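/**
 * Sets up the basic security constraints for the webapp and registers all configured users and
 * passwords with its security handler.
 * <p>
 * When {@code PROP_PW_ENABLE} is set and at least one console credential is configured, a realm is
 * populated from the stored MD5 digests and every request under "/" must authenticate with the
 * {@code JETTY_ROLE} role. If the property is enabled but no credentials exist, the handler is left
 * open and "false" is persisted so the router does not lock everybody out. Independently of
 * authentication, the TRACE and OPTIONS methods are refused (see the comments inline).
 *
 * @param ctx     router context used to read the password properties and save config
 * @param context webapp that receives the configured security handler
 */
  static void initialize(RouterContext ctx, WebAppContext context) {
    SecurityHandler sec = new SecurityHandler();
    List<ConstraintMapping> constraints = new ArrayList<ConstraintMapping>(4);
    ConsolePasswordManager mgr = new ConsolePasswordManager(ctx);
    if (ctx.getBooleanProperty(PROP_PW_ENABLE)) {
      Map<String, String> userpw = mgr.getMD5(PROP_CONSOLE_PW);
      if (userpw.isEmpty()) {
        // Password protection enabled without any account would reject every request, so fall
        // back to open access and record that decision.
        // NOTE(review): the value is saved under PROP_CONSOLE_PW, not PROP_PW_ENABLE — confirm
        // that is the intended key.
        ctx.router().saveConfig(PROP_CONSOLE_PW, "false");
      } else {
        HashUserRealm realm = new HashUserRealm(JETTY_REALM);
        sec.setUserRealm(realm);
        sec.setAuthenticator(authenticator);
        for (Map.Entry<String, String> e : userpw.entrySet()) {
          String user = e.getKey();
          String pw = e.getValue();
          // The stored value is already an MD5 digest; the type prefix tells the realm to compare
          // digests rather than treat the string as a plaintext password.
          realm.put(user, MD5.__TYPE + pw);
          realm.addUserToRole(user, JETTY_ROLE);
          // One authenticated constraint per user, all covering the whole webapp.
          Constraint constraint = new Constraint(user, JETTY_ROLE);
          constraint.setAuthenticate(true);
          ConstraintMapping cm = new ConstraintMapping();
          cm.setConstraint(constraint);
          cm.setPathSpec("/");
          constraints.add(cm);
        }
      }
    }

    // This forces a '403 Forbidden' response for TRACE and OPTIONS unless the
    // WAC handler handles it.
    // (LocaleWebAppHandler returns a '405 Method Not Allowed')
    // TRACE and OPTIONS aren't really security issues...
    // TRACE doesn't echo stuff unless you call setTrace(true)
    // But it might bug some people
    // The other strange methods - PUT, DELETE, MOVE - are disabled by default
    // See also:
    // http://old.nabble.com/Disable-HTTP-TRACE-in-Jetty-5.x-td12412607.html
    constraints.add(forbidMethodMapping("No trace", "TRACE"));
    constraints.add(forbidMethodMapping("No options", "OPTIONS"));

    sec.setConstraintMappings(constraints.toArray(new ConstraintMapping[constraints.size()]));

    context.setSecurityHandler(sec);
  }

  /**
   * Builds a mapping that refuses the given HTTP method for every path ("/").
   * <p>
   * The constraint carries neither roles nor an authenticate flag, which is the form Jetty treats
   * as "forbidden" (this is what produces the 403 described above).
   *
   * @param name   constraint name, only used for diagnostics
   * @param method HTTP method to refuse, e.g. "TRACE"
   * @return the new mapping
   */
  private static ConstraintMapping forbidMethodMapping(String name, String method) {
    Constraint sc = new Constraint();
    sc.setName(name);
    ConstraintMapping cm = new ConstraintMapping();
    cm.setMethod(method);
    cm.setConstraint(sc);
    cm.setPathSpec("/");
    return cm;
  }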
 /**
  * Creates a constraint mapping for {@code pathSpec} whose only requirement is the given
  * transport-level data constraint (a {@code Constraint.DC_*} value such as
  * {@code DC_CONFIDENTIAL}); it does not by itself require authentication or any role.
  *
  * @param pathSpec       URL pattern the mapping applies to
  * @param dataConstraint value handed to {@link Constraint#setDataConstraint(int)}
  * @return the new mapping
  */
 private ConstraintMapping createConstraintMapping(String pathSpec, int dataConstraint) {
   Constraint transportOnly = new Constraint();
   transportOnly.setDataConstraint(dataConstraint);

   ConstraintMapping mapping = new ConstraintMapping();
   mapping.setConstraint(transportOnly);
   mapping.setPathSpec(pathSpec);
   return mapping;
 }
  /**
   * Builds a security handler that protects every path ("/*") with HTTP Basic authentication and
   * requires the "superuser" role.
   * <p>
   * NOTE(review): the realm "MyRealm" is seeded with the literal placeholder account
   * "tobechanged" / "tobechanged". The credential carries no digest type prefix (compare the
   * MD5-prefixed form used by other realms in this listing), so it is presumably stored and
   * compared as plaintext. This is a hard-coded default credential and must be replaced, or the
   * realm loaded from configuration, before the handler protects anything real.
   *
   * @return the configured handler wired to the seeded realm
   */
  private static SecurityHandler createBasicAuthenticationSecurityHandler() {
    final String role = "superuser";
    final String placeholderAccount = "tobechanged";

    HashUserRealm realm = new HashUserRealm("MyRealm");
    realm.put(placeholderAccount, placeholderAccount);
    realm.addUserToRole(placeholderAccount, role);

    Constraint basicAuth = new Constraint(Constraint.__BASIC_AUTH, role);
    basicAuth.setAuthenticate(true);

    ConstraintMapping mapping = new ConstraintMapping();
    mapping.setPathSpec("/*");
    mapping.setConstraint(basicAuth);

    SecurityHandler handler = new SecurityHandler();
    handler.setUserRealm(realm);
    handler.setConstraintMappings(new ConstraintMapping[] {mapping});
    return handler;
  }
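  /**
   * Starts the embedded Jetty server and blocks until it stops.
   * <p>
   * Reads {@code port}, {@code bindAddress}, {@code authConfigFile} and the keystore settings from
   * the job data. Without a keystore a plain HTTP connector is used; otherwise an SSL connector is
   * configured from the {@code keystore}, {@code keyPassword}, {@code trustStore},
   * {@code trustPassword} and {@code password} entries. When {@code authConfigFile} is set, every
   * request under "/*" requires HTTP Basic authentication against that realm file with the role
   * "user" or "grouper"; the application handler is nested inside the security handler so that it
   * is only reached once the constraint check has passed.
   *
   * @param jobDataMap job configuration supplied by the scheduler
   * @throws NumberFormatException if {@code port} is not an integer
   * @throws IllegalStateException if basic auth was requested but the realm file cannot be read;
   *         the server is then not started at all rather than started without a realm
   */
  private void startServer(JobDataMap jobDataMap) {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Initialising HTTP server");
    }
    int port = Integer.parseInt(jobDataMap.getString("port"));
    String bindAddress = jobDataMap.getString("bindAddress");
    String authConfigFile = jobDataMap.getString("authConfigFile");
    String keystore = jobDataMap.getString("keystore");
    Server server = new Server();
    if (keystore == null || keystore.equals("")) {
      LOG.info("Starting with HTTP (non-encrypted) protocol");
      SelectChannelConnector connector = new SelectChannelConnector();
      connector.setHost(bindAddress);
      connector.setPort(port);
      server.addConnector(connector);
    } else {
      LOG.info("Starting with HTTPS (encrypted) protocol");
      SslSocketConnector sslConnector = new SslSocketConnector();
      sslConnector.setHost(bindAddress);
      sslConnector.setPort(port);
      sslConnector.setKeystore(keystore);
      sslConnector.setKeyPassword(jobDataMap.getString("keyPassword"));
      sslConnector.setTruststore(jobDataMap.getString("trustStore"));
      sslConnector.setTrustPassword(jobDataMap.getString("trustPassword"));
      sslConnector.setPassword(jobDataMap.getString("password"));
      server.addConnector(sslConnector);
    }

    if (authConfigFile != null && !authConfigFile.equals("")) {
      if (LOG.isDebugEnabled()) {
        LOG.debug("Requiring basic auth");
      }
      Constraint constraint = new Constraint();
      constraint.setName(Constraint.__BASIC_AUTH);
      constraint.setRoles(new String[] {"user", "grouper"});
      constraint.setAuthenticate(true);

      ConstraintMapping cm = new ConstraintMapping();
      cm.setConstraint(constraint);
      cm.setPathSpec("/*");

      SecurityHandler sh = new SecurityHandler();
      try {
        sh.setUserRealm(new HashUserRealm("Grouper", authConfigFile));
      } catch (IOException e) {
        // Fail closed: a security handler with no realm must never be put in front of the app.
        throw new IllegalStateException("Cannot read basic auth config file " + authConfigFile, e);
      }
      sh.setConstraintMappings(new ConstraintMapping[] {cm});

      // Wrap the application handler in the security handler instead of listing the two side by
      // side, so the application handler only runs for requests that passed the constraint check.
      sh.setHandler(new EsbHttpHandler());
      server.setHandler(sh);
    } else {
      if (LOG.isDebugEnabled()) {
        LOG.debug("Not requiring basic auth");
      }
      server.setHandler(new EsbHttpHandler());
    }
    try {
      server.start();
      LOG.info("HTTP server started on address " + bindAddress + " port " + port);
      server.join();
    } catch (InterruptedException e) {
      // Preserve the interrupt for whoever runs this job thread.
      Thread.currentThread().interrupt();
      LOG.info("HTTP server thread interrupted");
    } catch (Exception e) {
      LOG.error("HTTP server failed to start on address " + bindAddress + " port " + port, e);
    }
  }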
  /**
   * Starts the authenticated remote-access web server on first use and registers the remote
   * access forwarder with the core.
   * <p>
   * The server is only built when {@code remoteAccessForward} is still {@code null}; later calls
   * skip the setup and only repeat the final {@code setRemoteAccess} registration. The listener is
   * bound to {@code LOCALHOST} on {@code Constants.LOCAL_WEB_SERVER_PORT_AUTH} and every path
   * ("/*") requires HTTP Basic authentication with the "remote_user" role against the realm read
   * from {@code RemoteAccessConfig.REMOTE_ACCESS_FILE}.
   * <p>
   * Synchronized so that concurrent callers cannot both see {@code remoteAccessForward == null}
   * and start two servers.
   *
   * @throws Exception if the realm file cannot be resolved or the server fails to start
   */
  private synchronized void enableRemoteAccess() throws Exception {

    if (remoteAccessForward == null) {
      logger.fine("enabling remote access");
      // NOTE(review): LOCALHOST is presumably a loopback address, which keeps the authenticated
      // port off external interfaces — confirm against the constant's definition.
      Connector connector = new SelectChannelConnector();
      connector.setHost(LOCALHOST);
      connector.setPort(Constants.LOCAL_WEB_SERVER_PORT_AUTH);

      authenticatedServer = new Server();
      authenticatedServer.addConnector(connector);

      // sets the thread pool (just so it is daemon=true, so it does not keep the JVM alive)
      QueuedThreadPool threadPool = new QueuedThreadPool();
      threadPool.setMinThreads(5);
      // threadPool.setMaxThreads(10);
      threadPool.setName("Auth Jetty thread pool");
      threadPool.setDaemon(true);
      authenticatedServer.setThreadPool(threadPool);

      // Basic auth for everything: the constraint requires an authenticated "remote_user".
      Constraint constraint = new Constraint();
      constraint.setName(Constraint.__BASIC_AUTH);
      constraint.setRoles(new String[] {"remote_user"});
      constraint.setAuthenticate(true);

      ConstraintMapping cm = new ConstraintMapping();
      cm.setConstraint(constraint);
      cm.setPathSpec("/*");

      // Realm backed by the remote-access file; the first argument selects the MD5/SHA1 password
      // scheme, see RemoteAccessConfig.
      SecurityHandler securityHandler = new SecurityHandler();
      securityHandler.setUserRealm(
          new ExtraSaltHashUserRealm(
              RemoteAccessConfig.usesMD5Sha1Password(),
              "OneSwarm Remote",
              RemoteAccessConfig.REMOTE_ACCESS_FILE.getCanonicalPath()));
      securityHandler.setConstraintMappings(new ConstraintMapping[] {cm});

      ContextHandlerCollection contexts = new ContextHandlerCollection();

      authenticatedServer.setHandler(contexts);
      // Session-less root context; the Context constructor attaches it to `contexts`.
      Context root = new Context(contexts, "/", Context.NO_SESSIONS);

      root.addFilter(new FilterHolder(new GzipFilter()), "/*", Handler.ALL);

      MultiHandler mh = new MultiHandler(coreInterface, true);

      // Request logging is only switched on together with JMX remote management.
      if (System.getProperty("com.sun.management.jmxremote") != null) {
        RequestLogHandler requestLogHandler = new RequestLogHandler();

        // NOTE(review): fixed, predictable path in the shared /tmp directory, truncated on each
        // start (setAppend(false)); on a multi-user host another account can pre-create or link
        // that name. A per-user or configured log directory would be safer.
        NCSARequestLog requestLog = new NCSARequestLog("/tmp/jetty-yyyy_mm_dd.remoterequest.log");
        requestLog.setRetainDays(1);
        requestLog.setAppend(false);
        requestLog.setExtended(true);
        requestLog.setLogTimeZone("GMT");
        requestLogHandler.setRequestLog(requestLog);

        HandlerCollection handlers = new HandlerCollection();
        handlers.setHandlers(new Handler[] {mh, requestLogHandler});
        root.setHandler(handlers);
      } else {
        root.setHandler(mh);
      }

      // NOTE(review): the security handler is added after the application handler has been set;
      // confirm it ends up wrapping the handler chain (so MultiHandler is only reached after the
      // constraint check) rather than sitting beside it.
      root.addHandler(securityHandler);

      // make sure that the class loader can find all classes in the
      // osgwtui
      // plugin dir...
      root.setClassLoader(pluginInterface.getPluginClassLoader());

      authenticatedServer.start();

      remoteAccessForward = new RemoteAccessForward();
      remoteAccessForward.start();
      logger.fine("remote access enabled");
    }
    // Runs on every call, including when remote access was already enabled earlier.
    coreInterface.setRemoteAccess(remoteAccessForward);
  }