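/**
 * Set up basic security constraints for the webapp. Add all users and passwords.
 *
 * <p>When {@code PROP_PW_ENABLE} is true and {@code ConsolePasswordManager.getMD5} returns at
 * least one user, a {@link HashUserRealm} named {@code JETTY_REALM} is installed on the
 * {@link SecurityHandler}: each user is stored with an {@code MD5.__TYPE}-prefixed credential,
 * added to {@code JETTY_ROLE}, and given an authenticating constraint on path {@code /}.
 * Independently of that, TRACE and OPTIONS on {@code /} always receive a constraint with no
 * roles (see the inline comment for the original author's rationale).
 *
 * @param ctx router context supplying the configuration properties
 * @param context webapp context that receives the resulting {@link SecurityHandler}
 */
static void initialize(RouterContext ctx, WebAppContext context) {
    SecurityHandler sec = new SecurityHandler();
    List<ConstraintMapping> constraints = new ArrayList<ConstraintMapping>(4);
    ConsolePasswordManager mgr = new ConsolePasswordManager(ctx);

    if (ctx.getBooleanProperty(PROP_PW_ENABLE)) {
        Map<String, String> userpw = mgr.getMD5(PROP_CONSOLE_PW);
        if (userpw.isEmpty()) {
            // Auth was requested but no credentials exist: persist the disabled state.
            // NOTE(review): the key written here is PROP_CONSOLE_PW, while the flag read
            // above is PROP_PW_ENABLE — confirm this is the intended key.
            ctx.router().saveConfig(PROP_CONSOLE_PW, "false");
        } else {
            HashUserRealm realm = new HashUserRealm(JETTY_REALM);
            sec.setUserRealm(realm);
            sec.setAuthenticator(authenticator);
            for (Map.Entry<String, String> e : userpw.entrySet()) {
                String user = e.getKey();
                String pw = e.getValue();
                // The realm expects the credential type as a prefix of the stored value.
                realm.put(user, MD5.__TYPE + pw);
                realm.addUserToRole(user, JETTY_ROLE);
                Constraint constraint = new Constraint(user, JETTY_ROLE);
                constraint.setAuthenticate(true);
                ConstraintMapping cm = new ConstraintMapping();
                cm.setConstraint(constraint);
                cm.setPathSpec("/");
                constraints.add(cm);
            }
        }
    }

    // This forces a '403 Forbidden' response for TRACE and OPTIONS unless the
    // WAC handler handles it.
    // (LocaleWebAppHandler returns a '405 Method Not Allowed')
    // TRACE and OPTIONS aren't really security issues...
    // TRACE doesn't echo stuff unless you call setTrace(true)
    // But it might bug some people
    // The other strange methods - PUT, DELETE, MOVE - are disabled by default
    // See also:
    // http://old.nabble.com/Disable-HTTP-TRACE-in-Jetty-5.x-td12412607.html
    constraints.add(denyMethod("No trace", "TRACE"));
    constraints.add(denyMethod("No options", "OPTIONS"));

    ConstraintMapping[] cmarr = constraints.toArray(new ConstraintMapping[constraints.size()]);
    sec.setConstraintMappings(cmarr);
    context.setSecurityHandler(sec);
}

/**
 * Builds a constraint mapping for path {@code /} that carries a named, role-less
 * {@link Constraint} for the given HTTP method.
 *
 * @param name constraint name (informational)
 * @param method HTTP method the mapping applies to
 * @return the populated mapping
 */
private static ConstraintMapping denyMethod(String name, String method) {
    Constraint sc = new Constraint();
    sc.setName(name);
    ConstraintMapping cm = new ConstraintMapping();
    cm.setMethod(method);
    cm.setConstraint(sc);
    cm.setPathSpec("/");
    return cm;
}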
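/**
 * Starts the embedded Jetty server described by {@code jobDataMap} and blocks until it stops.
 *
 * <p>Reads {@code port}, {@code bindAddress}, {@code authConfigFile} and {@code keystore} from
 * the map. A non-empty {@code keystore} selects an HTTPS connector (which also reads
 * {@code keyPassword}, {@code trustStore}, {@code trustPassword} and {@code password});
 * otherwise a plain HTTP connector is used. A non-empty {@code authConfigFile} places the ESB
 * handler behind BASIC auth on {@code /*}, backed by a {@link HashUserRealm} loaded from that
 * file and requiring role {@code user} or {@code grouper}.
 *
 * @param jobDataMap job configuration; {@code port} must parse as an int
 * @throws NumberFormatException if {@code port} is not an integer
 * @throws IllegalStateException if the auth config file cannot be read
 */
private void startServer(JobDataMap jobDataMap) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("Initialising HTTP server");
    }
    int port = Integer.parseInt(jobDataMap.getString("port"));
    String bindAddress = jobDataMap.getString("bindAddress");
    String authConfigFile = jobDataMap.getString("authConfigFile");
    String keystore = jobDataMap.getString("keystore");

    Server server = new Server();
    if (keystore == null || keystore.equals("")) {
        LOG.info("Starting with HTTP (non-encrypted) protocol");
        SelectChannelConnector connector = new SelectChannelConnector();
        connector.setHost(bindAddress);
        connector.setPort(port);
        server.addConnector(connector);
    } else {
        LOG.info("Starting with HTTPS (encrypted) protocol");
        SslSocketConnector sslConnector = new SslSocketConnector();
        sslConnector.setHost(bindAddress);
        sslConnector.setPort(port);
        sslConnector.setKeystore(keystore);
        sslConnector.setKeyPassword(jobDataMap.getString("keyPassword"));
        sslConnector.setTruststore(jobDataMap.getString("trustStore"));
        sslConnector.setTrustPassword(jobDataMap.getString("trustPassword"));
        sslConnector.setPassword(jobDataMap.getString("password"));
        server.addConnector(sslConnector);
    }

    if (authConfigFile != null && !authConfigFile.equals("")) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Requiring basic auth");
        }
        Constraint constraint = new Constraint();
        constraint.setName(Constraint.__BASIC_AUTH);
        constraint.setRoles(new String[] {"user", "grouper"});
        constraint.setAuthenticate(true);
        ConstraintMapping cm = new ConstraintMapping();
        cm.setConstraint(constraint);
        cm.setPathSpec("/*");

        SecurityHandler sh = new SecurityHandler();
        try {
            sh.setUserRealm(new HashUserRealm("Grouper", authConfigFile));
        } catch (IOException e) {
            // Fail closed: without a realm the security handler cannot authenticate anyone,
            // so refuse to start rather than serve with a broken auth configuration.
            throw new IllegalStateException("Cannot load auth config file " + authConfigFile, e);
        }
        sh.setConstraintMappings(new ConstraintMapping[] {cm});
        // Nest the ESB handler inside the security handler so a request reaches it only
        // after the constraint check passes; as siblings in a handler collection the ESB
        // handler could be invoked regardless of the auth outcome.
        sh.setHandler(new EsbHttpHandler());
        server.setHandler(sh);
    } else {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Not requiring basic auth");
        }
        server.setHandler(new EsbHttpHandler());
    }

    try {
        server.start();
        LOG.info("HTTP server started on address " + bindAddress + " port " + port);
        server.join();
    } catch (InterruptedException e) {
        // Restore the interrupt flag so the caller can observe the interruption.
        Thread.currentThread().interrupt();
        LOG.info("HTTP server interrupted while waiting for shutdown");
    } catch (Exception e) {
        LOG.error("HTTP server failed", e);
    }
}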
/**
 * Starts the authenticated, loopback-only Jetty server used for remote access together with the
 * {@link RemoteAccessForward} in front of it; a no-op when remote access is already enabled.
 *
 * <p>The connector binds {@code LOCALHOST}:{@code Constants.LOCAL_WEB_SERVER_PORT_AUTH}. Every
 * path ({@code /*}) requires BASIC auth with role {@code remote_user}, backed by an
 * {@link ExtraSaltHashUserRealm} loaded from {@code RemoteAccessConfig.REMOTE_ACCESS_FILE}.
 * Declared {@code synchronized} so concurrent callers cannot start the server twice.
 *
 * @throws Exception if the realm file path cannot be resolved or the server fails to start
 */
private synchronized void enableRemoteAccess() throws Exception {
    if (remoteAccessForward == null) {
        logger.fine("enabling remote access");
        // Loopback only; presumably reached from outside via RemoteAccessForward — verify.
        Connector connector = new SelectChannelConnector();
        connector.setHost(LOCALHOST);
        connector.setPort(Constants.LOCAL_WEB_SERVER_PORT_AUTH);
        authenticatedServer = new Server();
        authenticatedServer.addConnector(connector);

        // sets the thread pool (just so it is daemon=true)
        QueuedThreadPool threadPool = new QueuedThreadPool();
        threadPool.setMinThreads(5);
        // threadPool.setMaxThreads(10);
        threadPool.setName("Auth Jetty thread pool");
        threadPool.setDaemon(true);
        authenticatedServer.setThreadPool(threadPool);

        // BASIC auth on every path; only the remote_user role is accepted.
        Constraint constraint = new Constraint();
        constraint.setName(Constraint.__BASIC_AUTH);
        constraint.setRoles(new String[] {"remote_user"});
        constraint.setAuthenticate(true);
        ConstraintMapping cm = new ConstraintMapping();
        cm.setConstraint(constraint);
        cm.setPathSpec("/*");
        SecurityHandler securityHandler = new SecurityHandler();
        securityHandler.setUserRealm(
            new ExtraSaltHashUserRealm(
                RemoteAccessConfig.usesMD5Sha1Password(),
                "OneSwarm Remote",
                RemoteAccessConfig.REMOTE_ACCESS_FILE.getCanonicalPath()));
        securityHandler.setConstraintMappings(new ConstraintMapping[] {cm});

        ContextHandlerCollection contexts = new ContextHandlerCollection();
        authenticatedServer.setHandler(contexts);
        Context root = new Context(contexts, "/", Context.NO_SESSIONS);
        root.addFilter(new FilterHolder(new GzipFilter()), "/*", Handler.ALL);
        MultiHandler mh = new MultiHandler(coreInterface, true);

        // Request logging is only enabled when the JMX remote system property is present.
        if (System.getProperty("com.sun.management.jmxremote") != null) {
            RequestLogHandler requestLogHandler = new RequestLogHandler();
            // NOTE(review): fixed log path under the shared /tmp directory; consider an
            // application-owned directory instead.
            NCSARequestLog requestLog = new NCSARequestLog("/tmp/jetty-yyyy_mm_dd.remoterequest.log");
            requestLog.setRetainDays(1);
            requestLog.setAppend(false);
            requestLog.setExtended(true);
            requestLog.setLogTimeZone("GMT");
            requestLogHandler.setRequestLog(requestLog);
            HandlerCollection handlers = new HandlerCollection();
            handlers.setHandlers(new Handler[] {mh, requestLogHandler});
            root.setHandler(handlers);
        } else {
            root.setHandler(mh);
        }
        // Added after the content handler so the security check sits in front of it
        // in the context's handler chain — order matters here.
        root.addHandler(securityHandler);

        // make sure that the class loader can find all classes in the
        // osgwtui
        // plugin dir...
        root.setClassLoader(pluginInterface.getPluginClassLoader());

        authenticatedServer.start();
        remoteAccessForward = new RemoteAccessForward();
        remoteAccessForward.start();
        logger.fine("remote access enabled");
    }
    coreInterface.setRemoteAccess(remoteAccessForward);
}