move Digest auth checks from DefaultServlet to adminAuthenticated,

eliminating the need to modify http header on Servlet container handled Digest authentication, to simulate Basic auth for YaCy servlets.
8 years ago · f7e9f9be5f
parent 0b4e7795df
commit f7e9f9be5f
2 changed files with 19 additions and 30 deletions
--- a/source/net/yacy/http/servlets/YaCyDefaultServlet.java
+++ b/source/net/yacy/http/servlets/YaCyDefaultServlet.java
@ -69,8 +69,6 @@ import net.yacy.cora.protocol.RequestHeader;
 import net.yacy.cora.util.ByteBuffer;
 import net.yacy.cora.util.ConcurrentLog;
 import net.yacy.data.InvalidURLLicenceException;
-import net.yacy.data.UserDB.AccessRight;
-import net.yacy.data.UserDB.Entry;
 import net.yacy.kelondro.util.FileUtils;
 import net.yacy.kelondro.util.MemoryControl;
 import net.yacy.kelondro.util.NamePrefixThreadFactory;
@ -738,31 +736,6 @@ public class YaCyDefaultServlet extends HttpServlet  {

        legacyRequestHeader.put(HeaderFramework.CONNECTION_PROP_PATH, target); // target may contain a server side include (SSI)
        legacyRequestHeader.put(HeaderFramework.CONNECTION_PROP_EXT, targetExt);
-        Switchboard sb = Switchboard.getSwitchboard();
-        if (legacyRequestHeader.containsKey(RequestHeader.AUTHORIZATION)) {
-            if (HttpServletRequest.BASIC_AUTH.equalsIgnoreCase(request.getAuthType())) {
-            } else {
-                // handle DIGEST auth for legacyHeader (create username:md5pwdhash
-                if (request.getUserPrincipal() != null) {
-                    String userpassEncoded = request.getHeader(RequestHeader.AUTHORIZATION); // e.g. "Basic AdminMD5hash"
-                    if (userpassEncoded != null) {
-                        if (request.isUserInRole(AccessRight.ADMIN_RIGHT.toString()) && !sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5,"").isEmpty()) {
-                            // fake admin authentication for legacyRequestHeader (as e.g. DIGEST is not supported by legacyRequestHeader)
-                            legacyRequestHeader.put(RequestHeader.AUTHORIZATION, HttpServletRequest.BASIC_AUTH + " "
-                                    + sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, ""));
-                        } else {
-                            // fake Basic auth header for Digest auth  (Basic username:md5pwdhash)
-                            String username = request.getRemoteUser();
-                            Entry user = sb.userDB.getEntry(username);
-                            if (user != null) {
-                                legacyRequestHeader.put(RequestHeader.AUTHORIZATION, HttpServletRequest.BASIC_AUTH + " "
-                                        + username + ":" + user.getMD5EncodedUserPwd());
-                            }
-                        }
-                    }
-                }
-            }
-        }
        return legacyRequestHeader;
    }

--- a/source/net/yacy/search/Switchboard.java
+++ b/source/net/yacy/search/Switchboard.java
@ -82,6 +82,7 @@ import java.util.zip.GZIPInputStream;
 import java.util.zip.GZIPOutputStream;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipInputStream;
+import javax.servlet.http.HttpServletRequest;

 import org.apache.solr.common.SolrDocument;
 import org.apache.solr.common.SolrInputDocument;
@ -143,6 +144,7 @@ import net.yacy.data.BookmarksDB;
 import net.yacy.data.ListManager;
 import net.yacy.data.MessageBoard;
 import net.yacy.data.UserDB;
+import net.yacy.data.UserDB.AccessRight;
 import net.yacy.data.WorkTables;
 import net.yacy.data.wiki.WikiBoard;
 import net.yacy.data.wiki.WikiCode;
@ -3530,9 +3532,23 @@ public final class Switchboard extends serverSwitch {
            return 1;
        }

-        // security check against too long authorization strings
-        if ( realmValue.length() > 256 ) {
-            return 0;
+        if (HttpServletRequest.BASIC_AUTH.equalsIgnoreCase(requestHeader.getAuthType())) {
+            // security check against too long authorization strings (for BASIC auth)
+            if (realmValue.length() > 256) {
+                return 0;
+            }
+        } else {
+            // handle DIGEST auth by servlet container
+            if (requestHeader.getUserPrincipal() != null) { // user is authenticated (by Servlet container)
+                if (requestHeader.isUserInRole(AccessRight.ADMIN_RIGHT.toString())) {
+                    // we could double check admin right (but we trust embedded container)
+                    // String username = requestHeader.getUserPrincipal().getName();
+                    // if ((username.equalsIgnoreCase(sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME, "admin")))
+                    //        || (sb.userDB.getEntry(username).hasRight(AccessRight.ADMIN_RIGHT)))
+                    adminAuthenticationLastAccess = System.currentTimeMillis();
+                    return 4; // has admin right
+                }
+            }
        }

        // authorization by encoded password, only for localhost access