[jira] Created: (JETTY-1239) HTAccessHandler - allow from 127.0.0.1

[jira] Created: (JETTY-1239) HTAccessHandler - allow from 127.0.0.1

JIRA jira@codehaus.org
HTAccessHandler - allow from 127.0.0.1
--------------------------------------

                 Key: JETTY-1239
                 URL: http://jira.codehaus.org/browse/JETTY-1239
             Project: Jetty
          Issue Type: Bug
    Affects Versions: 6.1.22
         Environment: Ubuntu 10.04, OpenJDK Runtime Environment (IcedTea6 1.8) (6b18-1.8-0ubuntu1) and Sun JRE 6 (6.20dlj-1ubuntu3)
            Reporter: Anthon Pang


Looks like something is flip-flopped.  (I guess I could try forward-porting IPAccessHandler from jetty 5.)

Remote access isn't blocked at all, while local access is blocked (404 or 403 if GET .htaccess).

I've reduced the test case to this .htaccess:

<Limit>
allow from 127.0.0.1
</Limit>

And this context configuration is:

<Configure id="myContext" class="org.mortbay.jetty.servlet.Context">
  <Set name="resourceBase"><SystemProperty name="jetty.home" default="."/>/webapps/root/</Set>
  <Set name="contextPath">/</Set>
  <Call name="setSecurityHandler">
    <Arg>
      <New class="org.mortbay.jetty.security.HTAccessHandler">
        <Set name="protegee">
          <Ref id="myContext"/>
        </Set>
      </New>
    </Arg>
  </Call>
  <!-- etc -->
</Configure>

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

       

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email



[jira] Commented: (JETTY-1239) HTAccessHandler - allow from 127.0.0.1

JIRA jira@codehaus.org

    [ http://jira.codehaus.org/browse/JETTY-1239?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=226023#action_226023 ]

Michael Gorovoy commented on JETTY-1239:
----------------------------------------

I've been able to reproduce the problem.


[jira] Assigned: (JETTY-1239) HTAccessHandler - allow from 127.0.0.1

JIRA jira@codehaus.org
In reply to this post by JIRA jira@codehaus.org

     [ http://jira.codehaus.org/browse/JETTY-1239?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Gorovoy reassigned JETTY-1239:
--------------------------------------

    Assignee: Michael Gorovoy


[jira] Commented: (JETTY-1239) HTAccessHandler - allow from 127.0.0.1

JIRA jira@codehaus.org
In reply to this post by JIRA jira@codehaus.org

    [ http://jira.codehaus.org/browse/JETTY-1239?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=242568#action_242568 ]

Michael Gorovoy commented on JETTY-1239:
----------------------------------------

My apologies for a long delay. I've finally been able to look into it a bit further, and discovered that the reason for the problem with localhost is the fact that when an HTTP request comes from the localhost, the java.net.InetAddress class that is ultimately used to format the remote address of an endpoint returns it in the IPv6 format, while the allow statement in the .htaccess file is using IPv4 format. The easiest way to find out how to specify an entry for localhost in the correct format is to enable the request log, make a request to the server from a local machine, and the request log will contain the remote address in the same format as used by HTAccessHandler.

That said, while looking at the code I discovered an issue in HTAccessHandler that causes it to fail to process allowed requests under certain circumstances. I'm going to upload a patch for this additional issue shortly.

By the way, to configure the HTAccessHandler to achieve the result you are looking for, one needs to use the following .htaccess file.

{code}
<Limit>
  satisfy all
  order deny,allow
  deny from all
  allow from 127.0.0.1
</Limit>
{code}

Cheers,
Michael




[jira] Updated: (JETTY-1239) HTAccessHandler - allow from 127.0.0.1

JIRA jira@codehaus.org
In reply to this post by JIRA jira@codehaus.org

     [ http://jira.codehaus.org/browse/JETTY-1239?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Gorovoy updated JETTY-1239:
-----------------------------------

    Attachment: jetty-1239_patch.diff

Greg,

The attached patch contains the code to compare the IP addresses in HTAccessHandler using the java.net.InetAddress capabilities. In order to be able to do that, the IPv4 addresses are first converted to their IPv6 mapping. The drawback of this approach is that it is not possible to use partial IP addresses in the allow and deny clauses.

Also included is a fix for the issue where the wrapped handler is not being called if the request is allowed following the address check.

-Michael
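
As an added illustration (not code from the Jetty source or from the attached patch), the Java sketch below contrasts textual matching of an allow rule with comparison through java.net.InetAddress after widening IPv4 to its IPv6 mapping, as the two comments above describe. The class and method names, the prefix-style text match and the sample pairs are assumptions constructed for this example.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.regex.Pattern;

public class AllowRuleMatchDemo {
    private static final String OCTET = "(25[0-5]|2[0-4]\\d|1?\\d?\\d)";
    private static final Pattern IPV4 = Pattern.compile(OCTET + "(\\." + OCTET + "){3}");
    private static final Pattern IPV6 = Pattern.compile("[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*");

    // Assumption: rule and formatted remote address are compared as text by prefix,
    // a simplified stand-in for string matching that permits partial addresses.
    static boolean textMatch(String rule, String remote) {
        return remote.startsWith(rule);
    }

    // Parse a complete IP literal into 16 bytes, widening IPv4 to ::ffff:a.b.c.d.
    // The shape check keeps host names and partial IPv4 addresses away from
    // getByName, which would otherwise try to resolve them.
    static byte[] to16(String literal) {
        if (!IPV4.matcher(literal).matches() && !IPV6.matcher(literal).matches()) {
            throw new IllegalArgumentException("not a complete IP literal: " + literal);
        }
        byte[] raw;
        try {
            raw = InetAddress.getByName(literal).getAddress();
        } catch (UnknownHostException e) {
            throw new IllegalArgumentException("invalid IP literal: " + literal, e);
        }
        if (raw.length == 16) {
            return raw;
        }
        byte[] mapped = new byte[16];
        mapped[10] = (byte) 0xff;
        mapped[11] = (byte) 0xff;
        System.arraycopy(raw, 0, mapped, 12, 4);
        return mapped;
    }

    // Exact comparison of the two addresses in their 16-byte form.
    static boolean addressMatch(String rule, String remote) {
        return Arrays.equals(to16(rule), to16(remote));
    }

    public static void main(String[] args) {
        // Constructed (allow rule, remote address) pairs.
        String[][] cases = {
            {"127.0.0.1", "0:0:0:0:0:0:0:1"},   // IPv4 rule, IPv6 loopback as Java formats it
            {"::1", "0:0:0:0:0:0:0:1"},         // same address, two spellings
            {"::ffff:127.0.0.1", "127.0.0.1"},  // rule written in IPv4-mapped form
            {"127.", "127.0.0.1"},              // partial address in the rule
            {"127.0.0.1", "127.0.0.10"},        // full rule that is also a textual prefix
        };
        for (String[] c : cases) {
            String byAddress;
            try {
                byAddress = String.valueOf(addressMatch(c[0], c[1]));
            } catch (IllegalArgumentException e) {
                byAddress = "rule rejected";
            }
            System.out.printf("allow from %-17s remote %-16s text=%-5b address=%s%n",
                    c[0], c[1], textMatch(c[0], c[1]), byAddress);
        }
    }
}
```

Under this comparison ::1 and 127.0.0.1 remain distinct addresses, so a rule meant for local access has to name the form the server actually reports.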


[jira] Issue Comment Edited: (JETTY-1239) HTAccessHandler - allow from 127.0.0.1

JIRA jira@codehaus.org
In reply to this post by JIRA jira@codehaus.org

    [ http://jira.codehaus.org/browse/JETTY-1239?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=242603#action_242603 ]

Michael Gorovoy edited comment on JETTY-1239 at 11/9/10 3:22 PM:
-----------------------------------------------------------------

Greg,

The attached patch contains the code to compare the IP addresses in HTAccessHandler using the java.net.InetAddress capabilities. In order to be able to do that, the IPv4 addresses are first converted to their IPv6 mapping. The drawback of this approach is that it is not possible to use partial IP addresses in the allow and deny clauses.

Also included is a fix for the issue where the wrapped handler is not being called if the request is allowed following the address check.

-Michael


[jira] Assigned: (JETTY-1239) HTAccessHandler - allow from 127.0.0.1

JIRA jira@codehaus.org
In reply to this post by JIRA jira@codehaus.org

     [ http://jira.codehaus.org/browse/JETTY-1239?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Gorovoy reassigned JETTY-1239:
--------------------------------------

    Assignee: Greg Wilkins  (was: Michael Gorovoy)

Patch is ready for review.


[jira] Commented: (JETTY-1239) HTAccessHandler - allow from 127.0.0.1

JIRA jira@codehaus.org
In reply to this post by JIRA jira@codehaus.org

    [ http://jira.codehaus.org/browse/JETTY-1239?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=242630#action_242630 ]

Greg Wilkins commented on JETTY-1239:
-------------------------------------

I've committed only the fix and not the changed handling of IP addresses - as we really don't want to change behaviour on jetty-6 (other than fix bugs).

We should port this handler to jetty-7 and consider adding extra IP matching there.


[jira] Assigned: (JETTY-1239) HTAccessHandler - allow from 127.0.0.1

JIRA jira@codehaus.org
In reply to this post by JIRA jira@codehaus.org

     [ http://jira.codehaus.org/browse/JETTY-1239?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Greg Wilkins reassigned JETTY-1239:
-----------------------------------

    Assignee:     (was: Greg Wilkins)

This is available for somebody to work on.


[jira] (JETTY-1239) HTAccessHandler - allow from 127.0.0.1

JIRA jira@codehaus.org
In reply to this post by JIRA jira@codehaus.org
Change By: Jan Bartel (03/Sep/12 1:39 AM)
Priority: Minor  (was: Major)

[jira] (JETTY-1239) HTAccessHandler - allow from 127.0.0.1

JIRA jira@codehaus.org
In reply to this post by JIRA jira@codehaus.org
Jan Bartel closed Bug JETTY-1239 as Duplicate

This issue has been moved to jetty eclipse bugzilla: https://bugs.eclipse.org/bugs/show_bug.cgi?id=396567

Change By: Jan Bartel (13/Dec/12 10:05 PM)
Resolution: Duplicate
Status: Closed  (was: Open)