managementservice.java

来自「RESIN 3.2 最新源码」· Java 代码 · 共 256 行

/*
 * Copyright (c) 1998-2008 Caucho Technology -- all rights reserved
 *
 * This file is part of Resin(R) Open Source
 *
 * Each copy or derived work must preserve the copyright notice and this
 * notice unmodified.
 *
 * Resin Open Source is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * Resin Open Source is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE, or any warranty
 * of NON-INFRINGEMENT.  See the GNU General Public License for more
 * details.
 *
 * You should have received a copy of the GNU General Public License
 * along with Resin Open Source; if not, write to the
 *
 *   Free Software Foundation, Inc.
 *   59 Temple Place, Suite 330
 *   Boston, MA 02111-1307  USA
 *
 * @author Sam
 */

package com.caucho.server.admin;

import com.caucho.config.ConfigException;
import com.caucho.config.program.ContainerProgram;
import com.caucho.config.program.PropertyValueProgram;
import com.caucho.config.types.RawString;
import com.caucho.server.dispatch.ServletMapping;
import com.caucho.server.hmux.HmuxRequest;
import com.caucho.server.host.HostConfig;
import com.caucho.server.security.AbstractConstraint;
import com.caucho.server.security.SecurityConstraint;
import com.caucho.server.webapp.WebAppConfig;
import com.caucho.util.InetNetwork;
import com.caucho.util.L10N;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Enumeration;
import java.util.logging.Logger;

abstract public class ManagementService
{
  private static final L10N L = new L10N(ManagementService.class);
  protected final Logger log = Logger.getLogger(getClass().getName());

  private final Management _management;
  private final String _serviceName;

  private String _password;

  private InetNetwork[]_allowedNetworks;

  protected ManagementService(Management management, String serviceName)
  {
    _management = management;
    _serviceName = serviceName;
  }

  public void start()
  {
    _password = _management.getRemoteCookie();
    
    if (_password == null) {
      log.warning(L.l("jmx-remote disabled.  jmx-remote requires at least one enabled management <user>"));
      return;
    }
    
    HostConfig hostConfig = _management.getHostConfig();

    WebAppConfig webAppConfig = new WebAppConfig();
    webAppConfig.setId(_serviceName);
    webAppConfig.setRootDirectory(new RawString("/admin-dummy-root"));

    hostConfig.addBuilderProgram(new PropertyValueProgram("web-app", webAppConfig));

    ServletMapping servlet = new ServletMapping();

    servlet.setServletName(_serviceName);
    servlet.addURLPattern("/*");
    servlet.addURLRegexp(".*");
    servlet.setServletClass(ManagementServlet.class.getName());

    ContainerProgram servletInit = new ContainerProgram();
    servletInit.addProgram(new PropertyValueProgram("service", this));
    servlet.setInit(servletInit);

    webAppConfig.addBuilderProgram(new PropertyValueProgram("servlet-mapping", servlet));

    SecurityConstraint constraint = new SecurityConstraint();
    constraint.setURLPattern("/*");
    constraint.addConstraint(new HmuxConstraint(this));
    constraint.init();
    webAppConfig.addBuilderProgram(new PropertyValueProgram("security-constraint", constraint));

    try {
      _allowedNetworks = new InetNetwork[] {
        new InetNetwork(InetAddress.getByName("127.0.0.1"), 24),
        new InetNetwork(InetAddress.getByName("10.0.0.0"), 24),
        new InetNetwork(InetAddress.getByName("172.16.0.0"), 20),
        new InetNetwork(InetAddress.getByName("192.168.0.0"), 16),
      };
    } catch (UnknownHostException e) {
      throw new RuntimeException(e);
    }
  }

  // first stage security - security constraint authorization
  public boolean isAuthorized(HttpServletRequest request,
			      HttpServletResponse response,
                              ServletContext application)
    throws ServletException, IOException
  {
    // The order of tests is important for the QA, see server/2e2-

    HttpServletResponse res = (HttpServletResponse) response;

    if (! (request instanceof HmuxRequest)) {
      log.warning(L.l("{0} attempt with non-hmux-request '{1}' from ip {2}",
                      _serviceName, request, request.getRemoteAddr()));

      res.sendError(HttpServletResponse.SC_NOT_FOUND);
      return false;
    }

    HmuxRequest hmuxRequest = (HmuxRequest) request;

    if (!request.getServletPath().equals("")) {
      log.warning(L.l("{0} attempt with invalid servlet-path '{1}' from address '{2}'",
                     _serviceName, request.getServletPath(), request.getRemoteAddr()));

      res.sendError(HttpServletResponse.SC_NOT_FOUND);
      return false;

    }

    if (request.getPathInfo() != null) {
      log.warning(L.l("{0} attempt with invalid path-info '{1}' from address '{2}'",
                      _serviceName, request.getPathInfo(), request.getRemoteAddr()));

      res.sendError(HttpServletResponse.SC_NOT_FOUND);
      return false;

    }

    // The remote test needs to be last to allow the other QA to work properly
    // XXX: this should be configurable, i.e. setReadConstraints and setWriteConstraints

    String remoteAddr = hmuxRequest.getRemoteAddr();

    boolean isValidAddr = false;
    for (int i = 0; i < _allowedNetworks.length; i++) {
      if (_allowedNetworks[i].isMatch(remoteAddr))
        isValidAddr = true;
    }

    if (! isValidAddr) {
      log.warning(L.l("{0} attempt from invalid address '{1}'",
                      _serviceName, remoteAddr));

      res.sendError(HttpServletResponse.SC_NOT_FOUND);
      return false;
    }

    return true;
  }

  // second stage security - read/write permission

  private boolean isRequestAllowed(ServletRequest request, ServletResponse response)
    throws IOException, ServletException
  {
    HttpServletResponse res = (HttpServletResponse) response;

    // check attributes for evidence of forward, includes, error page handling
    Enumeration<String> attributeNames = request.getAttributeNames();

    while (attributeNames.hasMoreElements()) {
      String  attributeName = attributeNames.nextElement();

      if (attributeName.equals("javax.servlet.request.X509Certificate"))
        continue;
      
      log.warning(L.l("management service request attribute '{0}' invalidates request",
                      attributeName));

      res.sendError(HttpServletResponse.SC_NOT_FOUND);
      return false;
    }

    return true;
  }

  protected boolean isReadAllowed(ServletRequest request, ServletResponse response)
    throws IOException, ServletException
  {
    if (!isRequestAllowed(request, response))
      return false;

    return true;
  }

  protected boolean isWriteAllowed(ServletRequest request, ServletResponse response)
    throws IOException, ServletException
  {
    if (!isRequestAllowed(request, response))
      return false;

    return true;
  }

  abstract public void service(ServletRequest request, ServletResponse response)
    throws IOException, ServletException;

  public String toString()
  {
    return (getClass().getSimpleName()
	    + "[" + _serviceName
	    + "," + _management.getServerId() + "]");
  }

  private static class HmuxConstraint
    extends AbstractConstraint
  {
    private final ManagementService _service;

    public HmuxConstraint(ManagementService service)
    {
      _service = service;
    }

    public boolean isAuthorized(HttpServletRequest request,
                                HttpServletResponse response,
                                ServletContext application)
      throws ServletException, IOException
    {
      return _service.isAuthorized(request, response, application);
    }
  }
}