diff --git a/source/net/yacy/http/Jetty8YaCySecurityHandler.java b/source/net/yacy/http/Jetty8YaCySecurityHandler.java
index c956e328c..1acc2e682 100644
--- a/source/net/yacy/http/Jetty8YaCySecurityHandler.java
+++ b/source/net/yacy/http/Jetty8YaCySecurityHandler.java
@@ -24,14 +24,7 @@ package net.yacy.http;
-import java.io.IOException;
 import java.net.MalformedURLException;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-import java.util.TreeSet;
-
-import javax.servlet.http.HttpServletResponse;
 import net.yacy.cora.document.id.MultiProtocolURL;
 import net.yacy.cora.protocol.Domains;
@@ -40,15 +33,9 @@ import net.yacy.search.Switchboard;
 import net.yacy.search.SwitchboardConstants;
 import net.yacy.server.serverAccessTracker;
-import org.eclipse.jetty.http.HttpSchemes;
 import org.eclipse.jetty.security.ConstraintSecurityHandler;
 import org.eclipse.jetty.security.RoleInfo;
-import org.eclipse.jetty.security.UserDataConstraint;
-import org.eclipse.jetty.server.AbstractHttpConnection;
-import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.Request;
-import org.eclipse.jetty.server.Response;
-import org.eclipse.jetty.server.UserIdentity;
 /**
  * jetty security handler
@@ -65,110 +52,6 @@ public class Jetty8YaCySecurityHandler extends ConstraintSecurityHandler {
 }
 }
-@Override
-protected boolean checkUserDataPermissions(String pathInContext, Request request, Response response, Object constraintInfo) throws IOException
-// check the SecurityHandler code, denying here does not provide authentication
-// - identical with ConstraintSecurityHandler.checkUserDataPermissions implementation of Jetty source distribution
-{
-if (constraintInfo == null)
-return true;
-
-RoleInfo roleInfo = (RoleInfo)constraintInfo;
-if (roleInfo.isForbidden())
-return false;
-
-
-UserDataConstraint dataConstraint = roleInfo.getUserDataConstraint();
-if (dataConstraint == null || dataConstraint == UserDataConstraint.None)
-{
-return true;
-}
-AbstractHttpConnection connection = AbstractHttpConnection.getCurrentConnection();
-Connector connector = connection.getConnector();
-
-if (dataConstraint == UserDataConstraint.Integral)
-{
-if (connector.isIntegral(request))
-return true;
-if (connector.getIntegralPort() > 0)
-{
-String scheme=connector.getIntegralScheme();
-int port=connector.getIntegralPort();
-String url = (HttpSchemes.HTTPS.equalsIgnoreCase(scheme) && port==443)
-? "https://"+request.getServerName()+request.getRequestURI()
-: scheme + "://" + request.getServerName() + ":" + port + request.getRequestURI();
-if (request.getQueryString() != null)
-url += "?" + request.getQueryString();
-response.setContentLength(0);
-response.sendRedirect(url);
-}
-else
-response.sendError(HttpServletResponse.SC_FORBIDDEN,"!Integral");
-
-request.setHandled(true);
-return false;
-}
-else if (dataConstraint == UserDataConstraint.Confidential)
-{
-if (connector.isConfidential(request))
-return true;
-
-if (connector.getConfidentialPort() > 0)
-{
-String scheme=connector.getConfidentialScheme();
-int port=connector.getConfidentialPort();
-String url = (HttpSchemes.HTTPS.equalsIgnoreCase(scheme) && port==443)
-? "https://"+request.getServerName()+request.getRequestURI()
-: scheme + "://" + request.getServerName() + ":" + port + request.getRequestURI();
-if (request.getQueryString() != null)
-url += "?" + request.getQueryString();
-response.setContentLength(0);
-response.sendRedirect(url);
-}
-else
-response.sendError(HttpServletResponse.SC_FORBIDDEN,"!Confidential");
-
-request.setHandled(true);
-return false;
-}
-else
-{
-throw new IllegalArgumentException("Invalid dataConstraint value: " + dataConstraint);
-}
-}
-
-@Override
-protected boolean checkWebResourcePermissions(String pathInContext, Request request,
-Response response, Object constraintInfo, UserIdentity userIdentity) throws IOException {
-// deny and request for authentication, if necessary
-// - identical with ConstraintSecurityHandler.checkWebResourcePermissions implementation of Jetty source distribution
-if (constraintInfo == null) {
-return true;
-}
-RoleInfo roleInfo = (RoleInfo) constraintInfo;
-
-if (!roleInfo.isChecked()) {
-return true;
-}
-
-if (roleInfo.isAnyRole() && request.getAuthType() != null) {
-return true;
-}
-
-for (String role : roleInfo.getRoles()) {
-if (userIdentity.isUserInRole(role, null)) {
-return true;
-}
-}
-return false;
-}
-
-@Override
-protected boolean isAuthMandatory(Request baseRequest, Response base_response, Object constraintInfo) {
-// identical with ConstraintSecurityHandler.isAuthMandatory implementation of Jetty source distribution
-return constraintInfo != null && ((RoleInfo) constraintInfo).isChecked();
-}
-
 /**
  * create the constraint for the given path
  * for urls containing *_p. (like info_p.html) admin access is required,
@@ -211,12 +94,8 @@ public class Jetty8YaCySecurityHandler extends ConstraintSecurityHandler {
 roleinfo.setChecked(true); // RoleInfo.setChecked() : in Jetty this means - marked to have any security constraint
 roleinfo.addRole(AccessRight.ADMIN_RIGHT.toString()); // use AccessRights as role
 return roleinfo;
-} // can omit else, as if grantedForLocalhost==true no constraint applies
-// TODO: is this correct or adminAccountBase64MD5 not empty check neccessary ?
+}
 }
-// DefaultServlet is not path security aware (at this time makes not sense to call super, yet -> would work on other servlets)
-// return (RoleInfo)super.prepareConstraintInfo(pathInContext, request);
-return null;
+return (RoleInfo)super.prepareConstraintInfo(pathInContext, request);
 }
-}
diff --git a/source/net/yacy/http/YaCyLoginService.java b/source/net/yacy/http/YaCyLoginService.java
index 5d5cbc02d..2f34a74c6 100644
--- a/source/net/yacy/http/YaCyLoginService.java
+++ b/source/net/yacy/http/YaCyLoginService.java
@@ -53,7 +53,6 @@ public class YaCyLoginService extends MappedLoginService implements LoginService
 @Override
 protected UserIdentity loadUser(String username) {
-// TODO: implement legacy credentials
 final Switchboard sb = Switchboard.getSwitchboard();
 String adminuser = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME, "admin");
 if (username.equals(adminuser)) {
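Review bot: The open question `// TODO: is this correct or adminAccountBase64MD5 not empty check neccessary ?` is deleted without being resolved: the hunk still lets the `grantedForLocalhost` path (its check sits above the hunk) bypass the admin constraint, and nothing added here verifies that an admin password is configured before that bypass applies. If unconstrained localhost access is intended, replace the TODO with a statement of that decision, e.g. `// localhost requests intentionally get no constraint; this relies on the grantedForLocalhost test above`, otherwise keep the TODO until the check is decided. The new `return (RoleInfo)super.prepareConstraintInfo(pathInContext, request);` also changes every non-`_p.` path from "never constrained" to "whatever constraint mappings are registered on this handler", which the method's Javadoc should say so a mapping added elsewhere is not later read as a regression. prepareConstraintInfo begins outside the hunk, so I cannot confirm how grantedForLocalhost is computed.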
@@ -75,19 +74,23 @@ public class YaCyLoginService extends MappedLoginService implements LoginService
 }
 Entry user = sb.userDB.getEntry(username);
 if (user != null) {
-if (user.hasRight(AccessRight.ADMIN_RIGHT)) {
-String[] role = new String[]{AccessRight.ADMIN_RIGHT.toString()};
-
-Credential credential = YaCyLegacyCredential.getCredentials(username, user.getMD5EncodedUserPwd());
-Principal userPrincipal = new MappedLoginService.KnownUser(username, credential);
-Subject subject = new Subject();
-subject.getPrincipals().add(userPrincipal);
-subject.getPrivateCredentials().add(credential);
-subject.setReadOnly();
-IdentityService is = getIdentityService();
-
-return is.newUserIdentity(subject, userPrincipal, role);
-}
+// assigning roles from userDB
+String[] role = new String[AccessRight.values().length];
+int i = 0;
+for (final AccessRight right : AccessRight.values()) {
+if (user.hasRight(right)) {
+role[i] = right.toString();
+i++;
+}
+}
+Credential credential = YaCyLegacyCredential.getCredentials(username, user.getMD5EncodedUserPwd());
+Principal userPrincipal = new MappedLoginService.KnownUser(username, credential);
+Subject subject = new Subject();
+subject.getPrincipals().add(userPrincipal);
+subject.getPrivateCredentials().add(credential);
+subject.setReadOnly();
+IdentityService is = getIdentityService();
+return is.newUserIdentity(subject, userPrincipal, role);
 }
 return null;
 }
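Review bot: `role` is allocated with `AccessRight.values().length` slots but only the first `i` are filled, so for any user that lacks at least one right the array passed to `is.newUserIdentity(subject, userPrincipal, role)` ends in `null` entries; a role-membership check that walks the array and calls `equals` on each element (which Jetty's default UserIdentity appears to do) would then throw a NullPointerException instead of returning false. Trim the array before handing it over, e.g. `return is.newUserIdentity(subject, userPrincipal, java.util.Arrays.copyOf(role, i));`, or collect the names in a List and call `toArray(new String[0])`. The comment `// assigning roles from userDB` should also state the behavioural change this hunk makes: previously only users holding ADMIN_RIGHT got an identity at all, now every userDB entry does, possibly with an empty role set, so the per-path constraints are the only thing keeping such a user away from protected pages. loadUser starts before this hunk, so the admin-account branch above it is not visible here.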