mirror of
https://github.com/yacy/yacy_search_server.git
synced 2024-09-21 00:00:13 +02:00
adjust YaCySecurityHandler to Jetty 9 conventions
- mainly adjust prepareConstraintInfo to use the RoleInfo.setChecked as in Jetty Source distribution - use constraint check behavior as in ConstraintSecurityHandler see http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/tree/jetty-security/src/main/java/org/eclipse/jetty/security/ConstraintSecurityHandler.java?id=jetty-9.0.5.v20130813
This commit is contained in:
parent
6f9ed439d3
commit
172aefaeeb
|
@ -30,9 +30,13 @@ import net.yacy.cora.document.id.MultiProtocolURL;
|
|||
|
||||
import net.yacy.cora.protocol.Domains;
|
||||
import net.yacy.search.Switchboard;
|
||||
import org.eclipse.jetty.http.HttpStatus;
|
||||
import org.eclipse.jetty.security.RoleInfo;
|
||||
|
||||
import org.eclipse.jetty.security.SecurityHandler;
|
||||
import org.eclipse.jetty.security.UserDataConstraint;
|
||||
import org.eclipse.jetty.server.HttpChannel;
|
||||
import org.eclipse.jetty.server.HttpConfiguration;
|
||||
import org.eclipse.jetty.server.Request;
|
||||
import org.eclipse.jetty.server.Response;
|
||||
import org.eclipse.jetty.server.UserIdentity;
|
||||
|
@ -44,49 +48,122 @@ import org.eclipse.jetty.server.UserIdentity;
|
|||
public class YaCySecurityHandler extends SecurityHandler {
|
||||
|
||||
@Override
|
||||
protected boolean checkUserDataPermissions(String pathInContext, Request request,
|
||||
Response response, RoleInfo constraintInfo) throws IOException {
|
||||
// check the SecurityHandler code, denying here does not provide authentication
|
||||
return constraintInfo.isChecked();
|
||||
}
|
||||
protected boolean checkUserDataPermissions(String pathInContext, Request request, Response response, RoleInfo roleInfo) throws IOException
|
||||
// check the SecurityHandler code, denying here does not provide authentication
|
||||
// - identical with ConstraintSecurityHandler.checkUserDataPermissions implementation of Jetty source distribution
|
||||
{
|
||||
if (roleInfo == null) {
|
||||
return true;
|
||||
}
|
||||
|
||||
if (roleInfo.isForbidden()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
UserDataConstraint dataConstraint = roleInfo.getUserDataConstraint();
|
||||
if (dataConstraint == null || dataConstraint == UserDataConstraint.None) {
|
||||
return true;
|
||||
}
|
||||
|
||||
HttpConfiguration httpConfig = HttpChannel.getCurrentHttpChannel().getHttpConfiguration();
|
||||
|
||||
if (dataConstraint == UserDataConstraint.Confidential || dataConstraint == UserDataConstraint.Integral) {
|
||||
if (request.isSecure()) {
|
||||
return true;
|
||||
}
|
||||
|
||||
if (httpConfig.getSecurePort() > 0) {
|
||||
String scheme = httpConfig.getSecureScheme();
|
||||
int port = httpConfig.getSecurePort();
|
||||
String url = ("https".equalsIgnoreCase(scheme) && port == 443)
|
||||
? "https://" + request.getServerName() + request.getRequestURI()
|
||||
: scheme + "://" + request.getServerName() + ":" + port + request.getRequestURI();
|
||||
if (request.getQueryString() != null) {
|
||||
url += "?" + request.getQueryString();
|
||||
}
|
||||
response.setContentLength(0);
|
||||
response.sendRedirect(url);
|
||||
} else {
|
||||
response.sendError(HttpStatus.FORBIDDEN_403, "!Secure");
|
||||
}
|
||||
|
||||
request.setHandled(true);
|
||||
return false;
|
||||
} else {
|
||||
throw new IllegalArgumentException("Invalid dataConstraint value: " + dataConstraint);
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean checkWebResourcePermissions(String pathInContext, Request request,
|
||||
Response response, Object constraintInfo, UserIdentity userIdentity) throws IOException {
|
||||
// deny and request for authentication, if necessary
|
||||
boolean auth = ((RoleInfo) constraintInfo).isChecked();
|
||||
return auth || request.isUserInRole("admin");
|
||||
}
|
||||
// - identical with ConstraintSecurityHandler.checkWebResourcePermissions implementation of Jetty source distribution
|
||||
if (constraintInfo == null) {
|
||||
return true;
|
||||
}
|
||||
RoleInfo roleInfo = (RoleInfo) constraintInfo;
|
||||
|
||||
@Override
|
||||
protected boolean isAuthMandatory(Request base_request, Response base_response, Object constraintInfo) {
|
||||
if (!roleInfo.isChecked()) {
|
||||
return true;
|
||||
}
|
||||
|
||||
if (roleInfo.isAnyRole() && request.getAuthType() != null) {
|
||||
return true;
|
||||
}
|
||||
|
||||
for (String role : roleInfo.getRoles()) {
|
||||
if (userIdentity.isUserInRole(role, null)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean isAuthMandatory(Request baseRequest, Response base_response, Object constraintInfo) {
|
||||
// identical with ConstraintSecurityHandler.isAuthMandatory implementation of Jetty source distribution
|
||||
return constraintInfo != null && ((RoleInfo) constraintInfo).isChecked();
|
||||
}
|
||||
|
||||
/**
|
||||
* create the constraint for the given path
|
||||
* for urls containing *_p. (like info_p.html) admin access is required,
|
||||
* on localhost = admin setting no constraint is set
|
||||
* @param pathInContext
|
||||
* @param request
|
||||
* @return RoleInfo with
|
||||
* isChecked=true if any security contraint applies (compare reference implementation org.eclipse.jetty.security.ConstraintSecurityHandler)
|
||||
* role = "admin" for resource name containint _p.
|
||||
*/
|
||||
@Override
|
||||
protected RoleInfo prepareConstraintInfo(String pathInContext, Request request) {
|
||||
final Switchboard sb = Switchboard.getSwitchboard();
|
||||
final boolean adminAccountForLocalhost = sb.getConfigBool("adminAccountForLocalhost", false);
|
||||
final String adminAccountBase64MD5 = sb.getConfig(YaCyLegacyCredential.ADMIN_ACCOUNT_B64MD5, "");
|
||||
//final String adminAccountBase64MD5 = sb.getConfig(YaCyLegacyCredential.ADMIN_ACCOUNT_B64MD5, "");
|
||||
|
||||
String refererHost;
|
||||
try {
|
||||
refererHost = new MultiProtocolURL(request.getHeader("Referer")).getHost();
|
||||
} catch (MalformedURLException e) {
|
||||
refererHost = null;
|
||||
}
|
||||
}
|
||||
final boolean accessFromLocalhost = Domains.isLocalhost(request.getRemoteHost()) && (refererHost == null || refererHost.length() == 0 || Domains.isLocalhost(refererHost));
|
||||
// ! note : accessFromLocalhost compares localhost ip pattern ( ! currently also any intranet host is a local host)
|
||||
final boolean grantedForLocalhost = adminAccountForLocalhost && accessFromLocalhost;
|
||||
final boolean protectedPage = pathInContext.indexOf("_p.") > 0;
|
||||
final boolean accountEmpty = adminAccountBase64MD5.length() == 0;
|
||||
final boolean yacyBot = request.getHeader("User-Agent").startsWith("yacybot");
|
||||
|
||||
RoleInfo roleinfo = new RoleInfo();
|
||||
if (protectedPage) { // TODO: handle admin authentication & none public site
|
||||
roleinfo.setChecked(((grantedForLocalhost && !accountEmpty) || yacyBot));
|
||||
} else {
|
||||
roleinfo.setChecked(true);
|
||||
//final boolean accountEmpty = adminAccountBase64MD5.length() == 0;
|
||||
//final boolean yacyBot = request.getHeader("User-Agent").startsWith("yacybot");
|
||||
|
||||
if (protectedPage) { // TODO: none public site
|
||||
if (!grantedForLocalhost) {
|
||||
RoleInfo roleinfo = new RoleInfo();
|
||||
roleinfo.setChecked(true); // RoleInfo.setChecked() : in Jetty this means - marked to have any security constraint
|
||||
roleinfo.addRole("admin"); //YaCyLoginService assigns "admin" role to admin user
|
||||
return roleinfo;
|
||||
} // can omit else, as if grantedForLocalhost==true no constraint applies
|
||||
// TODO: is this correct or adminAccountBase64MD5 not empty check neccessary ?
|
||||
}
|
||||
return roleinfo;
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue
Block a user