/** Set up basic security constraints for the webapp. Add all users and passwords. */
static void initialize(RouterContext ctx, WebAppContext context) {
SecurityHandler sec = new SecurityHandler();
List<ConstraintMapping> constraints = new ArrayList(4);
ConsolePasswordManager mgr = new ConsolePasswordManager(ctx);
boolean enable = ctx.getBooleanProperty(PROP_PW_ENABLE);
if (enable) {
Map<String, String> userpw = mgr.getMD5(PROP_CONSOLE_PW);
if (userpw.isEmpty()) {
enable = false;
ctx.router().saveConfig(PROP_CONSOLE_PW, "false");
} else {
HashUserRealm realm = new HashUserRealm(JETTY_REALM);
sec.setUserRealm(realm);
sec.setAuthenticator(authenticator);
for (Map.Entry<String, String> e : userpw.entrySet()) {
String user = e.getKey();
String pw = e.getValue();
realm.put(user, MD5.__TYPE + pw);
realm.addUserToRole(user, JETTY_ROLE);
Constraint constraint = new Constraint(user, JETTY_ROLE);
constraint.setAuthenticate(true);
ConstraintMapping cm = new ConstraintMapping();
cm.setConstraint(constraint);
cm.setPathSpec("/");
constraints.add(cm);
}
}
}
// This forces a '403 Forbidden' response for TRACE and OPTIONS unless the
// WAC handler handles it.
// (LocaleWebAppHandler returns a '405 Method Not Allowed')
// TRACE and OPTIONS aren't really security issues...
// TRACE doesn't echo stuff unless you call setTrace(true)
// But it might bug some people
// The other strange methods - PUT, DELETE, MOVE - are disabled by default
// See also:
// http://old.nabble.com/Disable-HTTP-TRACE-in-Jetty-5.x-td12412607.html
Constraint sc = new Constraint();
sc.setName("No trace");
ConstraintMapping cm = new ConstraintMapping();
cm.setMethod("TRACE");
cm.setConstraint(sc);
cm.setPathSpec("/");
constraints.add(cm);
sc = new Constraint();
sc.setName("No options");
cm = new ConstraintMapping();
cm.setMethod("OPTIONS");
cm.setConstraint(sc);
cm.setPathSpec("/");
constraints.add(cm);
ConstraintMapping cmarr[] = constraints.toArray(new ConstraintMapping[constraints.size()]);
sec.setConstraintMappings(cmarr);
context.setSecurityHandler(sec);
}
private void updateSettings() {
_doLog = _context.getBooleanProperty(PROP_KEEP_MESSAGE_HISTORY);
_historyFile =
_context.getProperty(PROP_MESSAGE_HISTORY_FILENAME, DEFAULT_MESSAGE_HISTORY_FILENAME);
}
/** @since 0.9.9 */
public boolean isAdvanced() {
return _context.getBooleanProperty(PROP_ADVANCED);
}
/**
* Is a boolean property set to true?
*
* @param prop must default to false
* @return non-null, either "" or " checked=\"checked\" "
* @since 0.9.24 consolidated from various helpers
*/
protected String getChecked(String prop) {
if (_context.getBooleanProperty(prop)) return CHECKED;
return "";
}
/**
* Only called at startup via LoadRouterInfoJob and RebuildRouterInfoJob. Not called by periodic
* RepublishLocalRouterInfoJob. We don't want to change the cert on the fly as it changes the
* router hash. RouterInfo.isHidden() checks the capability, but RouterIdentity.isHidden() checks
* the cert. There's no reason to ever add a hidden cert?
*
* @return the certificate for a new RouterInfo - probably a null cert.
* @since 0.9.16 moved from Router
*/
static Certificate createCertificate(RouterContext ctx, SigningPublicKey spk) {
if (spk.getType() != SigType.DSA_SHA1) return new KeyCertificate(spk);
if (ctx.getBooleanProperty(Router.PROP_HIDDEN))
return new Certificate(Certificate.CERTIFICATE_TYPE_HIDDEN, null);
return Certificate.NULL_CERT;
}