @Override
    protected boolean checkUserDataPermissions(String pathInContext, Request request, Response response, Object constraintInfo) throws IOException   
@ -202,6 +214,8 @@ public class Jetty8YaCySecurityHandler extends SecurityHandler {
            } // can omit else, as if grantedForLocalhost==true no constraint applies
              // TODO: is this correct or adminAccountBase64MD5 not empty check neccessary ?
        }
+        // DefaultServlet is not path security aware (at this time makes not sense to call super, yet -> would work on other servlets)
+        // return (RoleInfo)super.prepareConstraintInfo(pathInContext, request);
        return null;
    }