Пример #1
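  /**
   * Set up basic security constraints for the webapp: register every configured console user with
   * the Jetty realm and add constraints for the TRACE and OPTIONS methods.
   *
   * <p>A realm, an authenticator and per-user constraints are installed only when {@code
   * PROP_PW_ENABLE} is true and the password manager returns at least one user for {@code
   * PROP_CONSOLE_PW}. When the flag is set but no users are found, this method installs no
   * authentication constraint at all.
   *
   * @param ctx router context used to read the password settings and to save configuration
   * @param context webapp that receives the configured security handler
   */
  static void initialize(RouterContext ctx, WebAppContext context) {
    SecurityHandler sec = new SecurityHandler();
    // Typed list: the original used a raw ArrayList, which compiles with an unchecked warning.
    List<ConstraintMapping> constraints = new ArrayList<ConstraintMapping>(4);
    ConsolePasswordManager mgr = new ConsolePasswordManager(ctx);
    if (ctx.getBooleanProperty(PROP_PW_ENABLE)) {
      Map<String, String> userpw = mgr.getMD5(PROP_CONSOLE_PW);
      if (userpw.isEmpty()) {
        // NOTE(review): the enable flag is read from PROP_PW_ENABLE, but "false" is saved under
        // PROP_CONSOLE_PW, the key used for the user lookup above. This looks like the wrong
        // key - confirm intent before changing it.
        // Either way this branch fails open: passwords were requested, none are configured,
        // and the webapp is set up without authentication. Consider logging it so an operator
        // notices.
        ctx.router().saveConfig(PROP_CONSOLE_PW, "false");
      } else {
        HashUserRealm realm = new HashUserRealm(JETTY_REALM);
        sec.setUserRealm(realm);
        sec.setAuthenticator(authenticator);
        for (Map.Entry<String, String> e : userpw.entrySet()) {
          String user = e.getKey();
          String pw = e.getValue();
          // The credential is stored as the MD5 type prefix followed by the value returned by
          // the password manager.
          // NOTE(review): MD5 is a weak digest for stored passwords; presumably dictated by the
          // configured authenticator - confirm.
          realm.put(user, MD5.__TYPE + pw);
          realm.addUserToRole(user, JETTY_ROLE);
          // One authenticated constraint per user, named after the user, covering "/".
          Constraint constraint = new Constraint(user, JETTY_ROLE);
          constraint.setAuthenticate(true);
          ConstraintMapping cm = new ConstraintMapping();
          cm.setConstraint(constraint);
          cm.setPathSpec("/");
          constraints.add(cm);
        }
      }
    }

    // This forces a '403 Forbidden' response for TRACE and OPTIONS unless the
    // WAC handler handles it.
    // (LocaleWebAppHandler returns a '405 Method Not Allowed')
    // TRACE and OPTIONS aren't really security issues...
    // TRACE doesn't echo stuff unless you call setTrace(true)
    // But it might bug some people
    // The other strange methods - PUT, DELETE, MOVE - are disabled by default
    // See also:
    // http://old.nabble.com/Disable-HTTP-TRACE-in-Jetty-5.x-td12412607.html
    //
    // NOTE(review): these constraints carry no roles and never call setAuthenticate(true);
    // verify against the Jetty version in use that they really produce the 403 described above.
    String[][] blockedMethods = {{"No trace", "TRACE"}, {"No options", "OPTIONS"}};
    for (String[] entry : blockedMethods) {
      Constraint sc = new Constraint();
      sc.setName(entry[0]);
      ConstraintMapping cm = new ConstraintMapping();
      cm.setMethod(entry[1]);
      cm.setConstraint(sc);
      cm.setPathSpec("/");
      constraints.add(cm);
    }

    ConstraintMapping[] cmarr = constraints.toArray(new ConstraintMapping[constraints.size()]);
    sec.setConstraintMappings(cmarr);

    context.setSecurityHandler(sec);
  }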
Пример #2
 /**
  * Refresh the message-history settings from the context: whether history is kept
  * ({@code PROP_KEEP_MESSAGE_HISTORY}) and which file it goes to
  * ({@code PROP_MESSAGE_HISTORY_FILENAME}, falling back to
  * {@code DEFAULT_MESSAGE_HISTORY_FILENAME}).
  */
 private void updateSettings() {
   // Keep the original order: the flag is stored before the filename is looked up.
   this._doLog = _context.getBooleanProperty(PROP_KEEP_MESSAGE_HISTORY);
   // NOTE(review): the filename comes straight from configuration; whether it is validated
   // before use is not visible here.
   this._historyFile =
       _context.getProperty(PROP_MESSAGE_HISTORY_FILENAME, DEFAULT_MESSAGE_HISTORY_FILENAME);
 }
Пример #3
 /**
  * Reports whether the {@code PROP_ADVANCED} boolean property is set in the context.
  *
  * @return the value of the {@code PROP_ADVANCED} boolean property
  * @since 0.9.9
  */
 public boolean isAdvanced() {
   final boolean advanced = _context.getBooleanProperty(PROP_ADVANCED);
   return advanced;
 }
Пример #4
 /**
  * Maps a boolean property to the HTML fragment that marks a checkbox as checked.
  *
  * <p>Only the constant {@code CHECKED} or the empty string is returned; the property name and
  * value are never echoed into the result.
  *
  * @param prop must default to false
  * @return non-null, either "" or " checked=\"checked\" "
  * @since 0.9.24 consolidated from various helpers
  */
 protected String getChecked(String prop) {
   return _context.getBooleanProperty(prop) ? CHECKED : "";
 }
Пример #5
 /**
  * Choose the certificate for a new RouterInfo.
  *
  * <p>Only called at startup via LoadRouterInfoJob and RebuildRouterInfoJob, not by the periodic
  * RepublishLocalRouterInfoJob: changing the cert on the fly would change the router hash.
  * RouterInfo.isHidden() checks the capability, but RouterIdentity.isHidden() checks the cert.
  * There's no reason to ever add a hidden cert?
  *
  * <p>The {@code Router.PROP_HIDDEN} property is consulted only for {@code SigType.DSA_SHA1}
  * keys; any other signing key type gets a {@code KeyCertificate} regardless of that property.
  *
  * @param ctx router context used to read the hidden-mode property
  * @param spk signing public key whose type selects the certificate kind
  * @return the certificate for a new RouterInfo - probably a null cert.
  * @since 0.9.16 moved from Router
  */
 static Certificate createCertificate(RouterContext ctx, SigningPublicKey spk) {
   final boolean isDsaSha1 = spk.getType() == SigType.DSA_SHA1;
   if (!isDsaSha1) {
     // Any other signature type gets a key certificate built from the key itself.
     return new KeyCertificate(spk);
   }
   if (ctx.getBooleanProperty(Router.PROP_HIDDEN)) {
     return new Certificate(Certificate.CERTIFICATE_TYPE_HIDDEN, null);
   } else {
     return Certificate.NULL_CERT;
   }
 }