/** Set up basic security constraints for the webapp. Add all users and passwords. */
static void initialize(RouterContext ctx, WebAppContext context) {
SecurityHandler sec = new SecurityHandler();
List<ConstraintMapping> constraints = new ArrayList(4);
ConsolePasswordManager mgr = new ConsolePasswordManager(ctx);
boolean enable = ctx.getBooleanProperty(PROP_PW_ENABLE);
if (enable) {
Map<String, String> userpw = mgr.getMD5(PROP_CONSOLE_PW);
if (userpw.isEmpty()) {
enable = false;
ctx.router().saveConfig(PROP_CONSOLE_PW, "false");
} else {
HashUserRealm realm = new HashUserRealm(JETTY_REALM);
sec.setUserRealm(realm);
sec.setAuthenticator(authenticator);
for (Map.Entry<String, String> e : userpw.entrySet()) {
String user = e.getKey();
String pw = e.getValue();
realm.put(user, MD5.__TYPE + pw);
realm.addUserToRole(user, JETTY_ROLE);
Constraint constraint = new Constraint(user, JETTY_ROLE);
constraint.setAuthenticate(true);
ConstraintMapping cm = new ConstraintMapping();
cm.setConstraint(constraint);
cm.setPathSpec("/");
constraints.add(cm);
}
}
}
// This forces a '403 Forbidden' response for TRACE and OPTIONS unless the
// WAC handler handles it.
// (LocaleWebAppHandler returns a '405 Method Not Allowed')
// TRACE and OPTIONS aren't really security issues...
// TRACE doesn't echo stuff unless you call setTrace(true)
// But it might bug some people
// The other strange methods - PUT, DELETE, MOVE - are disabled by default
// See also:
// http://old.nabble.com/Disable-HTTP-TRACE-in-Jetty-5.x-td12412607.html
Constraint sc = new Constraint();
sc.setName("No trace");
ConstraintMapping cm = new ConstraintMapping();
cm.setMethod("TRACE");
cm.setConstraint(sc);
cm.setPathSpec("/");
constraints.add(cm);
sc = new Constraint();
sc.setName("No options");
cm = new ConstraintMapping();
cm.setMethod("OPTIONS");
cm.setConstraint(sc);
cm.setPathSpec("/");
constraints.add(cm);
ConstraintMapping cmarr[] = constraints.toArray(new ConstraintMapping[constraints.size()]);
sec.setConstraintMappings(cmarr);
context.setSecurityHandler(sec);
}
private ConstraintMapping createConstraintMapping(String pathSpec, int dataConstraint) {
ConstraintMapping constraintMapping = new ConstraintMapping();
Constraint constraint = new Constraint();
constraint.setDataConstraint(dataConstraint);
constraintMapping.setPathSpec(pathSpec);
constraintMapping.setConstraint(constraint);
return constraintMapping;
}
private static SecurityHandler createBasicAuthenticationSecurityHandler() {
Constraint constraint = new Constraint(Constraint.__BASIC_AUTH, "superuser");
constraint.setAuthenticate(true);
HashUserRealm myRealm = new HashUserRealm("MyRealm");
myRealm.put("tobechanged", "tobechanged");
myRealm.addUserToRole("tobechanged", "superuser");
SecurityHandler securityHandler = new SecurityHandler();
securityHandler.setUserRealm(myRealm);
ConstraintMapping constraintMapping = new ConstraintMapping();
constraintMapping.setConstraint(constraint);
constraintMapping.setPathSpec("/*");
securityHandler.setConstraintMappings(new ConstraintMapping[] {constraintMapping});
return securityHandler;
}
/**
* Method to start the Jetty server
*
* @param jobDataMap
*/
private void startServer(JobDataMap jobDataMap) {
if (LOG.isDebugEnabled()) {
LOG.debug("Initialising HTTP server");
}
int port = Integer.parseInt(jobDataMap.getString("port"));
String bindAddress = jobDataMap.getString("bindAddress");
String authConfigFile = jobDataMap.getString("authConfigFile");
String keystore = jobDataMap.getString("keystore");
Server server = new Server();
if (keystore == null || keystore.equals("")) {
LOG.info("Starting with HTTP (non-encrypted) protocol");
SelectChannelConnector connector = new SelectChannelConnector();
connector.setHost(bindAddress);
connector.setPort(port);
server.addConnector(connector);
} else {
LOG.info("Starting with HTTPS (encrypted) protocol");
SslSocketConnector sslConnector = new SslSocketConnector();
sslConnector.setHost(bindAddress);
sslConnector.setPort(port);
sslConnector.setKeystore(jobDataMap.getString("keystore"));
sslConnector.setKeyPassword(jobDataMap.getString("keyPassword"));
sslConnector.setTruststore(jobDataMap.getString("trustStore"));
sslConnector.setTrustPassword(jobDataMap.getString("trustPassword"));
sslConnector.setPassword(jobDataMap.getString("password"));
server.addConnector(sslConnector);
}
if (authConfigFile != null && !(authConfigFile.equals(""))) {
if (LOG.isDebugEnabled()) {
LOG.debug("Requiring basic auth");
}
Constraint constraint = new Constraint();
constraint.setName(Constraint.__BASIC_AUTH);
;
constraint.setRoles(new String[] {"user", "grouper"});
constraint.setAuthenticate(true);
ConstraintMapping cm = new ConstraintMapping();
cm.setConstraint(constraint);
cm.setPathSpec("/*");
SecurityHandler sh = new SecurityHandler();
try {
sh.setUserRealm(new HashUserRealm("Grouper", authConfigFile));
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
sh.setConstraintMappings(new ConstraintMapping[] {cm});
Handler[] handlers = new Handler[] {sh, new EsbHttpHandler()};
server.setHandlers(handlers);
} else {
if (LOG.isDebugEnabled()) {
LOG.debug("Not requiring basic auth");
}
server.setHandler(new EsbHttpHandler());
}
try {
server.start();
LOG.info("HTTP server started on address " + bindAddress + " port " + port);
server.join();
} catch (Exception e) {
e.printStackTrace();
}
}
private synchronized void enableRemoteAccess() throws Exception {
if (remoteAccessForward == null) {
logger.fine("enabling remote access");
Connector connector = new SelectChannelConnector();
connector.setHost(LOCALHOST);
connector.setPort(Constants.LOCAL_WEB_SERVER_PORT_AUTH);
authenticatedServer = new Server();
authenticatedServer.addConnector(connector);
// sets the thread pool (just so it is deamon=true)
QueuedThreadPool threadPool = new QueuedThreadPool();
threadPool.setMinThreads(5);
// threadPool.setMaxThreads(10);
threadPool.setName("Auth Jetty thread pool");
threadPool.setDaemon(true);
authenticatedServer.setThreadPool(threadPool);
Constraint constraint = new Constraint();
constraint.setName(Constraint.__BASIC_AUTH);
constraint.setRoles(new String[] {"remote_user"});
constraint.setAuthenticate(true);
ConstraintMapping cm = new ConstraintMapping();
cm.setConstraint(constraint);
cm.setPathSpec("/*");
SecurityHandler securityHandler = new SecurityHandler();
securityHandler.setUserRealm(
new ExtraSaltHashUserRealm(
RemoteAccessConfig.usesMD5Sha1Password(),
"OneSwarm Remote",
RemoteAccessConfig.REMOTE_ACCESS_FILE.getCanonicalPath()));
securityHandler.setConstraintMappings(new ConstraintMapping[] {cm});
ContextHandlerCollection contexts = new ContextHandlerCollection();
authenticatedServer.setHandler(contexts);
Context root = new Context(contexts, "/", Context.NO_SESSIONS);
root.addFilter(new FilterHolder(new GzipFilter()), "/*", Handler.ALL);
MultiHandler mh = new MultiHandler(coreInterface, true);
if (System.getProperty("com.sun.management.jmxremote") != null) {
RequestLogHandler requestLogHandler = new RequestLogHandler();
NCSARequestLog requestLog = new NCSARequestLog("/tmp/jetty-yyyy_mm_dd.remoterequest.log");
requestLog.setRetainDays(1);
requestLog.setAppend(false);
requestLog.setExtended(true);
requestLog.setLogTimeZone("GMT");
requestLogHandler.setRequestLog(requestLog);
HandlerCollection handlers = new HandlerCollection();
handlers.setHandlers(new Handler[] {mh, requestLogHandler});
root.setHandler(handlers);
} else {
root.setHandler(mh);
}
root.addHandler(securityHandler);
// make sure that the class loader can find all classes in the
// osgwtui
// plugin dir...
root.setClassLoader(pluginInterface.getPluginClassLoader());
authenticatedServer.start();
remoteAccessForward = new RemoteAccessForward();
remoteAccessForward.start();
logger.fine("remote access enabled");
}
coreInterface.setRemoteAccess(remoteAccessForward);
}
