yacy_search_server/source/net/yacy/http/YaCyLoginService.java

//
//  YaCyLoginService
//  Copyright 2011 by Florian Richter
//  First released 16.04.2011 at http://yacy.net
//  
//  $LastChangedDate$
//  $LastChangedRevision$
//  $LastChangedBy$
//
//  This library is free software; you can redistribute it and/or
//  modify it under the terms of the GNU Lesser General Public
//  License as published by the Free Software Foundation; either
//  version 2.1 of the License, or (at your option) any later version.
//  
//  This library is distributed in the hope that it will be useful,
//  but WITHOUT ANY WARRANTY; without even the implied warranty of
//  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
//  Lesser General Public License for more details.
//  
//  You should have received a copy of the GNU Lesser General Public License
//  along with this program in the file lgpl21.txt
//  If not, see <http://www.gnu.org/licenses/>.
//

package net.yacy.http;

import java.io.IOException;
import java.util.ArrayList;
import net.yacy.data.UserDB.AccessRight;
import net.yacy.data.UserDB.Entry;
import net.yacy.search.Switchboard;
import net.yacy.search.SwitchboardConstants;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.MappedLoginService;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.security.Credential;

/**
 * jetty login service, provides admin and YaCy.UserDB users with role assignment
 * with DIGEST auth by default Jetty uses the name of the loginSevice as realmname (which is part of all password hashes)
 */
public class YaCyLoginService extends MappedLoginService implements LoginService {

    @Override
    protected UserIdentity loadUser(String username) {    
        if (username == null || username.isEmpty()) return null; // quick exit

        final Switchboard sb = Switchboard.getSwitchboard();
        String adminuser = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME, "admin");
        Credential credential = null;
        String[] roles = null;
        if (username.equals(adminuser)) {
            final String adminAccountBase64MD5 = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "");
            // in YaCy the credential hash is composed of username:pwd so the username is needed to create valid credential
            // not just the password (as usually in Jetty). As the accountname for the std. adminuser is not stored a useridentity
            // is created for current user (and the pwd checked against the stored  username:pwd setting)
            credential = YaCyLegacyCredential.getCredentialForAdmin(username, adminAccountBase64MD5);
            // TODO: YaCy user:pwd hashes should longterm likely be switched to separable username + pwd-hash entries
            //       and/or the standard admin account username shuld be fix = "admin"
            roles = new String[]{AccessRight.ADMIN_RIGHT.toString()};
        } else {
            Entry user = sb.userDB.getEntry(username);
            if (user != null && user.getMD5EncodedUserPwd() != null) {
                // assigning roles from userDB
                ArrayList<String> roletmp = new ArrayList<String>();
                for (final AccessRight right : AccessRight.values()) {
                    if (user.hasRight(right)) {
                        roletmp.add(right.toString());
                    }
                }
                if (roletmp.size() > 0) roles = roletmp.toArray(new String[roletmp.size()]);
                credential = YaCyLegacyCredential.getCredentialForUserDB(username, user.getMD5EncodedUserPwd());
            }
        }

        if (credential != null) {
            if (roles != null) {
                return putUser(username, credential, roles);
            } else {
                return putUser(username, credential); // w/o role makes not much sense, but succeeds login....
            }
        }
        return null;
    }

    @Override
    protected void loadUsers() throws IOException {
	// don't load any users into MappedLoginService on startup
        // we use loadUser for dynamic checking
    }

}
* authentication implemented with own securityhandler 2011-03-16 17:39:31 +01:00			`//`
			`// YaCyLoginService`
			`// Copyright 2011 by Florian Richter`
			`// First released 16.04.2011 at http://yacy.net`
			`//`
			`// $LastChangedDate$`
			`// $LastChangedRevision$`
			`// $LastChangedBy$`
			`//`
			`// This library is free software; you can redistribute it and/or`
			`// modify it under the terms of the GNU Lesser General Public`
			`// License as published by the Free Software Foundation; either`
			`// version 2.1 of the License, or (at your option) any later version.`
			`//`
			`// This library is distributed in the hope that it will be useful,`
			`// but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU`
			`// Lesser General Public License for more details.`
			`//`
			`// You should have received a copy of the GNU Lesser General Public License`
			`// along with this program in the file lgpl21.txt`
			`// If not, see <http://www.gnu.org/licenses/>.`
			`//`

* add copyright info * implement basic authentication * update jetty to 7.3.0 2011-03-15 00:33:36 +01:00			`package net.yacy.http;`

			`import java.io.IOException;`
implemented DIGEST authentication, which is for remote login more secure as BASIC were pwd is transmitted near clear text (B64enc). This has some implication as RFC 2617 requires and recommends a password hash MD5(user:realm:pwd) for DIGEST. !!! before activating DIGEST you have to reassign all passwords !!! to allow new calculation of the hash - default authentication is still BASIC - configuration at this time only manually in (DATA/settings) or defaults/web.xml (<auth-method> - the realmname is in defaults/yacy.init adminRealm=YaCy-AdminUI - fyi: the realmname is shown on login screen - changing the realm name invalidates all passwords - but for security you are encouraged to do so (as localhostadmin) - implemented to support both, old hashes for BASIC and new hashes for BASIC and DIGEST - to differentiate old / new hash the in Jetty used hash-prefix "MD5:" is used for new pwd-hashes ( "MD5:hash" ) 2014-01-17 00:02:23 +01:00			`import java.util.ArrayList;`
tweak Jetty credentials to work with YaCy UserDB - user entry in UserDB with admin right can login to access protected pages - dto. admin user, choosen username is stored in conf (adminAccountUserName=) 2013-12-27 06:45:22 +01:00			`import net.yacy.data.UserDB.AccessRight;`
			`import net.yacy.data.UserDB.Entry;`
Merge branch 'master' of ssh://gitorious.org/yacy/rc1 into jetty Conflicts: .classpath build.xml htroot/Status.java source/de/anomic/http/server/HTTPDProxyHandler.java source/net/yacy/yacy.java 2012-06-29 21:16:20 +02:00			`import net.yacy.search.Switchboard;`
nasty quick fix for admin login with other username as admin - userDB is not sync'ed with Jetty credentials as of now only the std. admin account can login switched initial browser open with ssl active back to std. http port 2013-12-27 02:59:19 +01:00			`import net.yacy.search.SwitchboardConstants;`
set a realm message to log-in input window which explains that a password for the account 'admin' can be (re-)set with the script bin/passwd.sh 2014-01-05 17:43:34 +01:00			`import org.eclipse.jetty.security.LoginService;`
* add copyright info * implement basic authentication * update jetty to 7.3.0 2011-03-15 00:33:36 +01:00			`import org.eclipse.jetty.security.MappedLoginService;`
			`import org.eclipse.jetty.server.UserIdentity;`
update to Jetty 9 jars - include javax.servlet 3.0 2013-09-14 20:49:05 +02:00			`import org.eclipse.jetty.util.security.Credential;`
* add copyright info * implement basic authentication * update jetty to 7.3.0 2011-03-15 00:33:36 +01:00
* authentication implemented with own securityhandler 2011-03-16 17:39:31 +01:00			`/**`
implemented DIGEST authentication, which is for remote login more secure as BASIC were pwd is transmitted near clear text (B64enc). This has some implication as RFC 2617 requires and recommends a password hash MD5(user:realm:pwd) for DIGEST. !!! before activating DIGEST you have to reassign all passwords !!! to allow new calculation of the hash - default authentication is still BASIC - configuration at this time only manually in (DATA/settings) or defaults/web.xml (<auth-method> - the realmname is in defaults/yacy.init adminRealm=YaCy-AdminUI - fyi: the realmname is shown on login screen - changing the realm name invalidates all passwords - but for security you are encouraged to do so (as localhostadmin) - implemented to support both, old hashes for BASIC and new hashes for BASIC and DIGEST - to differentiate old / new hash the in Jetty used hash-prefix "MD5:" is used for new pwd-hashes ( "MD5:hash" ) 2014-01-17 00:02:23 +01:00			`* jetty login service, provides admin and YaCy.UserDB users with role assignment`
			`* with DIGEST auth by default Jetty uses the name of the loginSevice as realmname (which is part of all password hashes)`
* authentication implemented with own securityhandler 2011-03-16 17:39:31 +01:00			`*/`
set a realm message to log-in input window which explains that a password for the account 'admin' can be (re-)set with the script bin/passwd.sh 2014-01-05 17:43:34 +01:00			`public class YaCyLoginService extends MappedLoginService implements LoginService {`
* add copyright info * implement basic authentication * update jetty to 7.3.0 2011-03-15 00:33:36 +01:00
set a realm message to log-in input window which explains that a password for the account 'admin' can be (re-)set with the script bin/passwd.sh 2014-01-05 17:43:34 +01:00			`@Override`
			`protected UserIdentity loadUser(String username) {`
implemented DIGEST authentication, which is for remote login more secure as BASIC were pwd is transmitted near clear text (B64enc). This has some implication as RFC 2617 requires and recommends a password hash MD5(user:realm:pwd) for DIGEST. !!! before activating DIGEST you have to reassign all passwords !!! to allow new calculation of the hash - default authentication is still BASIC - configuration at this time only manually in (DATA/settings) or defaults/web.xml (<auth-method> - the realmname is in defaults/yacy.init adminRealm=YaCy-AdminUI - fyi: the realmname is shown on login screen - changing the realm name invalidates all passwords - but for security you are encouraged to do so (as localhostadmin) - implemented to support both, old hashes for BASIC and new hashes for BASIC and DIGEST - to differentiate old / new hash the in Jetty used hash-prefix "MD5:" is used for new pwd-hashes ( "MD5:hash" ) 2014-01-17 00:02:23 +01:00			`if (username == null \|\| username.isEmpty()) return null; // quick exit`

tweak Jetty credentials to work with YaCy UserDB - user entry in UserDB with admin right can login to access protected pages - dto. admin user, choosen username is stored in conf (adminAccountUserName=) 2013-12-27 06:45:22 +01:00			`final Switchboard sb = Switchboard.getSwitchboard();`
refactoring (usage of constant names for attributes of authentication check) 2014-01-05 04:23:44 +01:00			`String adminuser = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME, "admin");`
implemented DIGEST authentication, which is for remote login more secure as BASIC were pwd is transmitted near clear text (B64enc). This has some implication as RFC 2617 requires and recommends a password hash MD5(user:realm:pwd) for DIGEST. !!! before activating DIGEST you have to reassign all passwords !!! to allow new calculation of the hash - default authentication is still BASIC - configuration at this time only manually in (DATA/settings) or defaults/web.xml (<auth-method> - the realmname is in defaults/yacy.init adminRealm=YaCy-AdminUI - fyi: the realmname is shown on login screen - changing the realm name invalidates all passwords - but for security you are encouraged to do so (as localhostadmin) - implemented to support both, old hashes for BASIC and new hashes for BASIC and DIGEST - to differentiate old / new hash the in Jetty used hash-prefix "MD5:" is used for new pwd-hashes ( "MD5:hash" ) 2014-01-17 00:02:23 +01:00			`Credential credential = null;`
			`String[] roles = null;`
tweak Jetty credentials to work with YaCy UserDB - user entry in UserDB with admin right can login to access protected pages - dto. admin user, choosen username is stored in conf (adminAccountUserName=) 2013-12-27 06:45:22 +01:00			`if (username.equals(adminuser)) {`
			`final String adminAccountBase64MD5 = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "");`
implemented DIGEST authentication, which is for remote login more secure as BASIC were pwd is transmitted near clear text (B64enc). This has some implication as RFC 2617 requires and recommends a password hash MD5(user:realm:pwd) for DIGEST. !!! before activating DIGEST you have to reassign all passwords !!! to allow new calculation of the hash - default authentication is still BASIC - configuration at this time only manually in (DATA/settings) or defaults/web.xml (<auth-method> - the realmname is in defaults/yacy.init adminRealm=YaCy-AdminUI - fyi: the realmname is shown on login screen - changing the realm name invalidates all passwords - but for security you are encouraged to do so (as localhostadmin) - implemented to support both, old hashes for BASIC and new hashes for BASIC and DIGEST - to differentiate old / new hash the in Jetty used hash-prefix "MD5:" is used for new pwd-hashes ( "MD5:hash" ) 2014-01-17 00:02:23 +01:00			`// in YaCy the credential hash is composed of username:pwd so the username is needed to create valid credential`
			`// not just the password (as usually in Jetty). As the accountname for the std. adminuser is not stored a useridentity`
			`// is created for current user (and the pwd checked against the stored username:pwd setting)`
			`credential = YaCyLegacyCredential.getCredentialForAdmin(username, adminAccountBase64MD5);`
tweak Jetty credentials to work with YaCy UserDB - user entry in UserDB with admin right can login to access protected pages - dto. admin user, choosen username is stored in conf (adminAccountUserName=) 2013-12-27 06:45:22 +01:00			`// TODO: YaCy user:pwd hashes should longterm likely be switched to separable username + pwd-hash entries`
			`// and/or the standard admin account username shuld be fix = "admin"`
implemented DIGEST authentication, which is for remote login more secure as BASIC were pwd is transmitted near clear text (B64enc). This has some implication as RFC 2617 requires and recommends a password hash MD5(user:realm:pwd) for DIGEST. !!! before activating DIGEST you have to reassign all passwords !!! to allow new calculation of the hash - default authentication is still BASIC - configuration at this time only manually in (DATA/settings) or defaults/web.xml (<auth-method> - the realmname is in defaults/yacy.init adminRealm=YaCy-AdminUI - fyi: the realmname is shown on login screen - changing the realm name invalidates all passwords - but for security you are encouraged to do so (as localhostadmin) - implemented to support both, old hashes for BASIC and new hashes for BASIC and DIGEST - to differentiate old / new hash the in Jetty used hash-prefix "MD5:" is used for new pwd-hashes ( "MD5:hash" ) 2014-01-17 00:02:23 +01:00			`roles = new String[]{AccessRight.ADMIN_RIGHT.toString()};`
			`} else {`
			`Entry user = sb.userDB.getEntry(username);`
			`if (user != null && user.getMD5EncodedUserPwd() != null) {`
			`// assigning roles from userDB`
			`ArrayList<String> roletmp = new ArrayList<String>();`
			`for (final AccessRight right : AccessRight.values()) {`
			`if (user.hasRight(right)) {`
			`roletmp.add(right.toString());`
			`}`
implementing YaCy legacy role names - taking out customized SecurityHandler code as the original/default seems to just work fine - with this individual sec. constraints can be applied via web.xml (using legacy role names) 2014-01-10 14:07:49 +01:00			`}`
implemented DIGEST authentication, which is for remote login more secure as BASIC were pwd is transmitted near clear text (B64enc). This has some implication as RFC 2617 requires and recommends a password hash MD5(user:realm:pwd) for DIGEST. !!! before activating DIGEST you have to reassign all passwords !!! to allow new calculation of the hash - default authentication is still BASIC - configuration at this time only manually in (DATA/settings) or defaults/web.xml (<auth-method> - the realmname is in defaults/yacy.init adminRealm=YaCy-AdminUI - fyi: the realmname is shown on login screen - changing the realm name invalidates all passwords - but for security you are encouraged to do so (as localhostadmin) - implemented to support both, old hashes for BASIC and new hashes for BASIC and DIGEST - to differentiate old / new hash the in Jetty used hash-prefix "MD5:" is used for new pwd-hashes ( "MD5:hash" ) 2014-01-17 00:02:23 +01:00			`if (roletmp.size() > 0) roles = roletmp.toArray(new String[roletmp.size()]);`
			`credential = YaCyLegacyCredential.getCredentialForUserDB(username, user.getMD5EncodedUserPwd());`
			`}`
			`}`

			`if (credential != null) {`
			`if (roles != null) {`
			`return putUser(username, credential, roles);`
			`} else {`
			`return putUser(username, credential); // w/o role makes not much sense, but succeeds login....`
implementing YaCy legacy role names - taking out customized SecurityHandler code as the original/default seems to just work fine - with this individual sec. constraints can be applied via web.xml (using legacy role names) 2014-01-10 14:07:49 +01:00			`}`
tweak Jetty credentials to work with YaCy UserDB - user entry in UserDB with admin right can login to access protected pages - dto. admin user, choosen username is stored in conf (adminAccountUserName=) 2013-12-27 06:45:22 +01:00			`}`
			`return null;`
			`}`
implemented DIGEST authentication, which is for remote login more secure as BASIC were pwd is transmitted near clear text (B64enc). This has some implication as RFC 2617 requires and recommends a password hash MD5(user:realm:pwd) for DIGEST. !!! before activating DIGEST you have to reassign all passwords !!! to allow new calculation of the hash - default authentication is still BASIC - configuration at this time only manually in (DATA/settings) or defaults/web.xml (<auth-method> - the realmname is in defaults/yacy.init adminRealm=YaCy-AdminUI - fyi: the realmname is shown on login screen - changing the realm name invalidates all passwords - but for security you are encouraged to do so (as localhostadmin) - implemented to support both, old hashes for BASIC and new hashes for BASIC and DIGEST - to differentiate old / new hash the in Jetty used hash-prefix "MD5:" is used for new pwd-hashes ( "MD5:hash" ) 2014-01-17 00:02:23 +01:00
			`@Override`
			`protected void loadUsers() throws IOException {`
			`// don't load any users into MappedLoginService on startup`
			`// we use loadUser for dynamic checking`
			`}`
* add copyright info * implement basic authentication * update jetty to 7.3.0 2011-03-15 00:33:36 +01:00
			`}`