Posted to commits@jena.apache.org by an...@apache.org on 2014/01/31 15:28:51 UTC
svn commit: r1563139 - in /jena/branches/jena-fuseki-new-ui: ./
src/main/java/org/apache/jena/fuseki/
src/main/java/org/apache/jena/fuseki/authz/
Author: andy
Date: Fri Jan 31 14:28:51 2014
New Revision: 1563139
URL: http://svn.apache.org/r1563139
Log:
Restrict admin functions to localhost (except /$/status and /$/ping).
Added:
jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/authz/
jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/authz/AuthorizationFilter403.java
jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/authz/LocalhostFilter.java
Modified:
jena/branches/jena-fuseki-new-ui/shiro.ini
jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/FusekiCmd.java
Modified: jena/branches/jena-fuseki-new-ui/shiro.ini
URL: http://svn.apache.org/viewvc/jena/branches/jena-fuseki-new-ui/shiro.ini?rev=1563139&r1=1563138&r2=1563139&view=diff
==============================================================================
--- jena/branches/jena-fuseki-new-ui/shiro.ini (original)
+++ jena/branches/jena-fuseki-new-ui/shiro.ini Fri Jan 31 14:28:51 2014
@@ -3,12 +3,13 @@
ssl.enabled = false
plainMatcher=org.apache.shiro.authc.credential.SimpleCredentialsMatcher
-
#iniRealm=org.apache.shiro.realm.text.IniRealm
iniRealm.credentialsMatcher = $plainMatcher
+localhost=org.apache.jena.fuseki.authz.LocalhostFilter
+
[users]
-# Implitly adds "iniRealm = org.apache.shiro.realm.text.IniRealm"
+# Implicitly adds "iniRealm = org.apache.shiro.realm.text.IniRealm"
admin=pw
[roles]
@@ -16,11 +17,18 @@ admin=pw
[urls]
## Control functions open to anyone
/$/status = anon
+/$/ping = anon
+
+## and the rest are restricted
+/$/** = localhost
-## and those restricted.
+
+## If you want simple, basic authentication user/password on the operations,
+## change the line about to:
## /$/** = authcBasic,user[admin]
-/$/** = anon
-# Everything else.
-/**=anon
+## or to allow any access.
+##/$/** = anon
+# Everything else
+/**=anon
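Review bot: The new `/$/** = localhost` rule trusts whatever address the servlet container reports as the TCP peer, so if Fuseki is fronted by a reverse proxy running on the same machine every client arrives from 127.0.0.1 and the entire admin area becomes remotely reachable with no authentication. That deployment is common enough that the caveat belongs next to the rule, e.g. `## NOTE: 'localhost' tests the TCP peer address only. Behind a same-host reverse proxy every request looks local - use authcBasic instead.` The new comment `## change the line about to:` also reads as a typo for `above`.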
Modified: jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/FusekiCmd.java
URL: http://svn.apache.org/viewvc/jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/FusekiCmd.java?rev=1563139&r1=1563138&r2=1563139&view=diff
==============================================================================
--- jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/FusekiCmd.java (original)
+++ jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/FusekiCmd.java Fri Jan 31 14:28:51 2014
@@ -226,8 +226,7 @@ public class FusekiCmd extends CmdARQ {
add(argAllowUpdate, "--update", "Allow updates (via SPARQL Update and SPARQL HTTP Update)") ;
add(argFusekiConfig, "--config=", "Use a configuration file to determine the services") ;
add(argJettyConfig, "--jetty-config=FILE", "Set up the server (not services) with a Jetty XML file") ;
- add(argBasicAuth, "--basic-auth=FILE",
- "Configure basic auth using provided Jetty realm file, ignored if --jetty-config is used") ;
+ add(argBasicAuth) ;
add(argMgt, "--mgt", "Enable the management commands") ;
add(argMgtPort, "--mgtPort=port", "Port for management optations") ;
add(argHome, "--home=DIR", "Root of Fuseki installation (overrides environment variable FUSEKI_HOME)") ;
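Review bot: The replacement `add(argBasicAuth) ;` drops the option's usage text, so `--help` no longer mentions `--basic-auth` while the parser still accepts it, and an operator upgrading gets no migration hint from the usage output. Registering it as an explicit deprecation keeps the hint, e.g. `add(argBasicAuth, "--basic-auth=FILE", "Deprecated and ignored: configure authentication in shiro.ini") ;`. That the single-argument `add` hides the option from usage is inferred from the removed lines, not shown in the hunk; the enclosing method continues outside it.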
@@ -343,6 +342,9 @@ public class FusekiCmd extends CmdARQ {
}
// ---- Jetty server
+ if ( contains(argBasicAuth) )
+ Fuseki.configLog.warn("--basic-auth ignored: Use Apache Shiro security - see shiro.ini") ;
+
if ( contains(argPort) ) {
String portStr = getValue(argPort) ;
try {
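Review bot: The added `--basic-auth` check turns a security option into a warning: an operator who still passes `--basic-auth=FILE` expecting password-protected endpoints gets a server with no authentication at all and only a log line to notice it by. A deprecated security flag should refuse to start rather than be silently ignored, e.g. replace the `configLog.warn(...)` with `throw new CmdException("--basic-auth is no longer supported: configure authentication in shiro.ini") ;` — assuming the command framework's `CmdException` is what this class already uses for argument errors, which is not visible in the hunk. The enclosing method starts before and continues after this hunk.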
Added: jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/authz/AuthorizationFilter403.java
URL: http://svn.apache.org/viewvc/jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/authz/AuthorizationFilter403.java?rev=1563139&view=auto
==============================================================================
--- jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/authz/AuthorizationFilter403.java (added)
+++ jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/authz/AuthorizationFilter403.java Fri Jan 31 14:28:51 2014
@@ -0,0 +1,55 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.jena.fuseki.authz;
+
+import java.io.IOException ;
+
+import javax.servlet.ServletRequest ;
+import javax.servlet.ServletResponse ;
+import javax.servlet.http.HttpServletResponse ;
+
+import org.apache.jena.web.HttpSC ;
+import org.apache.shiro.web.filter.authz.AuthorizationFilter ;
+import org.apache.shiro.web.util.WebUtils ;
+
+/** Specialise AuthorizationFilter to yield HTTP 403 on access denied */
+public abstract class AuthorizationFilter403 extends AuthorizationFilter
+{
+ private String message ;
+
+ protected AuthorizationFilter403(String text) { setMessage(text) ; }
+
+ /** Set the message used in HTTP 403 responses */
+ public void setMessage(String msg) { message = msg ; }
+
+ public String getMessage() { return message ; }
+
+ @Override
+ protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {
+ HttpServletResponse httpResponse ;
+ try { httpResponse = WebUtils.toHttp(response); }
+ catch (ClassCastException ex) {
+ // Not a HTTP Servlet operation
+ return super.onAccessDenied(request, response) ;
+ }
+ httpResponse.sendError(HttpSC.FORBIDDEN_403, message) ;
+ return false ; // No further processing.
+ }
+}
+
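Review bot: `onAccessDenied` uses a caught `ClassCastException` from `WebUtils.toHttp` as its test for a non-HTTP response, which is exception-driven control flow and would also misroute any unrelated ClassCastException raised inside `toHttp`; an explicit type test is clearer: `if ( !(response instanceof HttpServletResponse) ) return super.onAccessDenied(request, response) ;` followed by `HttpServletResponse httpResponse = (HttpServletResponse)response ;`. Because `sendError` echoes `message` into the container's error page, the class Javadoc should also state the contract for that field, e.g. `/** Specialise AuthorizationFilter to yield HTTP 403 on access denied. The message is a fixed, operator-configured string (presumably settable from shiro.ini via setMessage) and must never be built from request data. */`.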
Added: jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/authz/LocalhostFilter.java
URL: http://svn.apache.org/viewvc/jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/authz/LocalhostFilter.java?rev=1563139&view=auto
==============================================================================
--- jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/authz/LocalhostFilter.java (added)
+++ jena/branches/jena-fuseki-new-ui/src/main/java/org/apache/jena/fuseki/authz/LocalhostFilter.java Fri Jan 31 14:28:51 2014
@@ -0,0 +1,64 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.jena.fuseki.authz;
+
+import javax.servlet.ServletRequest ;
+import javax.servlet.ServletResponse ;
+
+import org.apache.shiro.web.filter.authz.PortFilter ;
+
+/**
+ * A Filter that can allow or deny access based on whether the
+ * the host that sent the request is the loopback address (AKA localhost).
+ * Use of the external IP address of the local machine does not permit access,
+ * only the loopback interface is authorized.
+ * Responds with HTTP 403 on any denied request.
+ *
+ * Example:
+ * <pre>
+ * [main]
+ * localhost=org.apache.shiro.web.filter.authz.LocalhostFilter
+ * ...
+ * [urls]
+ * /localFilesforLocalPeople/** = localhost
+ * </pre>
+ * @see PortFilter
+ */
+
+public class LocalhostFilter extends AuthorizationFilter403 {
+
+ private static final String message = "Access denied : only localhost access allowed" ;
+
+ public LocalhostFilter() { super(message); }
+
+ private static String LOCALHOST_IpV6 = "0:0:0:0:0:0:0:1" ;
+ private static String LOCALHOST_IpV4 = "127.0.0.1" ; // Strictly, 127.*.*.*
+
+ @Override
+ protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
+ String remoteAddr = request.getRemoteAddr() ;
+ if ( LOCALHOST_IpV6.equals(remoteAddr) || LOCALHOST_IpV4.equals(remoteAddr) )
+ return true ;
+ return false ;
+ }
+
+
+}
+
+
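Review bot: `isAccessAllowed` compares `getRemoteAddr()` against two exact strings, so genuine loopback connections whose address is rendered differently are denied: `::1` (the short form many containers return), any other 127.0.0.0/8 address (the comment on `LOCALHOST_IpV4` already admits this), and IPv4-mapped `::ffff:127.0.0.1`. Parsing the literal with `InetAddress` and testing `isLoopbackAddress()` covers all of these plus the two strings accepted today, and does no DNS lookup because `getRemoteAddr()` is specified to return an IP literal; it needs `import java.net.InetAddress ;` and `import java.net.UnknownHostException ;` added to the file. If the constants are kept they should be `private static final`, and the Javadoc example registers `org.apache.shiro.web.filter.authz.LocalhostFilter` although the class lives in `org.apache.jena.fuseki.authz`. The check still only sees the TCP peer, so a reverse proxy on the same host makes every client look local — worth a sentence in the class Javadoc.
```java
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
        String remoteAddr = request.getRemoteAddr() ;
        if ( remoteAddr == null )
            return false ;
        try {
            // getRemoteAddr() yields an IP literal, so no DNS resolution happens here.
            // isLoopbackAddress() covers 127.0.0.0/8, ::1 and the IPv4-mapped form.
            return InetAddress.getByName(remoteAddr).isLoopbackAddress() ;
        } catch (UnknownHostException ex) {
            // Unparseable peer address: deny.
            return false ;
        }
    }
```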