Jetty

HTAccessHandler - allow from 127.0.0.1

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Minor Minor
  • Resolution: Duplicate
  • Affects Version/s: 6.1.22
  • Fix Version/s: None
  • Component/s: None
  • Labels:
    None
  • Environment:
    Ubuntu 10.04, OpenJDK Runtime Environment (IcedTea6 1.8) (6b18-1.8-0ubuntu1) and Sun JRE 6 (6.20dlj-1ubuntu3)
  • Number of attachments :
    1

Description

Looks like something is flip-flopped. (I guess I could try forward-porting IPAccessHandler from jetty 5.)

Remote access isn't blocked at all, while local access is blocked (404 or 403 if GET .htaccess).

I've reduced the test case to this .htaccess:

<Limit>
allow from 127.0.0.1
</Limit>

And this context configuration is:

<Configure id="myContext" class="org.mortbay.jetty.servlet.Context">
<Set name="resourceBase"><SystemProperty name="jetty.home" default="."/>/webapps/root/</Set>
<Set name="contextPath">/</Set>
<Call name="setSecurityHandler">
<Arg>
<New class="org.mortbay.jetty.security.HTAccessHandler">
<Set name="protegee">
<Ref id="myContext"/>
</Set>
</New>
</Arg>
</Call>
<!-- etc -->
</Configure>

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Michael Gorovoy added a comment -

I've been able to reproduce the problem.

Show
Michael Gorovoy added a comment - I've been able to reproduce the problem.
Michael Gorovoy made changes -
Field Original Value New Value
Assignee Michael Gorovoy [ mgorovoy ]
Hide
Permalink
Michael Gorovoy added a comment -

My apologies for a long delay. I've finally been able to look into it a bit further, and discovered that the reason for the problem with localhost is the fact that when an HTTP request comes from the localhost, the java.net.InetAddress class that is ultimately used to format the remote address of an endpoint returns it in the IPv6 format, while allow statement in the .htaccess file is using IPv4 format. The easiest way to find out how to specify an entry for localhost in the correct format is to enable the request log, make a request to the server from a local machine, and the request log will contain the remote address in the same format as used by HTAccessHandler.

That said, while looking at the code I discovered an issue in HTAccessHandler that causes it to fail to process allowed requests under certain circumstances. I'm going to upload a patch for this additional issue shortly.

By the way, to configure the HTAccessHandler to achieve the result you are looking for, one need to use the following .htaccess file.

<Limit>
  satisfy all
  order deny,allow
  deny from all
  allow from 127.0.0.1
</Limit>

Cheers,
Michael

Show
Michael Gorovoy added a comment - My apologies for a long delay. I've finally been able to look into it a bit further, and discovered that the reason for the problem with localhost is the fact that when an HTTP request comes from the localhost, the java.net.InetAddress class that is ultimately used to format the remote address of an endpoint returns it in the IPv6 format, while allow statement in the .htaccess file is using IPv4 format. The easiest way to find out how to specify an entry for localhost in the correct format is to enable the request log, make a request to the server from a local machine, and the request log will contain the remote address in the same format as used by HTAccessHandler. That said, while looking at the code I discovered an issue in HTAccessHandler that causes it to fail to process allowed requests under certain circumstances. I'm going to upload a patch for this additional issue shortly. By the way, to configure the HTAccessHandler to achieve the result you are looking for, one need to use the following .htaccess file. <Limit> satisfy all order deny,allow deny from all allow from 127.0.0.1 </Limit> Cheers, Michael
Hide
Permalink
Michael Gorovoy added a comment - - edited

Greg,

The attached patch contains the code to compare the IP addresses in HTAccessHandler using the java.net.InetAddress capabilities. In order to be able to do that, the IPv4 addresses are first converted to their IPv6 mapping. The drawback of this approach is that it is not possible to use partial IP address in the allow and deny clauses.

Also included is a fix for the issue where the wrapped handler is not being called if the request is allowed following the address check.

-Michael

Show
Michael Gorovoy added a comment - - edited Greg, The attached patch contains the code to compare the IP addresses in HTAccessHandler using the java.net.InetAddress capabilities. In order to be able to do that, the IPv4 addresses are first converted to their IPv6 mapping. The drawback of this approach is that it is not possible to use partial IP address in the allow and deny clauses. Also included is a fix for the issue where the wrapped handler is not being called if the request is allowed following the address check. -Michael
Michael Gorovoy made changes -
Attachment jetty-1239_patch.diff [ 52117 ]
Hide
Permalink
Michael Gorovoy added a comment -

Patch is ready for review.

Show
Michael Gorovoy added a comment - Patch is ready for review.
Michael Gorovoy made changes -
Assignee Michael Gorovoy [ mgorovoy ] Greg Wilkins [ gregw ]
Hide
Permalink
Greg Wilkins added a comment -

I've committed only the fix and not the changed handling of IP addresses - as we really don't want to change behaviour on jetty-6 (other than fix bugs).

We should port this handler to jetty-7 and consider adding extra IP matching there.

Show
Greg Wilkins added a comment - I've committed only the fix and not the changed handling of IP addresses - as we really don't want to change behaviour on jetty-6 (other than fix bugs). We should port this handler to jetty-7 and consider adding extra IP matching there.
Hide
Permalink
Greg Wilkins added a comment -

this is available for somebody to work on

Show
Greg Wilkins added a comment - this is available for somebody to work on
Greg Wilkins made changes -
Assignee Greg Wilkins [ gregw ]
Jan Bartel made changes -
Priority Major [ 3 ] Minor [ 4 ]
Hide
Permalink
Jan Bartel added a comment -

This issue has been moved to jetty eclipse bugzilla: https://bugs.eclipse.org/bugs/show_bug.cgi?id=396567

Show
Jan Bartel added a comment - This issue has been moved to jetty eclipse bugzilla: https://bugs.eclipse.org/bugs/show_bug.cgi?id=396567
Jan Bartel made changes -
Status Open [ 1 ] Closed [ 6 ]
Resolution Duplicate [ 3 ]

People

  • Assignee:
    Unassigned
    Reporter:
    Anthon Pang
Vote (0)
Watch (1)

Dates

  • Created:
    Updated:
    Resolved: