//
// YaCySecurityHandler
// Copyright 2011 by Florian Richter
// First released 16.04.2011 at http://yacy.net
//
// $LastChangedDate$
// $LastChangedRevision$
// $LastChangedBy$
//
// This library is free software; you can redistribute it and/or
// modify it under the terms of the GNU Lesser General Public
// License as published by the Free Software Foundation; either
// version 2.1 of the License, or (at your option) any later version.
//
// This library is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
// Lesser General Public License for more details.
//
// You should have received a copy of the GNU Lesser General Public License
// along with this program in the file lgpl21.txt
// If not, see <http://www.gnu.org/licenses/>.
//
package net.yacy.http;
import java.net.MalformedURLException;
import net.yacy.cora.document.id.MultiProtocolURL;
import net.yacy.cora.protocol.Domains;
import net.yacy.data.UserDB.AccessRight;
import net.yacy.search.Switchboard;
import net.yacy.search.SwitchboardConstants;
import net.yacy.server.serverAccessTracker;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.RoleInfo;
import org.eclipse.jetty.server.Request;
/**
* jetty security handler
* demands authentication for pages with _p. inside
* and updates AccessTracker
*/
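public class Jetty8YaCySecurityHandler extends ConstraintSecurityHandler {

    /**
     * Registers every {@link AccessRight} as a Jetty role so that security
     * constraints can refer to YaCy access rights by name.
     */
    public Jetty8YaCySecurityHandler() {
        super();
        for (final AccessRight right : AccessRight.values()) {
            addRole(right.toString()); // add default YaCy roles
        }
    }

    /**
     * Creates the constraint for the given path.
     * <p>
     * Admin access (role {@code AccessRight.ADMIN_RIGHT}) is required for
     * <ul>
     * <li>URLs whose path contains {@code _p.} (like {@code info_p.html}),</li>
     * <li>every page when {@code SwitchboardConstants.ADMIN_ACCOUNT_All_PAGES} is set,</li>
     * <li>{@code /solr/} and {@code /gsa/} when {@code SwitchboardConstants.PUBLIC_SEARCHPAGE} is off.</li>
     * </ul>
     * When {@code SwitchboardConstants.ADMIN_ACCOUNT_FOR_LOCALHOST} is set and the request
     * comes from localhost with an empty or local Referer host, no constraint is set for
     * such pages. The Referer header is supplied by the client and an absent header counts
     * as local, so this is a heuristic against cross-site requests, not a strong check.
     * Every call is also reported to {@link serverAccessTracker} with the remote address.
     *
     * @param pathInContext the request path relative to the servlet context
     * @param request the current request
     * @return RoleInfo with isChecked=true if any security constraint applies
     *         (compare reference implementation org.eclipse.jetty.security.ConstraintSecurityHandler)
     *         and role "admin" for protected resources; {@code null} for a local admin
     *         on a protected page; otherwise the superclass result
     */
    @Override
    protected RoleInfo prepareConstraintInfo(final String pathInContext, final Request request) {
        final Switchboard sb = Switchboard.getSwitchboard();
        final boolean adminAccountGrantedForLocalhost = sb.getConfigBool(SwitchboardConstants.ADMIN_ACCOUNT_FOR_LOCALHOST, false);
        final boolean adminAccountNeededForAllPages = sb.getConfigBool(SwitchboardConstants.ADMIN_ACCOUNT_All_PAGES, false);

        // update AccessTracker with the client address before any access decision is made
        serverAccessTracker.track(request.getRemoteAddr(), pathInContext);

        final String refererHost = refererHostOf(request);
        // ! note : accessFromLocalhost compares localhost ip pattern
        final boolean accessFromLocalhost = Domains.isLocalhost(request.getRemoteHost())
                && (refererHost == null || refererHost.length() == 0 || Domains.isLocalhost(refererHost));
        final boolean grantedForLocalhost = adminAccountGrantedForLocalhost && accessFromLocalhost;

        if (isProtectedPage(sb, pathInContext, adminAccountNeededForAllPages)) {
            if (grantedForLocalhost) {
                return null; // quick return for local admin
            }
            final RoleInfo roleinfo = new RoleInfo();
            roleinfo.setChecked(true); // RoleInfo.setChecked() : in Jetty this means - marked to have any security constraint
            roleinfo.addRole(AccessRight.ADMIN_RIGHT.toString()); // use AccessRights as role
            return roleinfo;
        }
        return (RoleInfo) super.prepareConstraintInfo(pathInContext, request);
    }

    /**
     * Extracts the host part of the request's Referer header.
     *
     * @param request the current request
     * @return the referer host, or {@code null} when the header is absent or not a parseable URL
     */
    private static String refererHostOf(final Request request) {
        final String referer = request.getHeader("Referer");
        if (referer == null) {
            return null; // absent header: handled explicitly instead of relying on the URL parser to reject null
        }
        try {
            return new MultiProtocolURL(referer).getHost();
        } catch (final MalformedURLException e) {
            return null;
        }
    }

    /**
     * Decides whether a path requires admin rights.
     *
     * @param sb the switchboard holding the configuration
     * @param pathInContext the request path relative to the servlet context
     * @param adminAccountNeededForAllPages value of {@code SwitchboardConstants.ADMIN_ACCOUNT_All_PAGES}
     * @return {@code true} for {@code _p.} pages, for every page when admin is needed for all pages,
     *         and for {@code /solr/} and {@code /gsa/} when the search page is not public
     */
    private static boolean isProtectedPage(final Switchboard sb, final String pathInContext, final boolean adminAccountNeededForAllPages) {
        if (adminAccountNeededForAllPages || pathInContext.indexOf("_p.") > 0) {
            return true;
        }
        // check "/gsa" and "/solr" if not publicSearchpage
        if (!sb.getConfigBool(SwitchboardConstants.PUBLIC_SEARCHPAGE, true)) {
            return pathInContext.startsWith("/solr/") || pathInContext.startsWith("/gsa/");
        }
        return false;
    }
}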