adjust YaCySecurityHandler to Jetty 9 conventions

- mainly adjust prepareConstraintInfo to use the RoleInfo.setChecked as in Jetty Source distribution
- use constraint check behavior as in ConstraintSecurityHandler
  see http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/tree/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java?id=jetty-9.0.5.v20130813

source/net/yacy/http/YaCySecurityHandler.java

@@ -30,9 +30,13 @@ import net.yacy.cora.document.id.MultiProtocolURL;
 
 import net.yacy.cora.protocol.Domains;
 import net.yacy.search.Switchboard;
+import org.eclipse.jetty.http.HttpStatus;
 import org.eclipse.jetty.security.RoleInfo;
 
 import org.eclipse.jetty.security.SecurityHandler;
+import org.eclipse.jetty.security.UserDataConstraint;
+import org.eclipse.jetty.server.HttpChannel;
+import org.eclipse.jetty.server.HttpConfiguration;
 import org.eclipse.jetty.server.Request;
 import org.eclipse.jetty.server.Response;
 import org.eclipse.jetty.server.UserIdentity;
@@ -44,49 +48,122 @@ import org.eclipse.jetty.server.UserIdentity;
 public class YaCySecurityHandler extends SecurityHandler {
 
     @Override
-    protected boolean checkUserDataPermissions(String pathInContext, Request request,
-            Response response, RoleInfo constraintInfo) throws IOException {
-        // check the SecurityHandler code, denying here does not provide authentication
-        return constraintInfo.isChecked();
-    }
+    protected boolean checkUserDataPermissions(String pathInContext, Request request, Response response, RoleInfo roleInfo) throws IOException   
+     // check the SecurityHandler code, denying here does not provide authentication
+     // - identical with ConstraintSecurityHandler.checkUserDataPermissions implementation of Jetty source distribution
+    {
+        if (roleInfo == null) {
+            return true;
+        }
+
+        if (roleInfo.isForbidden()) {
+            return false;
+        }
+
+        UserDataConstraint dataConstraint = roleInfo.getUserDataConstraint();
+        if (dataConstraint == null || dataConstraint == UserDataConstraint.None) {
+            return true;
+        }
+
+        HttpConfiguration httpConfig = HttpChannel.getCurrentHttpChannel().getHttpConfiguration();
+
+        if (dataConstraint == UserDataConstraint.Confidential || dataConstraint == UserDataConstraint.Integral) {
+            if (request.isSecure()) {
+                return true;
+            }
+
+            if (httpConfig.getSecurePort() > 0) {
+                String scheme = httpConfig.getSecureScheme();
+                int port = httpConfig.getSecurePort();
+                String url = ("https".equalsIgnoreCase(scheme) && port == 443)
+                        ? "https://" + request.getServerName() + request.getRequestURI()
+                        : scheme + "://" + request.getServerName() + ":" + port + request.getRequestURI();
+                if (request.getQueryString() != null) {
+                    url += "?" + request.getQueryString();
+                }
+                response.setContentLength(0);
+                response.sendRedirect(url);
+            } else {
+                response.sendError(HttpStatus.FORBIDDEN_403, "!Secure");
+            }
+
+            request.setHandled(true);
+            return false;
+        } else {
+            throw new IllegalArgumentException("Invalid dataConstraint value: " + dataConstraint);
+        }
+    }        
 
     @Override
     protected boolean checkWebResourcePermissions(String pathInContext, Request request,
             Response response, Object constraintInfo, UserIdentity userIdentity) throws IOException {
         // deny and request for authentication, if necessary
-        boolean auth = ((RoleInfo) constraintInfo).isChecked();
-        return auth || request.isUserInRole("admin");
-    }
+        // - identical with ConstraintSecurityHandler.checkWebResourcePermissions implementation of Jetty source distribution    
+        if (constraintInfo == null) {
+            return true;
+        }
+        RoleInfo roleInfo = (RoleInfo) constraintInfo;
 
-    @Override
-    protected boolean isAuthMandatory(Request base_request, Response base_response, Object constraintInfo) {
+        if (!roleInfo.isChecked()) {
+            return true;
+        }
+
+        if (roleInfo.isAnyRole() && request.getAuthType() != null) {
+            return true;
+        }
+
+        for (String role : roleInfo.getRoles()) {
+            if (userIdentity.isUserInRole(role, null)) {
+                return true;
+            }
+        }
         return false;
     }
 
+    @Override
+    protected boolean isAuthMandatory(Request baseRequest, Response base_response, Object constraintInfo) {
+        // identical with ConstraintSecurityHandler.isAuthMandatory implementation of Jetty source distribution
+        return constraintInfo != null && ((RoleInfo) constraintInfo).isChecked();
+    }
+
+     /**
+     * create the constraint for the given path
+     * for urls containing *_p. (like info_p.html) admin access is required,
+     * on localhost = admin setting no constraint is set 
+     * @param pathInContext
+     * @param request
+     * @return RoleInfo with 
+     *     isChecked=true if any security contraint applies (compare reference implementation org.eclipse.jetty.security.ConstraintSecurityHandler)
+     *     role = "admin" for resource name containint _p.
+     */
     @Override
     protected RoleInfo prepareConstraintInfo(String pathInContext, Request request) {
         final Switchboard sb = Switchboard.getSwitchboard();
         final boolean adminAccountForLocalhost = sb.getConfigBool("adminAccountForLocalhost", false);
-        final String adminAccountBase64MD5 = sb.getConfig(YaCyLegacyCredential.ADMIN_ACCOUNT_B64MD5, "");
+        //final String adminAccountBase64MD5 = sb.getConfig(YaCyLegacyCredential.ADMIN_ACCOUNT_B64MD5, "");
 
         String refererHost;
         try {
             refererHost = new MultiProtocolURL(request.getHeader("Referer")).getHost();
         } catch (MalformedURLException e) {
             refererHost = null;
-        }
+        }        
         final boolean accessFromLocalhost = Domains.isLocalhost(request.getRemoteHost()) && (refererHost == null || refererHost.length() == 0 || Domains.isLocalhost(refererHost));
+        // ! note : accessFromLocalhost compares localhost ip pattern ( ! currently also any intranet host is a local host)
         final boolean grantedForLocalhost = adminAccountForLocalhost && accessFromLocalhost;
         final boolean protectedPage = pathInContext.indexOf("_p.") > 0;
-        final boolean accountEmpty = adminAccountBase64MD5.length() == 0;
-        final boolean yacyBot = request.getHeader("User-Agent").startsWith("yacybot");
-
-        RoleInfo roleinfo = new RoleInfo();
-        if (protectedPage) { // TODO: handle admin authentication & none public site
-            roleinfo.setChecked(((grantedForLocalhost && !accountEmpty) || yacyBot));
-        } else {
-            roleinfo.setChecked(true); 
+        //final boolean accountEmpty = adminAccountBase64MD5.length() == 0;
+        //final boolean yacyBot = request.getHeader("User-Agent").startsWith("yacybot");
+     
+        if (protectedPage) { // TODO: none public site
+            if (!grantedForLocalhost) {
+                RoleInfo roleinfo = new RoleInfo();
+                roleinfo.setChecked(true); // RoleInfo.setChecked() : in Jetty this means - marked to have any security constraint
+                roleinfo.addRole("admin"); //YaCyLoginService assigns "admin" role to admin user
+                return roleinfo;
+            } // can omit else, as if grantedForLocalhost==true no constraint applies
+              // TODO: is this correct or adminAccountBase64MD5 not empty check neccessary ?
         }
-        return roleinfo;
+        return null;
     }
 }