
svn commit: r1563139 - in /jena/branches/jena-fuseki-new-ui: ./ src/main/java/org/apache/jena/fuseki/ src/main/java/org/apache/jena/fuseki/authz/

Author: andy
Date: Fri Jan 31 14:28:51 2014
New Revision: 1563139

URL: http://svn.apache.org/r1563139
Log:
Restrict admin functions to localhost (except /$/status and /$/ping).

Added:
    jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/authz/
    jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/authz/AuthorizationFilter403.java
    jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/authz/LocalhostFilter.java
Modified:
    jena/branches/jena-fuseki-new-ui/shiro.ini
    jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/FusekiCmd.java

Modified: jena/branches/jena-fuseki-new-ui/shiro.ini
URL: http://svn.apache.org/viewvc/jena/branches/jena-fuseki-new-ui/shiro.ini?rev=1563139&r1=1563138&r2=1563139&view=diff
==============================================================================
--- jena/branches/jena-fuseki-new-ui/shiro.ini (original)
+++ jena/branches/jena-fuseki-new-ui/shiro.ini Fri Jan 31 14:28:51 2014
@@ -3,12 +3,13 @@
 ssl.enabled = false 
 
 plainMatcher=org.apache.shiro.authc.credential.SimpleCredentialsMatcher
-
 #iniRealm=org.apache.shiro.realm.text.IniRealm 
 iniRealm.credentialsMatcher = $plainMatcher
 
+localhost=org.apache.jena.fuseki.authz.LocalhostFilter
+
 [users]
-# Implitly adds "iniRealm =  org.apache.shiro.realm.text.IniRealm"
+# Implicitly adds "iniRealm =  org.apache.shiro.realm.text.IniRealm"
 admin=pw
 
 [roles]
@@ -16,11 +17,18 @@ admin=pw
 [urls]
 ## Control functions open to anyone
 /$/status = anon
+/$/ping   = anon
+
+## and the rest are restricted
+/$/** = localhost
 
-## and those restricted.
+
+## If you want simple, basic authentication user/password on the operations,
+## change the line about to:
 ## /$/** = authcBasic,user[admin]
-/$/** = anon
 
-# Everything else.
-/**=anon
+## or to allow any access.
+##/$/** = anon
 
+# Everything else
+/**=anon
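Review bot: The comment `## change the line about to:` has a typo and should read `## change the line above to:`; more importantly, nothing in this section says that Shiro evaluates [urls] entries in order with the first matching pattern winning, which is the only reason `/$/status` and `/$/ping` stay open once `/$/** = localhost` is added. A maintainer who later moves or appends entries can silently close those two endpoints or, worse, open the rest of `/$/`. Suggested comment directly above `/$/** = localhost`: `## Order matters: the first matching pattern wins, so the anon entries above must stay above this line.`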

Modified: jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/FusekiCmd.java
URL: http://svn.apache.org/viewvc/jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/FusekiCmd.java?rev=1563139&r1=1563138&r2=1563139&view=diff
==============================================================================
--- jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/FusekiCmd.java (original)
+++ jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/FusekiCmd.java Fri Jan 31 14:28:51 2014
@@ -226,8 +226,7 @@ public class FusekiCmd extends CmdARQ {
         add(argAllowUpdate, "--update", "Allow updates (via SPARQL Update and SPARQL HTTP Update)") ;
         add(argFusekiConfig, "--config=", "Use a configuration file to determine the services") ;
         add(argJettyConfig, "--jetty-config=FILE", "Set up the server (not services) with a Jetty XML file") ;
-        add(argBasicAuth, "--basic-auth=FILE",
-            "Configure basic auth using provided Jetty realm file, ignored if --jetty-config is used") ;
+        add(argBasicAuth) ;
         add(argMgt,     "--mgt",          "Enable the management commands") ;
         add(argMgtPort, "--mgtPort=port", "Port for management optations") ;
         add(argHome, "--home=DIR", "Root of Fuseki installation (overrides environment variable FUSEKI_HOME)") ;
@@ -343,6 +342,9 @@ public class FusekiCmd extends CmdARQ {
         }
 
         // ---- Jetty server
+        if ( contains(argBasicAuth) )
+            Fuseki.configLog.warn("--basic-auth ignored: Use Apache Shiro security - see shiro.ini") ;
+            
         if ( contains(argPort) ) {
             String portStr = getValue(argPort) ;
             try {
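Review bot: The new `--basic-auth` handling only logs a warning and then starts the server with the option ignored, so a user who explicitly asked for authentication gets an unauthenticated server unless they read the log, and because the option is now registered without help text (`add(argBasicAuth) ;` in the earlier hunk) the usage output no longer says it is dead. Since the request was for access control, failing fast is the safer behaviour: replace the warn with the command-line error type this class uses for bad arguments, e.g. `throw new CmdException("--basic-auth is no longer supported: use Apache Shiro security - see shiro.ini")`, if `CmdException` is what FusekiCmd throws elsewhere. If the warning is intentionally kept for a release, give `add(argBasicAuth)` a help string stating that the option is deprecated and ignored so the usage text is honest. The whitespace-only line after the `warn` call should be dropped. The enclosing method continues outside both hunks.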

Added: jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/authz/AuthorizationFilter403.java
URL: http://svn.apache.org/viewvc/jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/authz/AuthorizationFilter403.java?rev=1563139&view=auto
==============================================================================
--- jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/authz/AuthorizationFilter403.java (added)
+++ jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/authz/AuthorizationFilter403.java Fri Jan 31 14:28:51 2014
@@ -0,0 +1,55 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.jena.fuseki.authz;
+
+import java.io.IOException ;
+
+import javax.servlet.ServletRequest ;
+import javax.servlet.ServletResponse ;
+import javax.servlet.http.HttpServletResponse ;
+
+import org.apache.jena.web.HttpSC ;
+import org.apache.shiro.web.filter.authz.AuthorizationFilter ;
+import org.apache.shiro.web.util.WebUtils ;
+
+/** Specialise AuthorizationFilter to yield HTTP 403 on access denied */ 
+public abstract class AuthorizationFilter403 extends AuthorizationFilter
+{    
+    private String message ;
+
+    protected AuthorizationFilter403(String text) { setMessage(text) ; }
+    
+    /** Set the message used in HTTP 403 responses */
+    public void setMessage(String msg) { message = msg ; }
+    
+    public String getMessage() { return message ; }
+
+    @Override
+    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {
+        HttpServletResponse httpResponse ;
+        try { httpResponse = WebUtils.toHttp(response); }
+        catch (ClassCastException ex) { 
+            // Not a HTTP Servlet operation
+            return super.onAccessDenied(request, response) ;
+        }
+        httpResponse.sendError(HttpSC.FORBIDDEN_403, message) ;
+        return false ;  // No further processing.
+    }
+}
+
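Review bot: `onAccessDenied` uses a ClassCastException from `WebUtils.toHttp(response)` as control flow to detect a non-HTTP response; an explicit type test is clearer and does not depend on the helper's failure mode: `if ( !(response instanceof HttpServletResponse) ) return super.onAccessDenied(request, response) ;` followed by `HttpServletResponse httpResponse = (HttpServletResponse)response ;`. The fallback itself looks to be of little value, since Shiro's base `AuthorizationFilter.onAccessDenied` appears to convert the response to HTTP as well and would presumably fail the same way — worth confirming against the Shiro version in use. `message` is mutable through `setMessage`, which the constructor needs, but the Javadoc on `setMessage` should say that the text is written into the 403 error body by `sendError` and must stay a fixed, non-request-derived string. A denied request is currently silent on the server side; logging the remote address and request path before the 403 is sent would make blocked management attempts visible to operators.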

Added: jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/authz/LocalhostFilter.java
URL: http://svn.apache.org/viewvc/jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/authz/LocalhostFilter.java?rev=1563139&view=auto
==============================================================================
--- jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/authz/LocalhostFilter.java (added)
+++ jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/authz/LocalhostFilter.java Fri Jan 31 14:28:51 2014
@@ -0,0 +1,64 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.jena.fuseki.authz;
+
+import javax.servlet.ServletRequest ;
+import javax.servlet.ServletResponse ;
+
+import org.apache.shiro.web.filter.authz.PortFilter ;
+
+/**
+ * A Filter that can allow or deny access based on whether the
+ * the host that sent the request is the loopback address (AKA localhost).
+ * Use of the external IP address of the local machine does not permit access,
+ * only the loopback interface is authorized.
+ * Responds with HTTP 403 on any denied request.
+ * 
+ * Example:
+ * <pre>
+ * [main]
+ * localhost=org.apache.shiro.web.filter.authz.LocalhostFilter
+ * ...
+ * [urls]
+ * /localFilesforLocalPeople/** = localhost
+ * </pre>
+ * @see PortFilter
+ */
+
+public class LocalhostFilter extends AuthorizationFilter403 {
+    
+    private static final String message = "Access denied : only localhost access allowed" ;   
+    
+    public LocalhostFilter() { super(message); } 
+
+    private static String LOCALHOST_IpV6 =  "0:0:0:0:0:0:0:1" ;
+    private static String LOCALHOST_IpV4 =  "127.0.0.1" ;   // Strictly, 127.*.*.*
+    
+    @Override
+    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
+        String remoteAddr = request.getRemoteAddr() ;
+        if ( LOCALHOST_IpV6.equals(remoteAddr) || LOCALHOST_IpV4.equals(remoteAddr) )
+            return true ;
+        return false ;
+    }
+    
+   
+}
+
+
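Review bot: `isAccessAllowed` compares `getRemoteAddr()` against two literal strings, so the result depends on how the container formats the address: a peer reported as `::1` or `::ffff:127.0.0.1`, or any other 127/8 address (which the `// Strictly, 127.*.*.*` comment itself acknowledges), is denied even though it is local. Parsing the value with `InetAddress.getByName` and testing `isLoopbackAddress()` accepts all of those forms and still fails closed on anything unparsable; `getRemoteAddr()` is specified to return the IP address, not a host name, so no name resolution is triggered (the rewrite needs `java.net.InetAddress` and `java.net.UnknownHostException` imported). Independently, `getRemoteAddr()` is the TCP peer, so when Fuseki sits behind a reverse proxy on the same machine every request arrives from loopback and this filter restricts nothing — the class Javadoc should state that. The two address constants should be `static final`, and the Javadoc example registers `org.apache.shiro.web.filter.authz.LocalhostFilter` whereas the class actually lives at `org.apache.jena.fuseki.authz.LocalhostFilter`, the name the shiro.ini hunk uses.
```java
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
        // getRemoteAddr() is the TCP peer: behind a reverse proxy on this host every request looks local.
        String remoteAddr = request.getRemoteAddr() ;
        if ( remoteAddr == null )
            return false ;
        try {
            // Covers 127/8, "::1", "0:0:0:0:0:0:0:1" and IPv4-mapped "::ffff:127.0.0.1".
            return InetAddress.getByName(remoteAddr).isLoopbackAddress() ;
        } catch (UnknownHostException ex) {
            return false ;   // Fail closed on anything unparsable.
        }
    }
```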